Data Processing Agreement
GDPR Compliant Data Processing
This Data Processing Agreement incorporates the Standard Contractual Clauses (SCCs) approved by the European Commission for international data transfers. It ensures compliance with GDPR, CCPA, and other applicable data protection regulations.
Need a Signed Copy?
Enterprise customers can request a signed DPA with Standard Contractual Clauses.
Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written or electronic agreement between StartupVision ("Processor" or "we") and you ("Controller" or "Customer") for the use of our services (the "Principal Agreement").
This DPA applies to the extent that we process Personal Data on your behalf in connection with providing our services. This DPA is designed to ensure compliance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable privacy regulations.
By using our services, you agree to this DPA. If you are entering into this DPA on behalf of an organization, you represent that you have the authority to bind that organization.
Definitions
For the purposes of this DPA:
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by us on behalf of the Customer in connection with the services.
"Data Subject" means the individual to whom Personal Data relates.
"Processing" means any operation performed on Personal Data, including collection, storage, modification, retrieval, use, disclosure, and deletion.
"Controller" means the entity that determines the purposes and means of Processing Personal Data. In this context, the Customer is the Controller.
"Processor" means the entity that processes Personal Data on behalf of the Controller. StartupVision acts as the Processor.
"Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
"Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, CCPA, and any implementing legislation.
"Security Incident" means any unauthorized access to, or acquisition, use, or disclosure of Personal Data.
Scope and Purpose of Processing
Nature of Processing
We will process Personal Data only as necessary to provide the services described in the Principal Agreement, including:
- Providing AI-powered startup validation services
- Generating compliance documents
- Maintaining user accounts and authentication
- Processing payments and subscriptions
- Providing customer support
Types of Personal Data
Categories of Personal Data we may process include:
- Account information (name, email, company)
- Business data (startup ideas, validation inputs)
- Usage data (logs, analytics)
- Payment information (processed via Stripe)
Data Subjects
The Personal Data may relate to:
- Your employees and contractors
- Your customers and prospects
- Other individuals whose data you submit to our services
Duration of Processing
We will process Personal Data for the duration of the Principal Agreement and as described in our data retention policies.
Controller Obligations
As the Controller, you are responsible for:
Lawful Basis
- Ensuring you have a valid legal basis for processing Personal Data
- Obtaining necessary consents where required
- Providing appropriate notices to Data Subjects
Instructions
- Providing us with lawful processing instructions
- Ensuring instructions comply with Data Protection Laws
- Documenting processing instructions in writing
Data Accuracy
- Ensuring Personal Data is accurate and up to date
- Informing us of any corrections or updates
Data Subject Rights
- Handling Data Subject requests with our assistance
- Determining responses to Data Subject requests
Compliance
- Complying with all applicable Data Protection Laws
- Conducting data protection impact assessments when required
- Maintaining appropriate records of processing activities
Processor Obligations
As the Processor, StartupVision agrees to:
Processing Limitations
- Process Personal Data only on your documented instructions
- Not process Personal Data for our own purposes
- Inform you if we believe an instruction violates Data Protection Laws
Confidentiality
- Ensure personnel processing Personal Data are bound by confidentiality
- Limit access to Personal Data to authorized personnel only
Security
- Implement appropriate technical and organizational security measures
- Maintain measures described in our Security Policy
- Regularly test and evaluate security effectiveness
Sub-processing
- Not engage Sub-processors without your authorization
- Ensure Sub-processors are bound by equivalent data protection obligations
- Remain liable for Sub-processor compliance
Data Subject Rights
- Assist you in responding to Data Subject requests
- Provide necessary information and access
- Implement appropriate measures to facilitate requests
Deletion and Return
- Upon termination, delete or return Personal Data as you direct
- Provide certification of deletion upon request
- Retain data only as required by law
Sub-processors
Authorized Sub-processors
You authorize us to engage the following categories of Sub-processors:
- Cloud infrastructure providers (Google Cloud Platform)
- Payment processors (Stripe)
- AI service providers (Google Vertex AI)
- Email service providers (Postmark)
A current list of Sub-processors is available upon request.
New Sub-processors
- We will notify you before engaging new Sub-processors
- You may object to new Sub-processors within 14 days
- If we cannot address your objection, you may terminate affected services
Sub-processor Agreements
We ensure all Sub-processors are bound by:
- Written data processing agreements
- Equivalent data protection obligations
- Appropriate security measures
International Data Transfers
Transfer Mechanisms
For transfers of Personal Data outside the EEA, UK, or Switzerland, we rely on:
Standard Contractual Clauses (SCCs)
- EU Commission approved SCCs are incorporated by reference
- Module 2 (Controller to Processor) applies to this DPA
- You act as data exporter; we act as data importer
Supplementary Measures
We implement additional safeguards including:
- Encryption of data in transit and at rest
- Access controls and authentication
- Security monitoring and incident response
Transfer Impact Assessments
- We conduct assessments of data transfer risks
- We monitor legal developments affecting transfers
- We will notify you of any changes affecting transfer validity
Alternative Mechanisms
Where applicable, we may also rely on:
- Adequacy decisions by competent authorities
- Binding Corporate Rules
- Approved certifications or codes of conduct
Security Measures
We implement the following technical and organizational measures:
Technical Measures
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Access control and authentication systems
- Intrusion detection and prevention
- Regular vulnerability assessments
- Automated backup and recovery
Organizational Measures
- Information security policies and procedures
- Employee security training and awareness
- Background checks for personnel
- Incident response procedures
- Regular security audits
Ongoing Security
- Continuous monitoring and improvement
- Regular testing of security measures
- Updates to address new threats
- Compliance with industry standards
Full details are available in our Security Policy.
Personal Data Breaches
Notification
In the event of a Personal Data breach, we will:
- Notify you without undue delay (within 48 hours where feasible)
- Provide available information about the breach
- Continue to provide updates as more information becomes available
Breach Information
Our notification will include:
- Nature of the breach
- Categories and approximate number of affected Data Subjects
- Categories and approximate number of affected records
- Likely consequences of the breach
- Measures taken or proposed to address the breach
Assistance
We will:
- Assist you in meeting your breach notification obligations
- Take reasonable steps to mitigate the breach
- Preserve evidence for investigation
- Cooperate with supervisory authorities as required
Documentation
We maintain records of all Personal Data breaches, including:
- Facts relating to the breach
- Effects of the breach
- Remedial action taken
Audit Rights
Information Access
Upon request, we will provide you with:
- Information necessary to demonstrate compliance with this DPA
- Copies of relevant security certifications and audit reports
- Responses to security questionnaires
Audit Procedures
You may conduct audits of our processing activities:
- With reasonable advance notice (minimum 30 days)
- During normal business hours
- At your expense
- Subject to appropriate confidentiality obligations
Third-Party Audits
You may use a qualified third-party auditor:
- Subject to our approval (not unreasonably withheld)
- Bound by confidentiality obligations
- Following our security and access procedures
Audit Reports
We will make available:
- SOC 2 Type II reports (when available)
- ISO 27001 certification (when obtained)
- Penetration testing summaries (redacted)
Liability
Liability Allocation
Each party's liability under this DPA is subject to the limitations set forth in the Principal Agreement.
Indemnification
We will indemnify you for damages arising from:
- Our breach of this DPA
- Our violation of Data Protection Laws
- Our Sub-processors' non-compliance
You will indemnify us for damages arising from:
- Your breach of this DPA
- Processing instructions that violate Data Protection Laws
- Your violation of your Controller obligations
Limitation
Neither party's liability for data protection breaches is limited where such limitation is prohibited by law.
Term and Termination
Term
This DPA commences when you agree to it and continues until the Principal Agreement terminates.
Effect of Termination
Upon termination:
- We will stop processing Personal Data except as required by law
- We will delete or return Personal Data per your instructions
- Deletion will occur within 90 days unless legal retention is required
- We will certify deletion upon request
Survival
The following provisions survive termination:
- Confidentiality obligations
- Sections relating to data deletion
- Audit rights for a reasonable period
- Any accrued rights or obligations
General Provisions
Governing Law
This DPA is governed by the laws specified in the Principal Agreement, except where Data Protection Laws require otherwise.
Conflicts
In case of conflict between this DPA and the Principal Agreement, this DPA prevails regarding data protection matters.
Amendments
We may update this DPA to:
- Comply with changes in Data Protection Laws
- Address new regulatory guidance
- Improve our data protection practices
Material changes will be notified to you in advance.
Severability
If any provision is found unenforceable, the remaining provisions continue in effect.
Entire Agreement
This DPA, together with the Principal Agreement, constitutes the complete agreement regarding data processing.
Contact Information
For questions about this Data Processing Agreement or to exercise your rights:
Data Protection Inquiries
Email: dpo@startupvision.ai
Legal Inquiries
Email: legal@startupvision.ai
Mail: StartupVision
Attn: Data Protection Officer
[Address to be added]
To request a signed copy of this DPA with the Standard Contractual Clauses, please contact legal@startupvision.ai.