my.proposal Back to home

Data Processing Agreement

This page summarises the obligations My Proposal, Inc. ("Processor") undertakes when processing personal data on behalf of customers ("Controller") under GDPR Article 28. Enterprise customers can request the full signed DPA below.

Subject matter and purpose

The Processor processes personal data on behalf of the Controller solely to provide the My Proposal platform services as described in the Terms of Service. Processing includes storing, retrieving, and transmitting proposal content, client personal data, and engagement analytics.

Nature of processing

Storage, retrieval, transmission, deletion, and display of personal data via the My Proposal web application and associated APIs.

Types of personal data

Name, email address, IP address, device identifiers, proposal content (which may include the personal data of the Controller's end clients), electronic signature data, and payment-related identifiers.

Categories of data subjects

Employees, contractors, and clients of the Controller who interact with the My Proposal platform.

Duration

For the duration of the Controller's subscription. Personal data is deleted within 90 days of account closure, subject to legal retention requirements.

Processor obligations

The Processor shall: (a) process personal data only on documented instructions from the Controller; (b) ensure that persons authorised to process the data are bound by confidentiality; (c) implement appropriate technical and organisational security measures (see Security page); (d) assist the Controller in responding to data subject rights requests; (e) delete or return all personal data upon termination of services; (f) make available all information necessary to demonstrate compliance with Article 28.

Sub-processors

The Processor uses the following authorised sub-processors: Supabase (database and storage infrastructure), Vercel (application hosting), Resend (transactional email), Green Invoice / Morning API (payment processing). The Processor will notify the Controller of any intended changes to sub-processors with reasonable notice.

International transfers

Data is processed in the US and EU. All international transfers rely on Standard Contractual Clauses (SCCs) issued by the European Commission or other approved adequacy mechanisms.

Request the full signed DPA

Enterprise and Agency plan customers can request a fully executed Data Processing Agreement signed by My Proposal, Inc. Email us with your company name and jurisdiction and we'll turn it around within 2 business days.

Request DPA → privacy@myproposal.app