Data Processing Addendum

Processor processes the personal data described in the Privacy Policy on Controller's instructions to operate the Service.

Controller authorizes Processor to engage the sub-processors listed in the Privacy Policy. Processor will give 30 days' notice of any new sub-processor; Controller may object by ceasing use of the Service.

• Encryption in transit (TLS 1.2+) for every connection.
• Encryption at rest for the database via the platform provider.
• Row-level security on every user-owned table.
• Audit logging of every administrative action (impersonation, plan change, account deletion).
• Rate limiting on every authentication and email-sending endpoint.

Where personal data is transferred outside the EEA / UK to a country not covered by an adequacy decision, the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum apply and are incorporated by reference. Each sub-processor has its own SCCs in place with Processor.

Controller may, no more than once per year, request a summary of Processor's most recent third-party security audit (e.g. Supabase's SOC 2 report).

Processor will notify Controller without undue delay (and no later than 72 hours after becoming aware) of any personal data breach affecting Controller's data.

On termination, Processor will delete or return all personal data within 30 days, except where retention is required by law.

DPA queries: team@plotwise.ca. Reference DPA version 2026-04-17.dpa.v1.