Template · v1.0 · May 2026

Data Processing Addendum.

PARIE's standard DPA. Aligned with GDPR (EU + UK), CCPA / CPRA (California), and the Schrems-II requirements for transfers out of the EEA. Includes the EU Standard Contractual Clauses (SCCs) Module 2 (controller → processor) by reference.

This is a template, not a signed contract. Customer-specific fields are blank. To execute, contact hello@parie.io with subject DPA_REQUEST — PARIE returns a pre-signed copy. The DPA is incorporated by reference into the Master Subscription Agreement (parie.io/msa) and the published Terms of Service (parie.io/terms).

For EU/UK customers: The EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) Module 2 — controller to processor — and the UK International Data Transfer Addendum (IDTA) are incorporated by reference into this DPA. Annexes I, II, and III of the SCCs are populated by the Exhibits in this document. PARIE acts as data importer; Customer acts as data exporter.

1. Parties & effective date
2. Definitions
3. Scope & relationship of the parties
4. Processing of personal data
5. Security of processing
6. Sub-processors
7. Data subject rights
8. Personal data breach notification
9. International transfers (SCCs)
10. Audits & compliance reviews
11. CCPA / CPRA — California specifics
12. Term, deletion & return
13. General provisions
Signatures
Exhibit A — Description of processing
Exhibit B — Technical & organizational measures
Exhibit C — Sub-processors

1. Parties & effective date.

This Data Processing Addendum ("DPA") is entered into between:

Customer: ___________________________ ("Customer" or "Controller"), with offices at ___________________________; and
PARIE: PARIE, McKinney, Texas, USA ("PARIE" or "Processor"). Authorized signatory and full registered address provided on the executed copy.

This DPA takes effect on the Effective Date of the Master Subscription Agreement or, if none is in place, on the latest signature date below. It is incorporated by reference into the MSA and any Order Form.

2. Definitions.

Capitalized terms not defined here have the meaning given in the GDPR or, where the term is not defined in the GDPR, in the CCPA. Key terms:

GDPR	Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. References to "GDPR" include the UK GDPR as retained in the UK Data Protection Act 2018.
CCPA	The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (CPRA), and its implementing regulations.
Personal Data	Any "personal data" (GDPR) or "personal information" (CCPA) included in Customer Data that is processed by PARIE on behalf of Customer under the MSA.
Data Subject	The identified or identifiable natural person to whom Personal Data relates.
Personal Data Breach	A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, as defined in GDPR Art. 4(12).
Sub-processor	Any third party engaged by PARIE to process Personal Data on behalf of Customer.
SCCs	The Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module 2 (controller-to-processor), as supplemented by the UK Information Commissioner's International Data Transfer Addendum where applicable.

3. Scope & relationship of the parties.

Customer is the Controller of Personal Data and PARIE is the Processor. PARIE processes Personal Data only on documented instructions from Customer. The MSA, Order Form, this DPA, and any in-product configuration set by Customer's authorized administrators together constitute Customer's documented instructions to PARIE.

If PARIE believes an instruction violates the GDPR or other applicable data protection law, PARIE will inform Customer in writing without undue delay. PARIE has no obligation to assess whether instructions violate non-EU laws other than where it is the data importer in an SCC transfer.

4. Processing of personal data.

The subject matter, duration, nature and purpose of processing, the categories of Personal Data, and the categories of Data Subjects are set out in Exhibit A.

PARIE shall:

Process Personal Data only for the purposes set out in Exhibit A and only on documented instructions from Customer;
Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations;
Implement and maintain the technical and organizational measures set out in Exhibit B, designed to ensure a level of security appropriate to the risk;
Engage Sub-processors only in accordance with §6;
Assist Customer, taking into account the nature of the processing and the information available to PARIE, in fulfilling Customer's obligations under GDPR Articles 32–36 (security, breach notification, DPIAs, prior consultation);
At Customer's choice, return or delete Personal Data at the end of the provision of services, in accordance with §12;
Make available to Customer all information necessary to demonstrate compliance with this DPA and contribute to audits per §10.

