ProductPricingAboutResourcesBlogPartnersJoin the Waitlist
Legal

Data Processing Addendum

Effective Date: June 9, 2026  ·  Last Updated: June 9, 2026

This Data Processing Addendum (“DPA”) supplements and forms part of the Dynition Master Services Agreement (MSA) between Dynition LLC (“Dynition”) and the customer (“Customer”). It governs the processing of Personal Data and supports the EU GDPR (Article 28), the UK GDPR, and the CCPA/CPRA service-provider requirements.

1. Definitions

Terms not defined here have the meaning in the MSA. “Data Protection Laws” means applicable privacy and data-protection laws, including the EU GDPR, UK GDPR, and the California Consumer Privacy Act as amended (CCPA/CPRA). “Personal Data,” “Controller,” “Processor,” “Process/Processing,” “Data Subject,” and “Personal Data Breach” have the meanings in the GDPR (and the analogous CCPA terms apply for California data). “Customer Personal Data” means Personal Data within Customer Data that Dynition Processes on Customer's behalf.

2. Roles and Scope

2.1 Roles. For Customer Personal Data, Customer is the Controller (or processor acting for another controller) and Dynition is the Processor (or sub-processor). Under CCPA/CPRA, Dynition acts as a Service Provider.

2.2 Instructions. Dynition will Process Customer Personal Data only (a) to provide and support the Service, (b) as further documented in the MSA and this DPA, and (c) on Customer's reasonable documented instructions. Dynition will notify Customer if it believes an instruction violates Data Protection Laws.

2.3 Service-Provider Restrictions (CCPA/CPRA). Dynition will not (a) sell or share Customer Personal Data; (b) retain, use, or disclose it for any purpose other than performing the Service (which includes improving the quality of the Service as permitted by CCPA/CPRA), or outside the direct business relationship; or (c) combine it with data from other sources except as permitted by CCPA. Dynition certifies it understands and will comply with these restrictions.

2.4 AI Models; No Training on Personal Data. Consistent with MSA Section 6.2, Dynition will not use Customer Personal Data to train, retrain, or fine-tune its AI models; Dynition improves its models using de-identified data as described in MSA Section 6.3. Dynition maintains contractual commitments with its model providers prohibiting them from using Customer Personal Data to train their foundation models.

3. Confidentiality and Security

3.1 Confidentiality. Dynition ensures personnel authorized to Process Customer Personal Data are bound by confidentiality.

3.2 Security Measures. Dynition will implement and maintain the technical and organizational measures in Annex II, including encryption in transit and at rest, access controls, and infrastructure hosted on Google Cloud Platform.

4. Sub-processors

4.1 Authorization. Customer authorizes Dynition to engage sub-processors to provide the Service. Current sub-processors include those listed in Annex III (which includes Google LLC / Google Cloud Platform for hosting).

4.2 Obligations and Notice. Dynition will impose data-protection obligations on sub-processors no less protective than this DPA and remains responsible for their performance. Dynition will give Customer notice of new sub-processors via a posted sub-processor list before they begin Processing, and Customer may object on reasonable data-protection grounds.

5. Data Subject Requests; Assistance

5.1 Data Subject Requests. Taking into account the nature of Processing, Dynition will assist Customer with reasonable technical/organizational measures to respond to Data Subject requests (access, deletion, correction, portability, objection). If Dynition receives such a request directly, it will direct the Data Subject to Customer.

5.2 Assistance. Dynition will provide reasonable assistance with Customer's data-protection impact assessments, consultations with authorities, and security obligations, taking into account the information available to Dynition.

6. Personal Data Breach

Dynition will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to help Customer meet its notification obligations. Notice is not an acknowledgment of fault.

7. International Transfers

Dynition serves customers in the EU and UK. Where Customer Personal Data subject to the EU GDPR or UK GDPR is transferred to a country without an adequacy decision (including transfers to the United States), the parties agree that:

  • the EU Standard Contractual Clauses (SCCs) (Commission Implementing Decision (EU) 2021/914), Module Two (Controller-to-Processor), are incorporated by reference and apply, with the parties' details and elections completed in Annex I; and
  • for UK transfers, the UK International Data Transfer Addendum (IDTA) to the EU SCCs is incorporated by reference and applies.

In a conflict between the SCCs and this DPA, the SCCs prevail for transfers they govern.

8. Audit

Dynition will make available to Customer the information reasonably necessary to demonstrate Dynition's compliance with this DPA, including security documentation, written responses to a reasonable security questionnaire (no more than once per 12 months), and relevant third-party audit reports and certifications where available (for example, the SOC 2 and ISO 27001 reports of Dynition's hosting provider). The parties agree that providing this information satisfies Customer's audit and inspection rights under this DPA, and Dynition is not required to permit on-site or physical audits or inspections of its facilities or systems.

9. Return and Deletion

On termination of the Service, Dynition will, at Customer's choice, return or delete Customer Personal Data within 30 days, except to the extent retention is required by law; this aligns with MSA Section 9.4.

10. General

This DPA is part of the MSA and is subject to its limitation of liability (MSA Section 11). In a conflict between this DPA and the MSA on Personal Data matters, this DPA controls. Governing law and dispute resolution follow the MSA (Delaware law and binding arbitration under MSA Section 13.1) except where Data Protection Laws or the SCCs require otherwise, in which case the governing law and forum specified by the SCCs, and any mandatory supervisory-authority or court jurisdiction under Data Protection Laws, apply to the matters they govern.

Annex I: Processing Details and SCC Elections

  • Controller: Customer (identified at account creation / in the Order).
  • Processor: Dynition LLC, 1153 Old Marine Dr, Unit A, Bellingham, WA 98225 (Attn: Micah Thomas, Member), legal@dynition.ai.
  • Subject matter: provision of the Dynition Service.
  • Duration: the term of the MSA plus the return/deletion period.
  • Nature and purpose: ingesting and reading inbound documents (purchase orders, quotes, inquiries), extracting and matching data to the customer's catalog and pricing, generating Output, and reading/writing data in Connected Systems to provide the Service.
  • Categories of Data Subjects: Customer's personnel and Customer's business contacts/customers represented in Customer Data (e.g., buyer/contact names and details on purchase orders and in customer lists).
  • Categories of Personal Data: business contact details (names, business email/phone, company, role) and order/transaction data containing such details.
  • Special categories: none intended.
  • Frequency: continuous, for the term.

SCC elections (EU SCCs, Module Two):

  • Clause 7 (docking clause): applies.
  • Clause 9 (sub-processors): Option 2 (general written authorization); notice as provided in Section 4.2.
  • Clause 11 (independent dispute resolution / redress): the optional language does not apply.
  • Clause 17 (governing law): the law of Ireland.
  • Clause 18 (forum): the courts of Ireland.
  • Annex I.C (competent supervisory authority): the Irish Data Protection Commission.
  • UK transfers: the UK IDTA applies; the IDTA tables are completed with the corresponding details above, with UK courts and the UK Information Commissioner's Office as the relevant forum and authority.

Annex II: Security Measures (summary)

  • Encryption of Customer Data in transit (TLS) and at rest.
  • Role-based access controls and least-privilege access; access logging.
  • Hosting on Google Cloud Platform (infrastructure independently certified to SOC 1/2/3 and ISO 27001).
  • Network and application security controls; secrets management.
  • Backup and recovery practices.
  • Personnel confidentiality obligations and security awareness.
  • Vendor/sub-processor management.
  • Incident detection and response, including breach notification per Section 6.

Annex III: Sub-processors

  • Google LLC (Google Cloud Platform): cloud hosting and infrastructure (United States).
  • Google LLC (Gemini API / Google Cloud Vertex AI): AI model inference (United States).
  • Postmark (ActiveCampaign, LLC): transactional email (United States).

Contact

Questions about this DPA: legal@dynition.ai.