Data Processing Agreement
Last updated: June 2026
This Data Processing Agreement (“DPA”) forms part of the Master Subscription and Services Agreement (the “Agreement”) between Proofmap, LLC, a Texas limited liability company (“Proofmap”), and the client identified in the applicable Order Document (“Client”). This DPA is maintained at https://proofmap.com/dpa/ and is incorporated by reference into the Agreement.
1. Scope
This DPA applies to the extent performance of the Services requires Proofmap to process Personal Data on behalf of Client, and governs the use and protection of such Personal Data to ensure compliance with applicable privacy and data protection laws (“Data Protection Laws”), including the General Data Protection Regulation (“GDPR”) where applicable.
This DPA governs Personal Data only. Obligations relating to the export, return, and confidentiality of Client Data generally are governed by the Agreement, not this DPA.
Capitalized terms used but not defined in this DPA have the meanings given in the Agreement, including “Services,” “Order Document,” “Proofmap Platform,” “Proofbase,” “Contributor,” “Client Data,” and “Personal Data.” The terms “controller,” “processor,” “processing,” “data subject,” and “personal data breach” have the meanings given in applicable Data Protection Laws, and equivalent terms (such as “business,” “service provider,” and “personal information”) are read as the same.
2. Roles
For Personal Data processed in the performance of the Services, Client is the controller and Proofmap is the processor. Proofmap will process such Personal Data only on Client’s documented instructions — consisting of the Agreement, this DPA, the applicable Order Document, and Client’s configuration and use of the Proofmap Platform — unless required to do otherwise by applicable law.
Proofmap separately processes limited personal data for its own purposes as an independent controller — such as business contact details of Client personnel used for account management and billing, authentication details, service logs, and security and usage data needed to provide, manage, secure, and improve the Services. That processing is governed by the Proofmap Privacy Policy, not this DPA.
Client is responsible for the lawfulness of Personal Data made available to Proofmap, including providing any legally required notices to, and obtaining any legally required permissions from, Contributors and other data subjects before their Personal Data is captured or processed through the Services.
3. Description of Processing
Nature and purpose. Proofmap captures interviews and recordings of Contributors, transcribes them, extracts quotes and themes, and structures the results into the Proofbase within the Proofmap Platform — the system used to deliver the Services. Proofmap operates a Contributor approval workflow, in which each approval record may include the Contributor’s name, a timestamp, IP address, user agent, an immutable snapshot of the approved content, and an archived PDF. Proofmap also hosts, stores, and delivers recordings and approved content as part of the Services.
Categories of data subjects. Contributors — individuals associated with Client (such as Client’s customers, partners, or personnel) who participate in interviews or recordings — and Client personnel and other authorized users of the Services.
Categories of Personal Data. Identification and contact data (such as name, email address, job title, and organization); audio and video recordings of Contributors, including voice and likeness; transcripts and content derived from recordings, including quotes and attributions; approval records as described above; and related scheduling and communications data.
Duration. Processing continues for the duration of the Agreement and thereafter only as described in Section 8 (Return and Deletion).
4. Proofmap Obligations
Proofmap will: (a) ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations and receive appropriate privacy training; (b) implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including encryption of Personal Data in transit and at rest, role-based access controls, and logical separation of each client’s data; (c) assist Client, taking into account the nature of the processing and the information available to Proofmap, in meeting Client’s obligations under Data Protection Laws, including with respect to data subject requests, security, and breach notification; and (d) upon Client’s reasonable written request, make available information reasonably necessary to demonstrate compliance with this DPA.
AI capabilities. The Services include AI-assisted capabilities that operate on Client’s data to generate outputs for Client. Consistent with the Agreement, Client Data, including Personal Data, is not used to train general-purpose AI models and is not shared with or accessible to Proofmap’s other clients. Proofmap may use anonymized, de-identified usage data — stripped of personal identifiers and Client names — to improve the Proofmap Platform and Services.
5. Subprocessors
Client authorizes Proofmap to engage third-party subprocessors to assist in providing the Services. Proofmap’s current subprocessors are listed in the Subprocessor List below, which forms part of this DPA. Proofmap will keep the Subprocessor List up to date at this URL and will notify Client of material changes — including the addition or replacement of a subprocessor that will process Personal Data — by email to Client’s designated contact at least ten (10) business days before the new subprocessor begins processing Personal Data. If Client has a reasonable, good-faith objection to a new subprocessor on data protection grounds, the parties will work together to address it; if it cannot reasonably be resolved, Client may terminate the affected Services in accordance with the Agreement.