PARIE shall not (a) sell, share (as defined under CCPA), or disclose Personal Data outside the direct business relationship between PARIE and Customer; (b) retain, use, or disclose Personal Data outside the purposes specified in Exhibit A or for any "commercial purpose" other than performing the Service; or (c) combine Personal Data received from Customer with personal information received from another source, except as expressly authorized by Customer.

5. Security of processing.

PARIE has implemented and maintains appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The current measures are described in Exhibit B and the Trust Dossier at parie.io/dossier, which PARIE may update from time to time provided that the updated measures provide a level of protection at least equivalent to the level described in Exhibit B as of the Effective Date.

6. Sub-processors.

Customer provides general written authorization for PARIE to engage Sub-processors, subject to the requirements of this section.

The current list of Sub-processors is in Exhibit C and at parie.io/subprocessors. PARIE will inform Customer at least 30 days in advance of any intended changes concerning the addition or replacement of Sub-processors. Customer may object on reasonable grounds; if PARIE cannot reasonably accommodate the objection, Customer may terminate the affected Order Form for convenience without penalty (refund prorated for the unused portion of the Subscription Term).

PARIE shall:

Impose on each Sub-processor data-protection obligations at least as protective as those in this DPA, by way of a written contract;
Remain liable to Customer for the performance of each Sub-processor's data-protection obligations, as if PARIE were performing them directly.

7. Data subject rights.

Taking into account the nature of the processing, PARIE shall assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligation to respond to requests for exercising Data Subject rights under GDPR Chapter III and CCPA §§1798.100–1798.130 (rights to access, rectification, erasure, restriction of processing, data portability, and to object).

If a request from a Data Subject is made directly to PARIE, PARIE will, without undue delay and within 5 business days, refer the Data Subject to Customer or forward the request to Customer for handling. PARIE will not respond to such requests directly except (a) on Customer's documented instructions, or (b) where Required by Law.

The administrative tools in PARIE's admin portals enable Customer to access, correct, export, and delete Personal Data without PARIE's involvement, in most cases. Where Customer requires PARIE's assistance, PARIE will provide it within 30 days of a written request, free of charge for reasonable requests in connection with valid Data Subject rights.

8. Personal data breach notification.

PARIE shall notify Customer of a confirmed Personal Data Breach without undue delay and in any case within 72 hours after becoming aware of it. The notification will include, to the extent known at the time:

The nature of the breach, including (where possible) the categories and approximate number of Data Subjects and Personal Data records concerned;
The likely consequences of the breach;
The measures taken or proposed to address the breach, including measures to mitigate possible adverse effects;
A point of contact at PARIE for further information.

Customer is responsible for any notifications required to supervisory authorities (under GDPR Art. 33) and to Data Subjects (under GDPR Art. 34). PARIE will reasonably cooperate with such notifications, including by providing the information described above and by making personnel available to answer questions.

PARIE will not characterize the existence of a breach in marketing materials or public statements without Customer's prior written consent, except as Required by Law.

9. International transfers (SCCs).

To the extent that PARIE's processing of Personal Data on behalf of Customer involves the transfer of Personal Data from the European Economic Area (EEA), Switzerland, or the United Kingdom to a country not subject to an EU adequacy decision (a "Restricted Transfer"), the parties incorporate the SCCs (Module 2: controller-to-processor) into this DPA by reference. Customer acts as data exporter and PARIE acts as data importer.

The SCCs apply on the following basis:

Clause 7 (docking clause): the optional clause is included.
Clause 9 (sub-processors): Option 2, general written authorization, with at least 30 days' notice for changes (see §6 above).
Clause 11(a) (redress): the optional independent dispute resolution body is not selected; Data Subjects may bring complaints to the supervisory authority of their habitual residence.
Clause 17 (governing law): the laws of Ireland.
Clause 18(b) (forum): the courts of Ireland.
Annex I.A (parties): as listed in §1 above.
Annex I.B (description of transfer): as set out in Exhibit A.
Annex I.C (competent supervisory authority): the Irish Data Protection Commission.
Annex II (technical and organizational measures): as set out in Exhibit B.
Annex III (sub-processors): as set out in Exhibit C.

UK transfers. Where Restricted Transfers originate from the United Kingdom, the UK International Data Transfer Addendum to the SCCs (issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018) is incorporated and modifies the SCCs as required to reflect UK law.

Schrems-II supplementary measures. PARIE represents that, to the best of its knowledge, the laws and practices of the United States that apply to PARIE's processing of Personal Data — in particular FISA §702 and Executive Order 12333 — do not prevent PARIE from fulfilling its obligations under the SCCs in respect of the categories of Personal Data described in Exhibit A, taking into account the supplementary measures described in Exhibit B (encryption in transit and at rest, multi-tenant rule-layer isolation, no retention of prompts at the sub-processor level per Anthropic's API terms, and Customer's right to use Customer-managed encryption keys for Enterprise tier).

10. Audits & compliance reviews.

PARIE will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and the GDPR (including completed industry questionnaires such as the CAIQ).

Customer may exercise audit rights under GDPR Art. 28(3)(h) not more than once per year, and only on at least 30 days' written notice. Customer's first request to satisfy audit rights shall be addressed by PARIE providing one or more of the following:

The current Trust Dossier (parie.io/dossier);
The most recent SOC 2 report (when available — currently roadmap, target Q4 2026);
The executive summary of the most recent third-party penetration test (under NDA);
Written responses to Customer's reasonable security and privacy questionnaire.

If, after reviewing the above, Customer reasonably believes additional information is necessary to demonstrate compliance, an on-site or remote audit may be conducted at Customer's expense, during normal business hours, with reasonable steps to avoid disruption of PARIE's operations and to protect the confidentiality of other customers' data. Customer may use a qualified third-party auditor that is not a competitor of PARIE.

11. CCPA / CPRA — California specifics.

The parties acknowledge that, with respect to Personal Information of California residents:

Customer is the "Business" and PARIE is a "Service Provider" / "Contractor" within the meaning of the CCPA;
Customer is disclosing Personal Information to PARIE only for the limited and specified Business Purpose of providing the Service;
PARIE is prohibited from (a) "selling" or "sharing" (as defined in the CCPA) Personal Information; (b) retaining, using, or disclosing Personal Information for any purpose other than the Business Purpose; (c) retaining, using, or disclosing Personal Information outside the direct business relationship with Customer; and (d) combining Personal Information received from or on behalf of Customer with Personal Information received from any other source, except as expressly permitted by the CCPA;
PARIE certifies that it understands the restrictions in this section and will comply with them, and will pass them through in writing to any Sub-processor that processes California Personal Information.

Customer has the right, on reasonable notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Information by PARIE.

12. Term, deletion & return.

This DPA continues for as long as PARIE processes Personal Data on behalf of Customer under the MSA.

Deletion or return. On termination of the MSA, and at Customer's choice expressed in writing within 30 days of termination, PARIE will either return Personal Data to Customer in a commercially reasonable format or delete Personal Data and certify the deletion in writing, except to the extent that Union or Member State law (or U.S. law for Customers in the U.S.) requires retention of the Personal Data, in which case PARIE will continue to apply the protections of this DPA to that retained data and limit further processing to the purposes that require retention.

The 30-day Customer-data export window in MSA §16 satisfies this section's return obligation. After the 30-day window, PARIE may delete Customer Data, including the Personal Data within it, except as described above.

13. General provisions.

Order of precedence. In case of conflict between this DPA and the MSA, this DPA prevails for matters of data protection. The SCCs prevail over both for transfers in scope of the SCCs.
Liability. Each party's liability under this DPA is subject to the limitations of liability in the MSA, except where applicable data protection law prohibits such limitation (including for fines under GDPR Art. 82(2) and similar provisions).
Modification. The parties may amend this DPA from time to time as necessary to comply with applicable data protection law. Where SCC versions are updated by the European Commission, the parties shall execute a successor version within 90 days of its publication.
Severability. If any provision is unenforceable, the remainder remains in effect.
Counterparts & electronic signatures. This DPA may be executed in counterparts, including PDF and electronic signatures, each an original.

Signatures.

Customer (Controller / Data Exporter)

Entity name

Authorized signatory

Title

Date

Signature

PARIE (Processor / Data Importer)

Entity name

PARIE

Authorized signatory

Title

Date

Signature

Exhibit A — Description of processing.

