Data Processing Agreement
Last updated: April 5, 2026
1. Scope and Purpose
This Data Processing Agreement ("DPA") supplements the Provisum Terms of Service and applies when Provisum Corp. ("Processor") processes personal data on behalf of the customer organization ("Controller") to provide the Provisum platform ("Service").
This DPA is designed to meet the requirements of GDPR Article 28 and equivalent data protection legislation.
2. Definitions
- Customer Data: Personal data uploaded by the Controller to the Service, including employee identifiers, department assignments, role names, and permission sets
- Processing: Any operation performed on Customer Data, including collection, storage, retrieval, analysis, transmission, and deletion
- Data Subjects: Individuals whose personal data is included in Customer Data (typically the Controller's employees)
3. Processing Details
| Item | Detail |
|---|---|
| Subject matter | Provision of the Provisum role mapping platform |
| Duration | Duration of the subscription agreement |
| Nature of processing | Storage, AI analysis, role mapping computation, SOD analysis, reporting |
| Purpose | Persona generation, role mapping, SOD conflict detection, approval workflows, audit logging |
| Categories of data | Employee IDs, names, departments, job titles, role assignments, permission sets, organizational hierarchies |
| Categories of data subjects | Employees and contractors of the Controller organization |
4. Processor Obligations
- Process Customer Data only on documented instructions from the Controller (the subscription agreement and Service configuration)
- Ensure all personnel with access to Customer Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (see our Security Policy)
- Engage sub-processors only with prior written consent and equivalent contractual protections
- Assist the Controller in responding to data subject rights requests
- Delete or return all Customer Data within 30 days of termination, at the Controller's choice
- Make available all information necessary to demonstrate compliance and allow for audits
5. Sub-Processors
The following sub-processors are authorized:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting & authentication | US (AWS us-east-1) |
| Vercel Inc. | Application hosting & CDN | US / Global Edge |
| Anthropic PBC | AI processing (persona generation, role suggestions) | US |
| Resend Inc. | Transactional email delivery | US |
| Sentry (Functional Software Inc.) | Error tracking & performance monitoring | US |
The Controller will be notified of any sub-processor changes at least 30 days in advance. The Controller may object to a new sub-processor within 14 days.
6. International Transfers
Where Customer Data is transferred outside the EEA/UK, we rely on Standard Contractual Clauses (SCCs) as adopted by the European Commission, supplemented by transfer impact assessments where required.
7. Data Breach Notification
In the event of a personal data breach, we will notify the Controller without undue delay and no later than 72 hours after becoming aware, including:
- Nature of the breach and categories of data affected
- Approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
8. Audit Rights
The Controller (or an independent auditor appointed by the Controller) may audit our compliance with this DPA once per calendar year, with 30 days' written notice. We will provide reasonable assistance and access to relevant documentation, systems, and personnel.
9. Request a Signed DPA
Enterprise customers can request a countersigned copy of this DPA. Contact hello@provisum.io with your organization name and subscription details.