This DPA governs how productbet.io processes personal data on behalf of its customers in compliance with the GDPR and other applicable data protection laws.
Last updated: March 1, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between the Customer (“Controller”) and productbet.io (“Processor”) for the provision of the productbet.io platform (the “Service”). It applies to all Processing of Personal Data carried out by the Processor on behalf of the Controller in connection with the Service.
The Processor shall process Personal Data solely for the purpose of providing, maintaining, and improving the Service as instructed by the Controller, and shall not process Personal Data for any other purpose unless required by Applicable Data Protection Law.
The Personal Data processed under this DPA may include: names, email addresses, job titles, organization names, user-generated content (such as product bets, priorities, and opportunity descriptions), integration metadata from connected third-party tools (such as issue titles, customer feedback excerpts, and CRM records), and usage analytics data.
Data Subjects include the Controller's employees, contractors, and authorized users of the Service, as well as individuals whose Personal Data may be contained in signals, feedback, or records imported from the Controller's connected integrations.
The Processor shall process Personal Data for the duration of the agreement for the Service. Upon termination of the agreement, the Processor shall delete or return all Personal Data in accordance with Section 12 of this DPA, unless retention is required by Applicable Data Protection Law.
The Processor shall: (a) process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data to a third country, unless required to do so by Applicable Data Protection Law; (b) ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (c) implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 7; (d) respect the conditions for engaging Sub-processors as set out in Section 8; (e) assist the Controller in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law; (f) assist the Controller in ensuring compliance with obligations related to security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation with supervisory authorities; (g) at the choice of the Controller, delete or return all Personal Data after the end of the provision of the Service; and (h) make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller.
The Controller shall: (a) comply with its obligations under Applicable Data Protection Law with respect to the Processing of Personal Data and any processing instructions it issues to the Processor; (b) ensure that it has obtained all necessary consents and legal bases for the processing of Personal Data by the Processor; and (c) inform the Processor without undue delay if it becomes aware of any data protection issues relating to the Processing.
The Processor implements the following technical and organizational measures to protect Personal Data:
Tenant isolation — Every database query and mutation is scoped to the Controller's organization ID. Document-level ownership checks prevent cross-tenant access even if record identifiers are guessed.
Encryption at rest — All integration credentials (API keys, OAuth tokens) are encrypted with AES-256-GCM using a server-side key that is never exposed to the client.
Authentication — JWT-based sessions issued by Clerk with short expiry windows. Organization membership and roles are verified server-side on every request.
AI processing isolation — All AI workflows are stateless and tenant-scoped. Prompts are constructed from the Controller's data only, and no tenant context persists between invocations. Data is not retained by the AI provider for model training.
Serverless architecture — The Service runs on Convex, a serverless platform where each function invocation is isolated. There is no shared in-memory state, no shared connection pool, and no mutable global.
Access controls — Production infrastructure access is restricted to authorized personnel using multi-factor authentication. Credentials and API keys are never logged.
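To make the first two measures above concrete, the following is an added illustration (not code from productbet.io or from Convex) of how a credential can be sealed with AES-256-GCM under a server-side key and how a record lookup can be scoped to the caller's organization so that a guessed record identifier from another tenant is refused. The in-memory `store`, the `Session` shape, the `SERVER_KEY` and all sample values are constructed for this example; a production service would load the key from a secrets manager and derive the session's organization from a verified token.

```typescript
// Added example: AES-256-GCM sealing of integration credentials plus
// tenant-scoped, ownership-checked access. Hypothetical in-memory store,
// not the Service's actual data layer.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Server-side key (constructed here; would come from a secrets manager and
// must never be reachable from the client).
const SERVER_KEY: Buffer = randomBytes(32);

interface SealedSecret {
  iv: string;   // 12-byte nonce, base64
  tag: string;  // 16-byte GCM authentication tag, base64
  data: string; // ciphertext, base64
}

// Encrypt a plaintext credential; a fresh nonce is generated per call because
// nonce reuse under the same key breaks GCM's confidentiality and integrity.
function sealCredential(plaintext: string, key: Buffer = SERVER_KEY): SealedSecret {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const data = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    data: data.toString("base64"),
  };
}

// Decrypt and verify; final() throws if the tag does not match, which covers
// both tampered ciphertext and decryption under the wrong key.
function openCredential(sealed: SealedSecret, key: Buffer = SERVER_KEY): string {
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(sealed.iv, "base64"));
  decipher.setAuthTag(Buffer.from(sealed.tag, "base64"));
  return Buffer.concat([
    decipher.update(Buffer.from(sealed.data, "base64")),
    decipher.final(),
  ]).toString("utf8");
}

// Returns true when a one-bit change to the ciphertext is rejected on open.
function tamperedCiphertextRejected(sealed: SealedSecret): boolean {
  const bad = Buffer.from(sealed.data, "base64");
  bad[0] ^= 0x01;
  try {
    openCredential({ ...sealed, data: bad.toString("base64") });
    return false;
  } catch {
    return true;
  }
}

// ---- tenant-scoped access ------------------------------------------------
interface Integration { id: string; orgId: string; name: string; secret: SealedSecret; }
interface Session { orgId: string; } // as derived server-side from a verified JWT

// Constructed sample store; record ids are predictable on purpose to show
// that guessing an id is not enough to cross a tenant boundary.
const store = new Map<string, Integration>();

function createIntegration(orgId: string, name: string, apiKey: string): string {
  const id = `int_${store.size + 1}`;
  store.set(id, { id, orgId, name, secret: sealCredential(apiKey) });
  return id;
}

// Ownership check on the document itself: a record from another organization
// yields null, indistinguishable from a record that does not exist.
function getIntegrationSecret(session: Session, id: string): string | null {
  const rec = store.get(id);
  if (!rec || rec.orgId !== session.orgId) return null;
  return openCredential(rec.secret);
}
```

The ownership check compares the stored `orgId` against the session's organization on every read rather than trusting that the caller only asks for its own ids, and the "not found" and "not yours" cases return the same value so that the response does not confirm whether a guessed id exists.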
The Controller provides general authorization for the Processor to engage Sub-processors. The Processor shall: (a) maintain an up-to-date list of Sub-processors, as set out in this DPA; (b) inform the Controller of any intended changes to the list of Sub-processors, giving the Controller the opportunity to object to such changes within 30 days; (c) impose data protection obligations on each Sub-processor by way of a contract that provides at least the same level of protection as this DPA; and (d) remain fully liable for the acts and omissions of its Sub-processors.
Where Personal Data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, the Processor shall ensure that appropriate safeguards are in place in accordance with Applicable Data Protection Law. These safeguards may include: (a) Standard Contractual Clauses adopted by the European Commission; (b) the EU-US Data Privacy Framework, the UK Extension, or the Swiss-US Data Privacy Framework, where applicable; or (c) any other valid transfer mechanism under Applicable Data Protection Law.
The Processor shall promptly inform the Controller if, in its opinion, a transfer instruction infringes Applicable Data Protection Law.
The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting the Controller's Personal Data. The notification shall include: (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned; (b) the name and contact details of the Processor's point of contact for further information; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach and mitigate its effects.
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests under Applicable Data Protection Law, including requests related to access, rectification, erasure, restriction of processing, data portability, and objection to processing. The Processor shall promptly inform the Controller if it receives a request from a Data Subject directly and shall not respond to such request unless instructed to do so by the Controller.
Upon termination or expiry of the agreement for the Service, the Processor shall, at the Controller's election, delete or return all Personal Data processed on behalf of the Controller, and delete existing copies unless Applicable Data Protection Law requires storage of the Personal Data. The Controller may request deletion or return of data at any time during the term of the agreement by contacting the Processor at hello@productbet.io.
Each party's total aggregate liability arising out of or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the agreement for the Service. Nothing in this DPA shall limit either party's liability for breaches of Applicable Data Protection Law to the extent that such limitation is not permitted by law.
This DPA shall be governed by and construed in accordance with the law that governs the agreement for the Service, unless otherwise required by Applicable Data Protection Law. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts specified in the agreement for the Service.
The following Sub-processors are authorized to process Personal Data on behalf of the Controller as of the date of this DPA.
If you need a countersigned DPA or have questions about data processing, contact us and we will respond promptly.
hello@productbet.io