Subject matter of processing	Provision of the PARIE software-as-a-service platform to Customer's Authorized Users.
Duration of processing	The Subscription Term as set forth in the applicable Order Form, plus any retention period required by §12.
Nature of processing	Hosting, storage, retrieval, transmission, and AI-augmented retrieval of Customer Data, including knowledge-base documents, end-user prompts, and audit logs.
Purpose of processing	Delivery of the Service: in-app guidance, training, and AI-grounded answers to end users; multi-tenant administration; usage metering; security and audit.
Categories of Data Subjects	Customer's employees, contractors, and other Authorized Users of the Service; individuals identified or referenced in knowledge-base documents that Customer chooses to upload.
Categories of Personal Data	Account data: name, email, role, tenant identifier. Authentication data: tokens, hashed passwords. Usage data: prompts entered by Authorized Users (which may incidentally contain Personal Data), call counts, latency. Page-context data: visible UI labels of the active tab when the Chrome extension is invoked. Customer's chosen knowledge-base documents may also contain Personal Data depending on what Customer uploads.
Special categories of data	None unless Customer chooses to upload special-category data into the knowledge base. For Customers routing health data, the Business Associate Agreement at parie.io/baa additionally applies.
Frequency of transfer	Continuous, on a per-request basis throughout the Subscription Term.
Retention period	Account & KB data: lifetime of account + 30 days. Audit logs: indefinite (immutable). Usage logs: 13 months rolling. AI prompts at Anthropic: 0 days (no retention per Anthropic API terms).

Exhibit B — Technical & organizational measures.

The full technical and organizational measures, including the Schrems-II supplementary measures referenced in §9, are described in PARIE's Trust Dossier at parie.io/dossier. Summary as of the Effective Date:

Encryption. AES-256 at rest (Google Cloud default); TLS 1.2+ in transit; secrets in Google Secret Manager; Customer-Managed Keys (CMK) available on Enterprise tier.
Access control. Multi-factor authentication for administrative access; role-based access matrix; immutable audit log of privileged operations.
Multi-tenant isolation. Firestore Security Rules enforce tenant isolation at the storage layer; automated tests on every release validate isolation invariants.
Personnel. Confidentiality agreements with all personnel; security training on hire and annually thereafter.
Logging & monitoring. Append-only audit logs; Cloud Logging anomaly alerting; on-call escalation.
Backup & recovery. Daily Firestore backups to GCS; quarterly restore tests; documented DR runbook.
Incident response. 72-hour breach notification; written post-mortem within 14 days for multi-tenant incidents.
Data minimization. Chrome extension reads only visible UI labels — never form values, table rows, or customer records — and only when explicitly invoked by the user.
Vulnerability management. Dependabot dependency scanning; ESLint security rules; annual third-party penetration test (next: June 2026).
Vendor management. Sub-processor list maintained and updated 30 days in advance of changes; flow-down clauses in all sub-processor agreements.

Exhibit C — Sub-processors.

The current list of Sub-processors with location and purpose. Public source of truth: parie.io/subprocessors.

Sub-processor	Location	Purpose
Google LLC (Google Cloud / Firebase)	United States (default); EEA / UK / APAC available on request	Hosting, database, authentication, file storage, Cloud Functions
Anthropic PBC	United States	LLM inference (Claude API); no retention per API terms
Stripe, Inc.	United States	Subscription billing — billing metadata only; no card data on PARIE
Wildbit LLC (Postmark)	United States	Transactional email — system notifications and password resets
Namecheap, Inc.	United States	Domain registrar and DNS
GitHub, Inc. (Microsoft)	United States	Source code repository — PARIE source only, no Customer Data

Contents

1. Parties & effective date.

2. Definitions.

3. Scope & relationship of the parties.

4. Processing of personal data.

5. Security of processing.

6. Sub-processors.

7. Data subject rights.

8. Personal data breach notification.

9. International transfers (SCCs).

10. Audits & compliance reviews.

11. CCPA / CPRA — California specifics.

12. Term, deletion & return.

13. General provisions.

Signatures.

Customer (Controller / Data Exporter)

PARIE (Processor / Data Importer)

Exhibit A — Description of processing.

Exhibit B — Technical & organizational measures.

Exhibit C — Sub-processors.