Data Processing Agreement

1. Definitions

Terms used in this DPA have the meanings assigned to them in the GDPR. “Customer Data” means any Personal Data that Customer transmits to, uploads through, or generates in the BarZero platform. “Subprocessor” means any third party engaged by BarZero to process Customer Data.

2. Roles of the Parties

For the purposes of this DPA, Customer is the Controller (or Processor acting on behalf of its own Controllers, in which case BarZero is a Subprocessor), and BarZero is the Processor of Customer Data. Each party shall comply with its respective obligations under applicable Data Protection Laws.

3. Scope and Purpose of Processing

BarZero will Process Customer Data solely for the purpose of providing the Services as described in the Terms of Service and documented Customer instructions. BarZero will not Process Customer Data for any other purpose, and specifically will not use Customer Data to train any machine-learning model.

4. Data Minimization by Architecture

BarZero operates a zero-knowledge, zero-retention architecture. Customer Data submitted to the Services is:

• Encrypted client-side via AES-256-GCM before transmission
• Decrypted only in ephemeral, volatile-memory compute environments
• Cryptographically destroyed at the end of each session
• Never written to persistent storage on BarZero-controlled infrastructure

The batch folder review feature — where Customer points the Services at a folder of contracts and each is reviewed against a single playbook — runs entirely on the Controller's device in the mode shipped in this release (“tab-open” mode). File bytes are read by the browser via the File System Access API, extracted to text locally, and sent through the same ephemeral inference path described above. No batch metadata or contract text is written to BarZero-controlled persistent storage under tab-open mode. A future optional “background” mode will be disclosed here prior to its availability to Customer, with corresponding updates to the Subprocessor schedule and transfer analysis.

5. Subprocessors

Customer grants BarZero general authorization to engage Subprocessors. Current Subprocessors include:

• Anthropic PBC — AI inference provider, operating under a Zero Data Retention agreement
• Fly.io — ephemeral compute infrastructure for per-session containers
• Cloudflare — edge network, WAF, and DDoS protection
• Supabase — authentication metadata and billing only (no Customer Data)
• Stripe — payment processing (no Customer Data)
• Upstash (QStash) — message queue for background-mode batch review; the queue transports Customer Data briefly in transit to the BarZero worker and does not retain message bodies after delivery acknowledgement. Only invoked when Customer explicitly opts into background-mode batches.
• Google LLC / Microsoft Corporation — Drive and OneDrive / SharePoint are sub-processors of Customer Data only when Customer elects to connect those drives as a batch source. Customer remains the controller of its tenant; BarZero accesses only the files Customer explicitly selects via the provider's file picker at the OAuth scope granted (drive.file for Google — per-file access limited to pick-time consent; Files.Read.All offline_access for Microsoft). Customer-supplied webhook endpoints (for result delivery) are not BarZero subprocessors — they are Customer-controlled receivers.

BarZero will notify Customer of the addition or replacement of any Subprocessor at least 30 days in advance and will give Customer a right to object on reasonable data-protection grounds.

6. Security Measures

BarZero maintains technical and organizational measures appropriate to the risk, including end-to-end encryption, hardware-rooted key management, ephemeral compute environments, continuous vulnerability monitoring, principle-of-least-privilege access controls, and annual third-party penetration testing. Our full measures are described in the Security Whitepaper.

7. Data Subject Rights

BarZero will provide reasonable assistance to Customer in responding to requests from data subjects to exercise rights under the GDPR (access, rectification, erasure, portability, objection, restriction). Because BarZero holds no Customer Data in persistent storage, most such requests can be fulfilled directly by Customer without BarZero involvement.

8. International Transfers

Where BarZero transfers Customer Data outside the EEA or UK, the transfer is governed by the European Commission Standard Contractual Clauses (Module Two: Controller-to-Processor) and the UK International Data Transfer Addendum, both of which are incorporated into this DPA by reference.

9. Breach Notification

BarZero will notify Customer without undue delay, and in no event later than 48 hours, after becoming aware of a Personal Data Breach affecting Customer Data, and will provide Customer with all information reasonably required to meet its own notification obligations under applicable law.

10. Deletion and Return of Customer Data

By default, BarZero holds no persistent Customer Data. Upon termination of the Services, BarZero will delete any residual Customer Data within its control (such as encrypted backups held by Customer through the optional E2EE Sync feature) within 30 days of termination.

11. Audits

Customer may audit BarZero's compliance with this DPA once per calendar year, upon at least 30 days written notice, during regular business hours, and subject to reasonable confidentiality obligations. BarZero will also make available its most recent SOC 2 Type II report on request.

12. Execution

This DPA is incorporated into and forms part of the Terms of Service. Customer may sign a countersigned copy by contacting our privacy team. No signature is required for the DPA to take effect — it applies automatically to all Customers using the Services.