DevalandDevalandAI Deal OS

Data Processing Agreement

Last updated: June 2026

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Terms & Conditions between you ("Customer", the controller) and DEVALAND MARKETING S.R.L. ("Devaland", the processor). It applies automatically whenever you use Deal OS to process personal data contained in documents or data you upload to your workspace — no separate signature is required. A counter-signed copy is available on request at office@devaland.com.

1. Roles & Scope

For personal data contained in the documents and data you upload into a Deal OS workspace, you are the controller and Devaland is the processor, acting only on your documented instructions. For account, billing, and marketing data, Devaland is the controller and its Privacy Policy applies. This DPA governs Devaland's processing on your behalf and prevails over any conflicting term in the Terms with respect to such processing.

2. Subject Matter, Duration, Nature & Purpose

Devaland processes your personal data to provide the Deal OS platform — storing your deal documents and generating source-cited diligence briefs and findings from them — for the duration of your subscription and any wind-down period described in the Privacy Policy. Processing is limited to what is necessary to provide the service and to comply with law.

3. Types of Data & Data Subjects

The categories depend on what you upload. They may include:

  • Personal data: names, contact details, role/title, and any personal data appearing in CIMs, financials, contracts, and similar deal documents you choose to upload.
  • Data subjects: your team members, and individuals named in your deal documents (e.g., owners, management, employees, counterparties of a target company).

You are responsible for ensuring you have a lawful basis to upload and process this data, and you should avoid uploading special-category data unless necessary.

4. Devaland's Obligations (Art. 28(3) GDPR)

  • Instructions only: we process personal data only on your documented instructions, including for transfers, unless required by law (in which case we inform you unless legally prohibited).
  • Confidentiality: personnel authorised to process the data are bound by confidentiality.
  • Security: we implement appropriate technical and organisational measures under Article 32 (see §7).
  • Sub-processors: you grant general authorisation for the sub-processors in §6; we impose equivalent data-protection obligations on them and remain liable for their performance, and we give notice of intended changes so you can object.
  • Data-subject requests: we assist you, by appropriate measures, to respond to requests to exercise data-subject rights, and our self-serve export/deletion tools in Settings → Privacy & data support this.
  • Assistance: we assist you with security, breach notification, data-protection impact assessments, and prior consultation (Articles 32–36).
  • Deletion/return: on termination, at your choice, we delete or return your personal data and delete existing copies, save where storage is required by law (see Privacy Policy retention).
  • Audits: we make available the information needed to demonstrate compliance and allow for and contribute to audits, including inspections, on reasonable notice.
  • We do not use your documents to train AI models or for any purpose other than providing the service.

5. Personal-Data Breach

We notify you without undue delay after becoming aware of a personal-data breach affecting your data, with the information you need to meet your own obligations under Articles 33–34.

6. Sub-processors

  • Anthropic — AI generation of diligence briefs (document excerpts).
  • Stripe — payment processing and subscription billing.
  • Google Workspace — transactional and account email.
  • Hosting provider — server hosting and encrypted backups (EU/US region as agreed).

7. Security Measures

Encryption in transit (TLS); HTTP-only, Secure session cookies; per-client workspace isolation at the database and file level; hashed credentials (we never log credential values); nightly encrypted backups with periodic restore drills; and least-privilege access controls.

8. International Transfers

Where personal data is transferred outside the European Economic Area (for example to US-based sub-processors), we rely on the European Commission's Standard Contractual Clauses or other lawful transfer safeguards under Chapter V of the GDPR, with any additional measures required.

9. Governing Law

This DPA is governed by the laws of Romania and applicable EU law. DEVALAND MARKETING S.R.L., CUI 50841395, VAT RO50841395, Trade Registry J2024039063003, with registered office in Romania. Questions: office@devaland.com.