Legal

Data Processing Agreement

Last updated: March 22, 2026 · Effective: March 22, 2026

Who this applies to: This Data Processing Agreement (“DPA”) is incorporated by reference into the GovEtract Terms of Service and applies to all customers who use the Platform to process personal data of EU/EEA data subjects or California residents. This public page summarizes our standard data processing terms; customers who need a countersigned DPA should contact privacy@govetract.com.

1. Definitions

For the purposes of this DPA:

“Controller” means the customer entity that determines the purposes and means of processing personal data (you, the customer).
“Processor” means GovEtract, which processes personal data on behalf of the Controller.
“Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection law, including GDPR Article 4(1) and the CCPA.
“Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
“Data Subject” means the natural person to whom Personal Data relates (e.g., your employees, contacts, or individuals whose data you enter into the Platform).
“GDPR” means the EU General Data Protection Regulation (Regulation 2016/679) and, where applicable, the UK GDPR.
“CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.), as amended by the CPRA.
“Sub-processor” means any third party engaged by GovEtract to process Personal Data on behalf of the Controller.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under GDPR Article 46(2)(c).

2. Scope and Roles

2.1 Controller and Processor Relationship

When you use the Platform, you act as the Controller of Personal Data you submit, and GovEtract acts as the Processor. GovEtract processes Personal Data only on your instructions as documented in this DPA and the Terms of Service.

2.2 Types of Personal Data Processed

The categories of Personal Data processed through the Platform may include, depending on how you use it:

Identity and contact data: Names, email addresses, phone numbers, and job titles of your employees and account users
Business identifiers: DUNS/UEI numbers, EIN/TIN, SAM.gov registration data, CAGE codes, and similar government contracting identifiers associated with individuals
Proposal and contract data: Contact details of contracting officers, program managers, or agency personnel included in proposals or contracts you manage
Past performance contacts: Names and contact information of references or evaluators referenced in past performance records
Authentication data: Email addresses and hashed passwords for platform accounts (processed exclusively by Supabase Auth)

2.3 Purposes of Processing

GovEtract processes Personal Data solely to provide and maintain the Platform services as described in the Terms of Service, including:

Authenticating and authorizing platform users
Storing and organizing your government contracting data
Generating AI-assisted content (proposals, compliance summaries) using the context you provide
Sending transactional communications (account verification, notifications, security alerts)
Detecting and preventing fraud, abuse, and security incidents
Complying with legal obligations

3. Controller Obligations

As the Controller, you represent and warrant that:

You have a lawful basis for processing all Personal Data you submit to the Platform under applicable data protection law (e.g., legitimate interest, contractual necessity, consent, or legal obligation)
You have provided Data Subjects with appropriate privacy notices describing how their data may be processed by third-party service providers, including GovEtract
You will not submit to the Platform special categories of personal data (including health data, biometric data, racial or ethnic origin, religious beliefs, or sexual orientation) unless strictly necessary for government contracting and only if you have an explicit legal basis for doing so
You will promptly notify GovEtract of any changes to your instructions that may affect the lawfulness of processing
You are solely responsible for the accuracy, completeness, and legality of the Personal Data you submit

4. Processor Obligations

4.1 Processing on Instructions

GovEtract will process Personal Data only on documented instructions from the Controller (as set out in this DPA and the Terms of Service), unless required to do so by applicable law. If GovEtract is required by law to process data beyond your instructions, we will notify you before processing unless prohibited from doing so by law.

4.2 Confidentiality

GovEtract ensures that all personnel authorized to process Personal Data are bound by confidentiality obligations. Access to Personal Data is limited to personnel who need it to provide or maintain the Platform.

4.3 Security Measures

GovEtract implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized access, disclosure, alteration, or destruction, as described in our Security Policy. These measures include:

Encryption and secure transport features provided by our infrastructure vendors
Workspace isolation controls such as database-level access restrictions
Restricted access to production systems and operational tooling
Logging, monitoring, and maintenance practices used to operate the service

4.4 Data Subject Rights Assistance

GovEtract will, to the extent possible given the nature of the processing, assist the Controller in responding to Data Subject requests to exercise rights under applicable law (access, rectification, erasure, restriction, portability, objection). Data Subjects wishing to exercise rights should first contact the Controller (you). If you need GovEtract's assistance, contact privacy@govetract.com.

4.5 Data Protection Impact Assessments

GovEtract will provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) where required by GDPR Article 35, to the extent such assistance is possible given GovEtract's role as Processor.

4.6 Breach Notification

GovEtract will notify the Controller without undue delay after confirming a Personal Data breach affecting data processed under this DPA, consistent with applicable law and any separately agreed contractual commitments. Notification may include:

The nature of the breach, including categories and approximate number of records affected
Contact information for the GovEtract data protection point of contact
Likely consequences of the breach
Measures taken or proposed to address the breach

The Controller is responsible for notifying supervisory authorities and Data Subjects as required by applicable law.

4.7 Deletion and Return

Upon termination of the Terms of Service, the Controller may request return or deletion of Personal Data, subject to GovEtract's standard account-closure, retention, backup, and legal-hold practices.

Return: GovEtract may provide a machine-readable export of customer data for a limited period after termination, subject to the process described in the Terms of Service and technical feasibility
Delete: GovEtract will delete or anonymize Personal Data in accordance with its standard retention and backup practices, except to the extent retention is required by applicable law, security, fraud prevention, billing, or legitimate legal hold

GovEtract may provide written confirmation of deletion where operationally feasible. Backup copies are removed according to GovEtract's normal backup rotation practices.

5. Sub-processors

5.1 Authorization and List

By entering into this DPA, you provide general authorization for GovEtract to engage sub-processors to process Personal Data in connection with providing the Platform. Our current and feature-conditional sub-processors may include:

Sub-processor	Purpose	Data location	Reference
Supabase, Inc.	Database hosting, authentication, and file storage	United States (AWS us-east-1)	See provider documentation
Vercel, Inc.	Application hosting and edge compute	United States / Global edge	See provider documentation
Anthropic, PBC	AI language model inference (proposal generation, AI assistant)	United States	See provider documentation
OpenAI, LLC	AI language model inference (supplemental features)	United States	See provider documentation
Resend, Inc.	Transactional email delivery	United States	See provider documentation
Stripe, Inc.	Billing checkout, subscription management, and payment-related customer records	United States	See provider documentation
Sentry (Functional Software, Inc.)	Error monitoring, diagnostics, and service performance telemetry (if enabled)	United States	See provider documentation
Upstash, Inc.	Distributed rate limiting and request-protection storage	United States	See provider documentation
ElevenLabs, Inc.	Voice guide session setup, speech inference, and related audio processing (if enabled)	United States	See provider documentation

5.2 Change Notice

GovEtract may update its sub-processor list from time to time and will use commercially reasonable efforts to provide notice of material changes by posting an updated list or sending notice to your account email address when practicable. If you have a reasonable data-protection objection to a new sub-processor, you may email privacy@govetract.com. The parties will work in good faith to address the objection, which may include discussing alternative processing arrangements where feasible.

5.3 Sub-processor Obligations

GovEtract imposes data protection obligations on each sub-processor equivalent to those in this DPA, by contract. GovEtract remains liable to the Controller for the performance of sub-processors' obligations to the extent they fail to meet their obligations.

6. International Data Transfers

6.1 Transfer Mechanisms

GovEtract is based in the United States. When Personal Data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States, the transfer is governed by the EU Standard Contractual Clauses (SCCs) adopted by the European Commission Decision 2021/914 (Module Two: Controller to Processor).

By entering into this DPA, the Controller (as data exporter) and GovEtract (as data importer) are deemed to have entered into the applicable SCCs, which are incorporated herein by reference. The details required by the SCCs (Annexes I, II, and III) are described in this DPA.

6.2 UK Transfers

For transfers from the United Kingdom, the UK International Data Transfer Addendum (IDTA) issued by the ICO (in force March 21, 2022) supplements the EU SCCs and is incorporated herein by reference.

6.3 Transfer Impact Assessment

Where required, GovEtract may assess cross-border transfer risks and implement supplementary measures that are appropriate to the processing involved. Additional details may be made available on request where appropriate.

7. Audit Rights

GovEtract may make available reasonable information about its privacy and security controls to help customers assess compliance with this DPA, subject to confidentiality, resource availability, and the nature of the customer relationship.

Documentation review: GovEtract may provide relevant security summaries, policies, or responses to a reasonable questionnaire upon written request, subject to confidentiality, scope, and availability
On-site audits: Routine on-site audits are not granted through this public DPA page. Any enhanced audit, assurance, or customer-specific review rights require a separate written agreement
Scope and frequency: Any additional review process will be limited to a reasonable scope, timing, and frequency designed to avoid undue disruption to GovEtract's operations or other customers
Confidentiality: Audit findings are confidential and may not be disclosed to third parties without GovEtract's prior written consent, except as required by law or to the relevant supervisory authority

8. CCPA Service Provider Terms

For purposes of the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), GovEtract is a “Service Provider” as defined in Cal. Civ. Code §1798.140(ag). GovEtract:

Processes Personal Information only for the business purpose of providing the Platform as specified in this DPA and the Terms of Service
Does not sell or share Personal Information (as defined under CCPA/CPRA) received from the Controller
Does not retain, use, or disclose Personal Information for any purpose other than the business purpose specified in this DPA, including for its own commercial purpose
Does not combine Personal Information received from the Controller with Personal Information received from other sources, except as permitted under CCPA/CPRA
Will assist the Controller in responding to verifiable consumer requests under CCPA to the extent technically feasible
Certifies that it understands and will comply with these restrictions

9. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service, except to the extent that applicable data protection law does not permit such limitations (e.g., for intentional misconduct or gross negligence).

Where both parties are responsible for a Data Subject's loss or damage, liability shall be apportioned according to the degree of each party's fault. GovEtract is not responsible for losses or claims arising from the Controller's failure to fulfill its own obligations under applicable data protection law.

10. Term and Termination

This DPA is effective from the date you first accept the Terms of Service (or the effective date of this version, whichever is later) and remains in force for as long as GovEtract processes Personal Data on your behalf.

Upon termination of the Terms of Service, this DPA terminates automatically, except that obligations relating to data deletion, return, confidentiality, and any ongoing breach investigations survive termination.

11. Governing Law

This DPA is governed by the same governing law as the Terms of Service (the laws of the State of Delaware, United States), except to the extent that applicable data protection law requires the law of another jurisdiction to apply (e.g., GDPR disputes before EU supervisory authorities).

Nothing in this DPA limits the right of a Data Subject or supervisory authority to bring claims under applicable data protection law in the jurisdiction where the Data Subject resides.

12. Contact and Data Protection Officer

For questions about this DPA, data protection inquiries, or to exercise rights on behalf of your users:

Privacy and DPA inquiries: privacy@govetract.com
Security incidents: security@govetract.com
Mailing address: Available on request

EU/UK Data Subjects may also lodge complaints with their local supervisory authority. A list of EU supervisory authorities is available on the European Data Protection Board's website. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk.