Data Processing Agreement
How we process personal data on your behalf under GDPR and applicable data protection laws.
Effective date: March 3, 2026
This Data Processing Agreement (“DPA”) is incorporated into and forms part of the Terms of Service (“Agreement”) between Engular LLC, a Michigan limited liability company, operating as PartParse (“Processor,” “we,” “us”) and the entity or person accepting the Agreement (“Controller,” “you,” “your”).
This DPA applies when we process Personal Data on your behalf in connection with the Service. Terms not defined in this DPA have the meanings given in the Agreement.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
- “Processing” means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council.
- “UK GDPR” means the GDPR as incorporated into UK law by the Data Protection Act 2018 and the European Union (Withdrawal) Act 2018.
- “Data Protection Laws” means the GDPR, UK GDPR, the Swiss Federal Act on Data Protection (“FADP”), and any other applicable data protection legislation.
- “Sub-processor” means any third party engaged by us to process Personal Data on your behalf.
- “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses annexed to European Commission Implementing Decision (EU) 2021/914.
- “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope and Roles
You are the Controller and we are the Processor with respect to Personal Data contained in documents you submit to the Service. This includes personal data of third parties (such as your customers, suppliers, or contacts) whose information appears in uploaded RFQ documents.
You are responsible for:
- Ensuring you have a lawful basis under applicable Data Protection Laws to submit Personal Data to the Service
- Providing any required notices to, and obtaining any required consents from, Data Subjects whose Personal Data you submit
- Determining whether a Data Protection Impact Assessment is required for your use of the Service
3. Processing Details
| Detail | Description |
|---|---|
| Subject matter | AI-powered extraction of structured data from uploaded RFQ PDF documents |
| Duration | For the term of the Agreement, plus the period needed to delete Personal Data in accordance with this DPA |
| Nature and purpose | Automated document parsing, data extraction, storage of extracted results, email delivery of results, and webhook transmission as configured by Controller |
| Categories of Data Subjects | Your customers, suppliers, buyers, contacts, and other individuals whose information appears in submitted documents |
| Types of Personal Data | Names, email addresses, phone numbers, job titles, company names, mailing addresses, and any other personal data contained in submitted RFQ documents |
4. Processor Obligations
We will:
- Process Personal Data only on your documented instructions, unless required by applicable law (in which case we will notify you before processing, unless prohibited by law)
- Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
- Implement appropriate technical and organizational security measures as described in Annex II
- Not engage a Sub-processor without meeting the requirements of Section 7
- Assist you, taking into account the nature of processing, in responding to Data Subject requests (Section 8)
- Assist you in ensuring compliance with your obligations regarding security, breach notification, impact assessments, and prior consultation, taking into account the nature of processing and the information available to us
- At your choice, delete or return all Personal Data upon termination of the Agreement, and delete existing copies unless required by applicable law to retain them
- Make available to you all information necessary to demonstrate compliance with the obligations in this DPA
5. Security Measures
We implement and maintain the technical and organizational security measures described in Annex II. These measures are designed to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
We may update these measures from time to time, provided that updates do not materially decrease the overall level of protection.
6. Security Incident Notification
We will notify you of a Security Incident without undue delay, and in any event within 72 hours of becoming aware of it. Notification will include:
- A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and records affected
- The name and contact details of our point of contact for further information
- A description of the likely consequences
- A description of the measures taken or proposed to address the incident and mitigate its effects
Notification of a Security Incident is not an acknowledgment of fault or liability.
7. Sub-processors
Current Sub-processors
We use the following Sub-processors to provide the Service:
| Sub-processor | Purpose | Location | Sub-processor DPA |
|---|---|---|---|
| Anthropic | AI document processing (Claude API) | United States | anthropic.com/legal/commercial-terms |
| Postmark (ActiveCampaign LLC) | Transactional email delivery | United States | postmarkapp.com/eu-privacy |
| Hetzner | Server hosting and infrastructure | United States (Virginia) | hetzner.com/legal/privacy-policy |
| Stripe | Payment processing | United States | stripe.com/legal/dpa |
Sub-processor Changes
We will notify you by email at least thirty (30) days before engaging a new Sub-processor or replacing an existing one. You may object to the appointment of a new Sub-processor within fourteen (14) days of receiving notice by emailing privacy@partparse.com with a reasonable explanation of your grounds for objection.
If you object and we cannot reasonably accommodate your objection, either party may terminate the affected portion of the Service by providing written notice. We will refund any prepaid fees for the unused portion of the subscription term following termination.
Sub-processor Obligations
We impose data protection obligations on each Sub-processor that are no less protective than those in this DPA. We remain fully liable to you for the performance of each Sub-processor’s obligations.
8. Data Subject Rights
We will assist you in responding to requests from Data Subjects exercising their rights under Data Protection Laws (access, rectification, erasure, restriction, portability, and objection).
If we receive a request directly from a Data Subject, we will promptly notify you and will not respond to the request unless you instruct us to do so or we are required by law to respond.
9. Data Deletion and Return
Upon termination of the Agreement:
- Uploaded PDFs are automatically purged within 24 hours of processing during the term of service
- All remaining Personal Data (extracted data, account records, audit logs) will be deleted within 30 days of your account deletion request
- We will confirm deletion in writing upon your request
- We may retain Personal Data to the extent required by applicable law, in which case we will isolate and protect such data and limit further processing to the purposes required by law
10. Audits
You may audit our compliance with this DPA up to once per year, with at least thirty (30) days’ prior written notice. Audits will be conducted during normal business hours, at your expense, and in a manner that minimizes disruption to our operations.
As an alternative to an on-site audit, we will:
- Respond to reasonable written audit questionnaires within thirty (30) days
- Provide relevant certifications, audit reports, or third-party assessment results that we have obtained (if any)
11. International Data Transfers
Transfer Mechanism
Personal Data transferred from the EEA, UK, or Switzerland to the United States is governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission in Implementing Decision (EU) 2021/914, which are incorporated into this DPA by reference.
The following SCC modules apply:
- Module 2 (Controller to Processor): Applies to transfers of Personal Data from you (Controller in the EEA) to us (Processor in the United States)
The SCCs are deemed completed as follows:
- Clause 7 (Docking clause): Included, allowing additional parties to accede to the SCCs
- Clause 9(a) (Sub-processor authorization): Option 2 (general written authorization) applies, with the notification mechanism described in Section 7 of this DPA
- Clause 11 (Redress): The optional language regarding independent dispute resolution is not included
- Clause 13 (Supervision): The supervisory authority of the EU Member State in which your establishment is located, or if you have no EEA establishment, the supervisory authority of the Member State where your EEA representative is appointed, will act as the competent supervisory authority
- Clause 17 (Governing law): Option 1: the law of Ireland
- Clause 18(b) (Forum): The courts of Ireland
- Annex I: As described in Section 3 of this DPA
- Annex II: As described in Annex II of this DPA
- Annex III: As described in the Sub-processor table in Section 7 of this DPA
UK Transfers
For transfers of Personal Data from the United Kingdom, the SCCs apply as amended by the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0, in force March 21, 2022), which is incorporated by reference.
Swiss Transfers
For transfers of Personal Data from Switzerland, the SCCs apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner, including that references to the GDPR are understood as references to the FADP where applicable.
12. Limitation of Liability
Each party’s liability under this DPA is subject to the limitations of liability set forth in the Agreement.
13. Conflicts
In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of Personal Data. In the event of a conflict between this DPA and the SCCs, the SCCs prevail.
Annex II: Technical and Organizational Security Measures
The Processor implements the following technical and organizational measures to protect Personal Data:
Encryption
- All data in transit is encrypted using TLS 1.2 or higher (HTTPS)
- Database connections use encrypted channels
Access Control
- Role-based access control within customer accounts (member, admin roles)
- All data queries are scoped to the authenticated user’s account at the application level
- Administrative access to production infrastructure is limited to authorized personnel using SSH key authentication
Authentication and Session Security
- Passwords are hashed using bcrypt with a secure cost factor
- Sessions expire after 12 hours of use or 30 minutes of inactivity
- Session tokens are rotated on password change, invalidating all other active sessions
- Rate limiting on authentication endpoints (5 attempts per email per 20 seconds, 20 per IP per minute)
Data Minimization
- Uploaded PDF documents are automatically purged within 24 hours of processing
- Only extracted structured data is retained for ongoing use
Personnel
- All personnel with access to Personal Data are bound by confidentiality obligations
- Access to production systems is restricted to essential personnel only
Sub-processor Oversight
- Sub-processors are selected based on their ability to provide appropriate security measures
- Sub-processor data processing obligations are documented in written agreements
- Sub-processor list is maintained and updated in Section 7 of this DPA
Incident Response
- Security Incident notification procedures as described in Section 6 of this DPA
- Defined escalation procedures for suspected breaches
Availability and Resilience
- Infrastructure hosted on Hetzner dedicated servers with redundant power and network
- Regular database backups
- Monitoring and alerting for service availability
Contact
For questions about this DPA, data protection inquiries, or to report a Security Incident, contact:
Engular LLC (PartParse)
Email: privacy@partparse.com