Data Processing Agreement

Last updated: March 22, 2026 · Effective: March 22, 2026

Who this applies to: This Data Processing Agreement (“DPA”) is incorporated by reference into the GovEtract Terms of Service and applies to all customers who use the Platform to process personal data of EU/EEA data subjects or California residents. This public page summarizes our standard data processing terms; customers who need a countersigned DPA should contact privacy@govetract.com.

1. Definitions

For the purposes of this DPA:

  • “Controller” means the customer entity that determines the purposes and means of processing personal data (you, the customer).
  • “Processor” means GovEtract, which processes personal data on behalf of the Controller.
  • “Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection law, including GDPR Article 4(1) and the CCPA.
  • “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • “Data Subject” means the natural person to whom Personal Data relates (e.g., your employees, contacts, or individuals whose data you enter into the Platform).
  • “GDPR” means the EU General Data Protection Regulation (Regulation 2016/679) and, where applicable, the UK GDPR.
  • “CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.), as amended by the CPRA.
  • “Sub-processor” means any third party engaged by GovEtract to process Personal Data on behalf of the Controller.
  • “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under GDPR Article 46(2)(c).

2. Scope and Roles

2.1 Controller and Processor Relationship

When you use the Platform, you act as the Controller of Personal Data you submit, and GovEtract acts as the Processor. GovEtract processes Personal Data only on your instructions as documented in this DPA and the Terms of Service.

2.2 Types of Personal Data Processed

The categories of Personal Data processed through the Platform may include, depending on how you use it:

  • Identity and contact data: Names, email addresses, phone numbers, and job titles of your employees and account users
  • Business identifiers: DUNS/UEI numbers, EIN/TIN, SAM.gov registration data, CAGE codes, and similar government contracting identifiers associated with individuals
  • Proposal and contract data: Contact details of contracting officers, program managers, or agency personnel included in proposals or contracts you manage
  • Past performance contacts: Names and contact information of references or evaluators referenced in past performance records
  • Authentication data: Email addresses and hashed passwords for platform accounts (processed exclusively by Supabase Auth)

2.3 Purposes of Processing

GovEtract processes Personal Data solely to provide and maintain the Platform services as described in the Terms of Service, including:

  • Authenticating and authorizing platform users
  • Storing and organizing your government contracting data
  • Generating AI-assisted content (proposals, compliance summaries) using the context you provide
  • Sending transactional communications (account verification, notifications, security alerts)
  • Detecting and preventing fraud, abuse, and security incidents
  • Complying with legal obligations

3. Controller Obligations

As the Controller, you represent and warrant that:

  • You have a lawful basis for processing all Personal Data you submit to the Platform under applicable data protection law (e.g., legitimate interest, contractual necessity, consent, or legal obligation)
  • You have provided Data Subjects with appropriate privacy notices describing how their data may be processed by third-party service providers, including GovEtract
  • You will not submit to the Platform special categories of personal data (including health data, biometric data, racial or ethnic origin, religious beliefs, or sexual orientation) unless strictly necessary for government contracting and only if you have an explicit legal basis for doing so
  • You will promptly notify GovEtract of any changes to your instructions that may affect the lawfulness of processing
  • You are solely responsible for the accuracy, completeness, and legality of the Personal Data you submit

4. Processor Obligations

4.1 Processing on Instructions

GovEtract will process Personal Data only on documented instructions from the Controller (as set out in this DPA and the Terms of Service), unless required to do so by applicable law. If GovEtract is required by law to process data beyond your instructions, we will notify you before processing unless prohibited from doing so by law.

4.2 Confidentiality

GovEtract ensures that all personnel authorized to process Personal Data are bound by confidentiality obligations. Access to Personal Data is limited to personnel who need it to provide or maintain the Platform.

4.3 Security Measures

GovEtract implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized access, disclosure, alteration, or destruction, as described in our Security Policy. These measures include:

  • Encryption and secure transport features provided by our infrastructure vendors
  • Workspace isolation controls such as database-level access restrictions
  • Restricted access to production systems and operational tooling
  • Logging, monitoring, and maintenance practices used to operate the service

4.4 Data Subject Rights Assistance

GovEtract will, to the extent possible given the nature of the processing, assist the Controller in responding to Data Subject requests to exercise rights under applicable law (access, rectification, erasure, restriction, portability, objection). Data Subjects wishing to exercise rights should first contact the Controller (you). If you need GovEtract's assistance, contact privacy@govetract.com.

4.5 Data Protection Impact Assessments

GovEtract will provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) where required by GDPR Article 35, to the extent such assistance is possible given GovEtract's role as Processor.

4.6 Breach Notification

GovEtract will notify the Controller without undue delay after confirming a Personal Data breach affecting data processed under this DPA, consistent with applicable law and any separately agreed contractual commitments. Notification may include:

  • The nature of the breach, including categories and approximate number of records affected
  • Contact information for the GovEtract data protection point of contact
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

The Controller is responsible for notifying supervisory authorities and Data Subjects as required by applicable law.

4.7 Deletion and Return

Upon termination of the Terms of Service, GovEtract will, at the Controller's election:

  • Return: Provide an export of your data in a machine-readable format within 30 days of the termination date, upon written request submitted before termination or within 30 days after
  • Delete: Securely delete or anonymize all Personal Data within 90 days of account termination, except to the extent retention is required by applicable law or legitimate legal hold

GovEtract will certify deletion in writing upon request. Backups are deleted on their normal rotation schedule (within 7–30 days depending on backup tier).

5. Sub-processors

5.1 Authorization and List

By entering into this DPA, you provide general authorization for GovEtract to engage sub-processors to process Personal Data in connection with providing the Platform. Our current sub-processors are:

| Sub-processor | Purpose | Data location | Reference |
|---|---|---|---|
| Supabase, Inc. | Database hosting, authentication, and file storage | United States (AWS us-east-1) | See provider documentation |
| Vercel, Inc. | Application hosting and edge compute | United States / Global edge | See provider documentation |
| Anthropic, PBC | AI language model inference (proposal generation, AI assistant) | United States | See provider documentation |
| OpenAI, LLC | AI language model inference (supplemental features) | United States | See provider documentation |

5.2 Change Notice

GovEtract will notify you at least 14 days in advance of adding or replacing a sub-processor by posting an updated sub-processor list and sending an email notification to your account email address. You may object to a new sub-processor within 14 days of notice by emailing privacy@govetract.com. If the parties cannot resolve the objection, either party may terminate the affected services with 30 days' notice without penalty.

5.3 Sub-processor Obligations

GovEtract imposes data protection obligations on each sub-processor equivalent to those in this DPA, by contract. GovEtract remains liable to the Controller for the performance of sub-processors' obligations to the extent they fail to meet their obligations.

6. International Data Transfers

6.1 Transfer Mechanisms

GovEtract is based in the United States. When Personal Data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States, the transfer is governed by the EU Standard Contractual Clauses (SCCs) adopted by the European Commission Decision 2021/914 (Module Two: Controller to Processor).

By entering into this DPA, the Controller (as data exporter) and GovEtract (as data importer) are deemed to have entered into the applicable SCCs, which are incorporated herein by reference. The details required by the SCCs (Annexes I, II, and III) are described in this DPA.

6.2 UK Transfers

For transfers from the United Kingdom, the UK International Data Transfer Addendum (IDTA) issued by the ICO (in force March 21, 2022) supplements the EU SCCs and is incorporated herein by reference.

6.3 Transfer Impact Assessment

Where required, GovEtract may assess cross-border transfer risks and implement supplementary measures that are appropriate to the processing involved. Additional details may be made available on request where appropriate.

7. Audit Rights

GovEtract will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits, subject to the following conditions:

  • Documentation review: GovEtract will provide relevant security documentation and responses to a reasonable security questionnaire upon written request, subject to confidentiality and availability
  • On-site audits: Controllers may conduct or commission an on-site audit of GovEtract's data processing activities upon 60 days' written notice, subject to reasonable conditions including execution of a non-disclosure agreement, audit scope agreement, scheduling during business hours, and reimbursement of GovEtract's reasonable out-of-pocket costs
  • Frequency: On-site audits are limited to once per 12-month period, unless required by a supervisory authority following a confirmed breach
  • Confidentiality: Audit findings are confidential and may not be disclosed to third parties without GovEtract's prior written consent, except to the relevant supervisory authority

8. CCPA Service Provider Terms

For purposes of the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), GovEtract is a “Service Provider” as defined in Cal. Civ. Code §1798.140(ag). GovEtract:

  • Processes Personal Information only for the business purpose of providing the Platform as specified in this DPA and the Terms of Service
  • Does not sell or share Personal Information (as defined under CCPA/CPRA) received from the Controller
  • Does not retain, use, or disclose Personal Information for any purpose other than the business purpose specified in this DPA, including for its own commercial purpose
  • Does not combine Personal Information received from the Controller with Personal Information received from other sources, except as permitted under CCPA/CPRA
  • Will assist the Controller in responding to verifiable consumer requests under CCPA to the extent technically feasible
  • Certifies that it understands and will comply with these restrictions

9. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service, except to the extent that applicable data protection law does not permit such limitations (e.g., for intentional misconduct or gross negligence).

Where both parties are responsible for a Data Subject's loss or damage, liability shall be apportioned according to the degree of each party's fault. GovEtract is not responsible for losses or claims arising from the Controller's failure to fulfill its own obligations under applicable data protection law.

10. Term and Termination

This DPA is effective from the date you first accept the Terms of Service (or the effective date of this version, whichever is later) and remains in force for as long as GovEtract processes Personal Data on your behalf.

Upon termination of the Terms of Service, this DPA terminates automatically, except that obligations relating to data deletion, return, confidentiality, and any ongoing breach investigations survive termination.

11. Governing Law

This DPA is governed by the same governing law as the Terms of Service (the laws of the State of Delaware, United States), except to the extent that applicable data protection law requires the law of another jurisdiction to apply (e.g., GDPR disputes before EU supervisory authorities).

Nothing in this DPA limits the right of a Data Subject or supervisory authority to bring claims under applicable data protection law in the jurisdiction where the Data Subject resides.

12. Contact and Data Protection Officer

For questions about this DPA, data protection inquiries, or to exercise rights on behalf of your users:

EU/UK Data Subjects may also lodge complaints with their local supervisory authority. A list of EU supervisory authorities is available on the European Data Protection Board's website. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk.