# VendorGuard Data Processing Addendum Template

Version: Draft template for customer legal review
Last updated: 2026-05-31

This template is provided for review and negotiation. It is not legal advice and should be approved by counsel before signature.

## 1. Parties

This Data Processing Addendum ("DPA") forms part of the agreement between:

- Customer: [Customer legal name]
- Provider: [VendorGuard provider legal name]

Effective date: [Date]

## 2. Processing scope

VendorGuard processes customer data only to provide the vendor risk assessment workspace, including vendor records, evidence uploads, risk evaluations, monitoring, reports, and related support.

## 3. Categories of personal data

Customer data may include:

- Business contact details for customer users and vendor contacts
- User account identifiers and authentication metadata
- Vendor profile details submitted by the customer
- Uploaded vendor evidence that may contain business contact details or other personal data
- Comments, findings, reports, monitoring alerts, and assessment logs

Customers should not upload regulated sensitive personal data unless both parties have agreed to that use in writing.

## 4. Processing purposes

Provider may process customer data to:

- Authenticate users and manage organization access
- Store vendor records, documents, evaluations, findings, reports, and monitoring schedules
- Analyze uploaded evidence and public vendor information for risk assessment
- Generate summaries, findings, reports, and alerts
- Provide support, security, troubleshooting, and service improvement

## 5. Subprocessors

The following subprocessors may be used depending on the deployment and enabled integrations:

| Subprocessor | Purpose |
| --- | --- |
| Supabase | Authentication, database, storage, and access control infrastructure |
| Anthropic | AI-assisted analysis, summarization, and drafting |
| Tavily | Web research and source discovery |
| BitSight, SecurityScorecard, UpGuard, RiskRecon | Security rating enrichment when configured by customer |
| Resend | Email notifications when configured |

Provider will maintain an accurate subprocessor list for the active production deployment and provide notice of material changes as agreed in the main agreement.

## 6. Security measures

Provider will maintain appropriate technical and organizational measures, including:

- Authentication for workspace access
- Organization-scoped access controls and role-based permissions
- Private storage buckets for uploaded evidence and generated reports
- Signed URLs for report file access where applicable
- Privileged service credentials used only on the server side
- HTTPS transport for application traffic
- Supabase-managed protection of database and storage data at rest
- Administrative access limited to personnel with a business need

## 7. Customer controls

Customer is responsible for:

- Choosing which vendor data and documents to upload
- Limiting uploads to information needed for the assessment
- Managing authorized users and roles
- Reviewing AI-assisted findings before relying on them for procurement, legal, or security decisions
- Configuring and rotating third-party API keys used for enrichment services

## 8. Data subject requests

Provider will reasonably assist Customer with data subject requests related to customer data, taking into account the nature of the processing and information available to Provider.

## 9. Deletion and return

Upon termination or written request, Provider will delete or return customer data according to the main agreement and applicable law. Any backup retention, log retention, and technical deletion windows should be specified in the signed agreement.

## 10. Incident notification

Provider will notify Customer without undue delay after confirming a security incident affecting customer data. The final notification timeline, contact method, and cooperation obligations should be specified in the signed agreement.

## 11. International transfers

The active deployment region and any international transfer mechanism should be confirmed for the production environment before signature.

## 12. Audit and documentation

Provider will make reasonable documentation available to demonstrate compliance with this DPA. Any customer audit rights, frequency limits, and confidentiality requirements should be specified in the signed agreement.

## 13. Signatures

Customer:

Name:

Title:

Date:

Provider:

Name:

Title:

Date:
