Data Processing Addendum (DPA)

Last updated: May 16, 2026

1. Scope and Parties

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Couranr LLC, a Virginia limited-liability company operating Proveo ("Processor", "we"), and the customer that has entered into the Terms ("Controller", "you"). It applies to our processing of Personal Data on your behalf where you are a Controller subject to the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection ("FADP"), or any other applicable data-protection law that requires a written processor agreement.

This DPA is automatically incorporated into the Terms when you (a) are established in or process the personal data of individuals in the EEA, UK, or Switzerland, or (b) sign this DPA and return it to privacy@proveohq.com. No additional signature is required for incorporation. In the event of conflict between this DPA and the Terms, this DPA governs with respect to processing of Personal Data.

2. Definitions

  • "Personal Data", "Processing", "Data Subject", "Controller", and "Processor" have the meanings given in the GDPR.
  • "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
  • "Applicable Data Protection Laws" means the GDPR, UK GDPR, FADP, CCPA / CPRA, and any other privacy law that applies to your use of the Service.
  • "SCCs" means the Standard Contractual Clauses approved by the European Commission in Decision 2021/914, including all annexes.
  • "UK Addendum" means the International Data Transfer Addendum issued by the UK Information Commissioner's Office.
  • "Personal Data Breach" has the meaning in Article 4(12) GDPR.
  • Other terms used here have the meaning given in the Terms of Service.

3. Roles and Responsibilities

For Personal Data processed under the Terms, you act as the Controller (or, where applicable, as a Processor acting for your own customer) and we act as the Processor. You are responsible for ensuring that you have a lawful basis to provide us the Personal Data and that all required notices and consents have been obtained from Data Subjects.

4. Subject Matter, Duration and Purpose

The subject matter of the processing is the provision of the Proveo service. The duration is the term of the Terms plus the deletion period described in section 12 below. The categories of Data Subjects and Personal Data are:

  • Data Subjects: your team members, your customers (when they appear in photos or submit leads), portfolio visitors, and end-users of features you enable.
  • Categories of Personal Data: name, email, phone, business name and address, photos that may contain identifiable persons or property, IP address, device identifiers, lead form submissions, AI prompts and outputs, and account-activity metadata.
  • Special categories of Personal Data: not intentionally processed. You agree not to submit special-category data (Article 9 GDPR) to the Service unless we agree in writing.
  • Nature and purpose: hosting, image processing, AI-assisted features, communications, analytics and operational support of the Service.

5. Sub-processors

You grant us a general authorisation to engage Sub-processors to provide the Service. Our current Sub-processors are listed at /subprocessors. We will give you at least 30 days' notice before engaging a new Sub-processor (by updating that page and emailing you if you have subscribed to updates). You may object on reasonable data-protection grounds during that period; if we cannot resolve the objection we will, as your sole remedy, allow you to terminate the affected portion of the Service and receive a prorated refund.

6. Security Measures

We implement and maintain appropriate technical and organisational measures designed to protect Personal Data against unauthorised or unlawful processing and accidental loss, destruction, damage, or alteration. Measures include:

  • TLS 1.2+ encryption in transit and AES-256 encryption at rest for primary database and object storage.
  • Postgres Row-Level Security on every multi-tenant table.
  • Role-based access controls and least-privilege provisioning for staff. Production access requires multi-factor authentication.
  • Rate limiting and abuse detection on authentication, AI, and public-facing endpoints.
  • Automated daily backups with point-in-time recovery for the primary database.
  • Stripe webhook signature verification for billing events.
  • Vendor-side certifications inherited from our Sub-processor list (SOC 2, ISO 27001, PCI DSS where applicable).

7. Personal Data Breach

We will notify you of a Personal Data Breach affecting your data without undue delay, and in any event within seventy-two (72) hours after becoming aware of it. Our notice will include, where known, a description of the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to mitigate the breach. We will reasonably assist you with your own breach-notification obligations under Articles 33–34 GDPR.

8. Data Subject Rights

Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under Articles 12–22 GDPR (access, rectification, erasure, restriction, portability, objection). The Service includes self-service tools (account export, data deletion) you can use to fulfil most requests directly. For requests we must execute, contact privacy@proveohq.com.

9. International Transfers

Where we transfer Personal Data outside the EEA, UK, or Switzerland to a country that does not benefit from an adequacy decision, the transfer is governed by:

  • EU Standard Contractual Clauses Module 2 (Controller to Processor), Module 3 (Processor to Processor) as applicable, with Docking Clause selected, Option 1 of Clause 9 (general written authorisation), and governing law of the Republic of Ireland for purposes of the SCCs (or, for UK transfers, the laws of England and Wales).
  • For UK transfers: the UK International Data Transfer Addendum, with Tables 1, 2 and 3 completed by reference to this DPA and our Sub-processor list.
  • For Swiss transfers: the SCCs as adapted by the Swiss FDPIC, with references to the GDPR understood as references to the Swiss FADP and Swiss law as governing law.

A Transfer Impact Assessment (TIA) is maintained internally and is available upon written request to privacy@proveohq.com.

10. Audit Rights

On reasonable prior written notice (no more frequently than once per twelve months, except where required following a Personal Data Breach or by a supervisory authority), we will make available to you the information necessary to demonstrate compliance with Article 28 GDPR. To the extent possible we will satisfy audit obligations by providing summaries of our most recent independent third-party audit reports and our Sub-processors' SOC 2 / ISO 27001 reports. On-site audits, where required by law, are at your expense and must be conducted in a manner that does not disrupt our operations or compromise the confidentiality of other customers.

11. Confidentiality

We ensure that staff authorised to process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory, that survive the termination of their engagement.

12. Deletion or Return on Termination

On termination of the Terms, you can export your data through self-service tools for up to thirty (30) days. After that period, we delete or anonymise your Personal Data from active production systems within sixty (60) days, and from backups in the ordinary course (typically within ninety (90) days). Certain Personal Data may be retained where retention is required by law (e.g. invoicing records, anti-fraud logs), in which case it remains subject to the protections in this DPA for the retention period.

13. Liability, Governing Law and Contact

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. This DPA is governed by the law that governs the Terms, except that, with respect to the SCCs, the SCCs' own governing-law and jurisdiction provisions apply. Questions, signature requests, or Data Subject Rights requests can be sent to privacy@proveohq.com.