Data Processing Agreement
Last updated: March 6, 2026
1. Definitions
This Data Processing Agreement ("DPA") forms part of the Master Subscription Agreement ("Agreement") between ProcureLabs Pte. Ltd. ("Processor") and the entity subscribing to ProcureLabs services ("Controller"). Terms not defined herein shall have the meanings set forth in the Agreement or in Regulation (EU) 2016/679 ("GDPR").
- Personal Data means any information relating to an identified or identifiable natural person processed under this DPA.
- Processing means any operation performed on Personal Data, including collection, storage, alteration, retrieval, use, disclosure, and erasure.
- Sub-processor means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope and Purpose of Processing
The Processor shall process Personal Data solely for the purpose of providing the ProcureLabs procurement intelligence platform services as described in the Agreement. Categories of data subjects include Controller's employees, consultants, and authorized users. Categories of Personal Data include names, email addresses, job titles, organizational roles, IP addresses, and usage analytics.
3. Processor Obligations (GDPR Article 28)
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
- Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption at rest (AES-256) and in transit (TLS 1.2+), access controls with MFA enforcement, and regular security assessments.
- Not engage another processor without prior specific or general written authorization of the Controller. Where general authorization is given, the Processor shall inform the Controller of intended changes with 30 days' notice.
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, and objection).
- Assist the Controller in ensuring compliance with security, breach notification, and data protection impact assessment obligations.
- At the Controller's choice, delete or return all Personal Data upon termination of services, and delete existing copies unless retention is required by applicable law.
- Make available to the Controller all information necessary to demonstrate compliance and allow for and contribute to audits.
4. Sub-processors
The Controller grants general authorization for the Processor to engage sub-processors listed below. The Processor shall notify the Controller at least 30 days before adding or replacing sub-processors.
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting and infrastructure | US / EU (configurable) |
| Supabase Inc. | Database and authentication | US |
| Stripe Inc. | Payment processing | US |
| Anthropic PBC | AI language model processing | US |
| OpenAI Inc. | AI language model processing | US |
| Sentry Inc. | Error monitoring | US |
| Resend Inc. | Transactional email delivery | US |
Current as of the date above. See /subprocessors for the live list.
5. International Data Transfers
Where Personal Data is transferred outside the European Economic Area, the Processor shall ensure adequate safeguards are in place, including: (a) EU Standard Contractual Clauses (Module 2: Controller to Processor) as approved by Commission Implementing Decision (EU) 2021/914; (b) binding corporate rules where applicable; or (c) transfers to countries with an adequacy decision by the European Commission.
6. Data Breach Notification
The Processor shall notify the Controller without undue delay and in any event within 72 hours after becoming aware of a Personal Data breach. Notification shall include: (a) the nature of the breach including approximate number of data subjects affected; (b) the likely consequences of the breach; (c) measures taken or proposed to address the breach; (d) contact information for the Processor's data protection point of contact.
7. Security Measures
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Multi-factor authentication enforcement for all users
- Row-level security with tenant isolation on all database tables
- Automated vulnerability scanning (Trivy, CodeQL, npm audit, Gitleaks) daily
- SOC 2 Type II aligned controls
- Session timeout enforcement (30 minutes of inactivity)
- CSRF protection with per-request tokens
- Content Security Policy with per-request nonces
- Rate limiting with distributed Redis enforcement
- 90-day data retention policies with automated cleanup
8. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests within 30 calendar days. The platform provides self-service data export, account deletion (via offboarding workflow), and access review capabilities.
9. Audit Rights
The Controller may audit the Processor's compliance with this DPA no more than once per calendar year, with 30 days' written notice. The Processor shall make available relevant compliance reports, certifications, and third-party audit summaries. Remote audits are preferred; on-site audits shall be conducted at the Controller's expense.
10. Term and Termination
This DPA shall remain in effect for the duration of the Agreement. Upon termination, the Processor shall, at the Controller's election, return or delete all Personal Data within 30 days. Certification of deletion shall be provided upon request.
Request a Signed DPA
Enterprise customers can request a countersigned DPA by contacting support@procure-labs.com. We typically return signed DPAs within 2 business days.