Proofmap will impose on each subprocessor data protection obligations materially no less protective of Personal Data than those in this DPA, to the extent applicable to the services the subprocessor provides, and remains responsible for its subprocessors’ performance of those obligations.
6. Data Subject Requests
If Proofmap receives a request from a data subject (including a Contributor) to exercise rights under Data Protection Laws regarding Personal Data processed on behalf of Client, Proofmap will promptly forward the request to Client and will not respond directly except to acknowledge receipt and direct the data subject to Client, unless otherwise instructed by Client or required by law.
7. Personal Data Breach
Proofmap will notify Client without undue delay after becoming aware of a personal data breach affecting Personal Data processed on behalf of Client, will provide information reasonably available to Proofmap about the breach, and will reasonably cooperate with Client’s investigation and any legally required notifications.
8. Return and Deletion
During the term of the Agreement and for the thirty (30) day export window following termination or expiration described in the Agreement, Client may export Client Data, including Personal Data, using the export and self-serve media download capabilities of the Proofmap Platform. Following the export window, Proofmap will delete Personal Data processed on behalf of Client, except to the extent retention is required by applicable law or Proofmap retains Contributor approval records as reasonably necessary to evidence Contributor approvals. Retained Personal Data remains subject to this DPA for as long as it is retained.
9. International Transfers
Proofmap is established in the United States, and Personal Data is processed in the United States and in the locations identified in the Subprocessor List. To the extent Personal Data subject to the GDPR, UK GDPR, or Swiss FADP is transferred to a country not recognized as providing adequate protection, the parties agree that the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (Controller-to-Processor), are deemed incorporated into this DPA, with Client as data exporter, Proofmap as data importer, and the annexes completed by the information in this DPA, including Section 3 and the Subprocessor List; for transfers from the UK, as modified by the UK International Data Transfer Addendum; and for transfers from Switzerland, with the modifications required under the FADP.
10. U.S. State Privacy Laws
Where the California Consumer Privacy Act, as amended (“CCPA”), applies, Proofmap acts as a “service provider,” processes Personal Data only for the limited and specified business purposes described in this DPA and the Agreement, and will not sell or share such Personal Data, retain, use, or disclose it for any other purpose, or combine it with personal information from other sources, except as permitted by the CCPA. Where other applicable U.S. state privacy laws apply, Proofmap will comply with its obligations as a “processor” under those laws.
11. General
Proofmap may update this DPA from time to time to reflect changes in Data Protection Laws, the Services, or subprocessors, provided that updates do not materially diminish the protection of Personal Data; the version posted at this URL governs. Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. This DPA takes effect by incorporation into the Agreement and does not require separate signature; at Client’s reasonable request, the parties will execute a copy of this DPA.
Questions about this DPA or the Subprocessor List may be directed to privacy@proofmap.com.
Subprocessor List
Last updated: June 2026
| Subprocessor | Purpose | Location |
|---|---|---|
| Platform Infrastructure | | |
| Google Cloud | Cloud hosting and infrastructure for the Proofmap Platform. | United States |
| Supabase | Backend database storage, authentication, and real-time data services (hosted on AWS). | United States |
| Vercel | Hosting and content delivery for the Proofmap web application. | United States |
| AI & Transcription | | |
| Google (Gemini) | AI processing of interview transcripts, including extraction of quotes and themes; not used to train general-purpose AI models on Client Data. | United States |
| Anthropic | AI processing in connection with Client activity and workflows on the Proofmap Platform, including generation of outputs grounded in Client’s data; not used to train general-purpose AI models on Client Data. | United States |
| AssemblyAI | Transcription of interview audio and video. | United States |
| Interview Capture & Media | | |
| Calendly | Scheduling of Contributor interviews and meetings. | United States |
| Riverside.fm | Remote video and audio recording of Contributor interviews. | United States; Israel |
| Descript | Transcription, audio/video editing, and content refinement of recordings. | United States |
| Adobe | Video editing and creative asset production involving recordings. | United States |
| Vimeo | Hosting, storage, and playback delivery of video content. | United States |
| Mux | Video streaming infrastructure: hosting, storage, and playback delivery of video content. | United States |
| Business Operations | | |
| Google Workspace | Email, document storage, and collaboration in connection with delivering the Services. | United States |
| Attio | Customer relationship management of Contributor and Client contact records used to deliver the Services. | United Kingdom; United States |
| SignNow | Electronic signature processing for service agreements and Contributor documentation. | United States |
| Slack | Team communication and notification handling in connection with delivering the Services. | United States |
| Canva | Creation and storage of visual assets and documents. | Australia; United States |
| QuickBooks (Intuit) | Billing, invoicing, and financial records. | United States |
| Stripe | Payment processing. | United States |