Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Terms of Service.

1. Scope

This DPA applies to the processing of Personal Data within the logs and payloads sent to DeerDawn.

2. Roles

Customer is the Controller. DeerDawn is the Processor.

3. Processing Instructions

DeerDawn shall process Personal Data only in accordance with Customer's documented instructions as provided through the Service, including policy configurations and API requests. DeerDawn will not process Personal Data for any other purpose unless required by applicable law.

4. Security Measures

DeerDawn implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption of data at rest (AES-256) and in transit (TLS 1.3+)
  • Role-based access controls and multi-factor authentication for administrative access
  • Regular security assessments and vulnerability scanning
  • Automated redaction of secrets and credentials (API keys, tokens, passwords) from captured commands and synced context
  • Network isolation and firewall configurations
  • SOC 2 Type II alignment (certification in progress)

5. Subprocessors

DeerDawn engages the following third-party Subprocessors to support service delivery:

  • Fly.io: Application hosting and infrastructure (United States)
  • Neon: PostgreSQL database hosting (United States)
  • Vercel: Frontend application hosting (United States)
  • Stripe: Payment processing (United States)
  • Clerk: Authentication services (United States)
  • OpenAI: LLM-based context extraction and matching — receives project context and conversation excerpts, processed under OpenAI's API terms (no training on API data) (United States)
  • PostHog: Product analytics and session replay (United States)
  • Google (Analytics & Ads): Website analytics and advertising conversion measurement (United States)
  • Slack: Optional Slack integration — only when a customer connects Slack (United States)
  • Zendesk: Optional Zendesk integration — only when a customer connects Zendesk (United States)

Customer consents to the engagement of these Subprocessors. DeerDawn will notify Customer at least 30 days in advance of adding or replacing Subprocessors. Customer may object to such changes by terminating the agreement if the new Subprocessor presents unacceptable risks.

6. Data Subject Rights

DeerDawn will, to the extent legally permitted, promptly notify Customer if DeerDawn receives a request from a Data Subject to exercise their rights under Data Protection Laws (including access, rectification, erasure, data portability, and restriction of processing).

DeerDawn will provide reasonable assistance to Customer in fulfilling Data Subject requests, including providing tools within the dashboard to export, modify, or delete decision records. Customer is responsible for responding to Data Subject requests.

7. Data Breach Notification

DeerDawn will notify Customer without undue delay upon becoming aware of a confirmed Personal Data breach affecting Customer data, and in any event within 72 hours of discovery. Notification will include:

  • Description of the nature and scope of the breach
  • Categories and approximate number of Data Subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate harm

Customer is responsible for determining whether the breach requires notification to supervisory authorities or Data Subjects under applicable Data Protection Laws.

8. Audit Rights

DeerDawn will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including providing access to audit reports (such as SOC 2 reports) upon request and subject to confidentiality obligations.

Customer may conduct audits or inspections of DeerDawn's processing activities up to once per year, upon 30 days' prior written notice, during business hours, and subject to reasonable security and confidentiality requirements. Additional audits may be conducted if required by a Data Protection Authority.

9. International Data Transfers

All data processing occurs within the United States. If Customer is located in the European Economic Area (EEA), United Kingdom, or Switzerland, DeerDawn relies on Standard Contractual Clauses (SCCs) approved by the European Commission for transfers of Personal Data. A copy of the SCCs is available upon request to legal@deerdawn.com.

10. Data Retention and Deletion

Customer data is retained according to Customer's selected Plan tier (Standard: 14 days, Growth: 90 days, Pro: 365 days, Enterprise: up to 730 days). Upon expiration of the retention period, data is automatically and permanently deleted.

Upon termination of the Service, DeerDawn will delete or return all Personal Data to Customer within 30 days, unless legally required to retain copies. Customer may request immediate deletion by contacting support@deerdawn.com.

11. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Terms of Service. DeerDawn will indemnify Customer against claims arising from DeerDawn's violation of Data Protection Laws, subject to Customer's prompt notification and cooperation.

12. Term and Termination

This DPA remains in effect for as long as DeerDawn processes Personal Data on behalf of Customer under the Terms of Service. The obligations regarding data deletion, confidentiality, and breach notification survive termination.

Last updated: January 2026

For DPA inquiries, contact: legal@deerdawn.com

DeerDawn Inc.

1209 Orange Street, Wilmington, DE 19801