Data Processing Addendum
DUEX is an early-stage product operated by Arvinder Singh from Toronto, Canada ("DUEX", "we", "us"). Contact: [email protected].
This DPA forms part of the pilot agreement between DUEX (the "Processor") and the customer signing the pilot (the "Controller"). It sets out the terms on which the Processor processes Personal Data on the Controller's behalf to deliver the DUEX service.
1. Roles
The Controller decides why and how Personal Data is processed. The Processor processes Personal Data only on the Controller's documented instructions, including the instructions set out in the pilot agreement, the Terms of Service, and this DPA.
2. What data is processed
- Categories of Personal Data: the sales deal context the Controller submits to DUEX — which may include names, business contact details, internal commercial notes, deal values, and any other personal data the Controller chooses to include.
- Categories of data subjects: the Controller's employees and authorized agents who use DUEX; named individuals in deal context (such as customer contacts, signers, or stakeholders); any other people whose personal data the Controller submits.
- Special-category data: not allowed. The Controller will not submit health, biometric, racial, political, religious, sexual-orientation, trade-union, or other special-category data to DUEX, unless the parties have agreed in writing that the pilot is configured for it. The Acceptable Use Policy has the full list.
- Purpose of processing: to run the review, produce decision records, secure and operate the service, and — during early pilot — debug and improve the review engine.
- Duration: for the duration of the pilot agreement, plus the retention periods set out in section 7.
3. Confidentiality and access
The Processor ensures that anyone authorized to process Personal Data is bound by confidentiality. Access to Controller Personal Data is limited to authorized DUEX personnel with a need to operate, secure, or support the pilot — currently the founder.
4. Security measures
The Processor maintains the technical and organizational measures described on the Security page and any pilot-specific addenda. These include: HTTPS/TLS in transit; AES-256 encryption at rest on the managed database; secrets stored outside source code; least-privilege access; operational event logging; periodic review of subprocessor security posture; and incident response.
5. Subprocessors
The Controller authorizes the Processor to engage the subprocessors listed at duex.app/subprocessors. The Processor will give the Controller at least 15 days' notice before adding a new subprocessor that would process the Controller's Personal Data; the Controller may object as set out in the Subprocessors page. The Processor stays responsible for its subprocessors' performance under this DPA.
6. International transfers
The Processor operates from Canada, and its subprocessors may process Personal Data in Canada, the United States, the European Economic Area, the United Kingdom, and other locations where they operate.
- For Personal Data of EU/EEA data subjects: the parties rely on (i) the European Commission's adequacy decision for Canada, which covers processing by commercial organizations subject to PIPEDA, where applicable, and (ii) the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), which are incorporated into this DPA by reference: Module 2 (Controller-to-Processor) for transfers from the Controller to the Processor that the adequacy decision does not cover, and Module 3 (Processor-to-Processor) for onward transfers by the Processor to subprocessors in jurisdictions without an adequacy decision.
- For Personal Data of UK data subjects: the UK International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner's Office (the "UK Addendum") is incorporated by reference and applies to the EU SCCs above.
- For Personal Data of Swiss data subjects: the EU SCCs apply with the adaptations for Swiss law required by the Federal Data Protection and Information Commissioner (FDPIC) under the Swiss Federal Act on Data Protection (FADP).
7. Retention and deletion
- Pilot data is retained in active DUEX systems during the pilot and deleted within 30 days after the pilot ends or within 30 days after the Controller's written request, whichever comes first, unless the parties have agreed otherwise in the pilot agreement, or retention is required by law, or for security, legal, or billing reasons.
- Operational and security logs are typically retained for up to 90 days, unless they are needed for an investigation.
- Copies of data may persist in encrypted backups or in provider logs until they expire under normal retention cycles. Earlier deletion is provided where it is technically feasible.
- On request, the Processor will certify deletion in writing.
8. Assistance with data subject rights and impact assessments
The Processor will, taking into account the nature of the processing and the information available, give the Controller reasonable assistance to:
- respond to data subject requests (access, rectification, erasure, restriction, portability, objection, withdrawal of consent);
- carry out data protection impact assessments and any prior consultations with supervisory authorities;
- meet the Controller's security, breach-notification, and other obligations under applicable data protection law.
9. Breach notification
If the Processor becomes aware of a Personal Data Breach affecting the Controller's data, the Processor will notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware. The notice will describe the nature of the breach, the categories and approximate volume of data and individuals affected, the likely consequences, and the measures taken or proposed.
10. Audits
The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, and will respond to reasonable written audit questions. On-site audits, if requested, will be coordinated to avoid disrupting the service and may be subject to confidentiality and reasonable cost-recovery terms agreed in the pilot agreement.
11. Return or deletion at end of contract
On termination of the pilot agreement, the Controller may choose to have the Processor return or delete all Controller Personal Data. The Processor will complete return or deletion within 30 days, subject to legal retention obligations and the backup-expiration timeline in section 7.
12. Sensitive data restriction
The Controller will not submit, and will not authorize anyone to submit, protected health information, payment card data, government IDs or classified information, children's data, biometric identifiers, or other regulated sensitive data to DUEX unless the parties have agreed in writing that the pilot is configured for it.
13. Liability
Liability under this DPA is subject to the limitations and exclusions in the Terms of Service and the pilot agreement.
14. Order of precedence
If a conflict arises between this DPA, the Terms of Service, and the signed pilot agreement, the signed pilot agreement controls; this DPA controls over the Terms of Service for matters concerning personal-data processing.
15. Changes
The Processor may update this DPA as DUEX grows. Material changes will be notified to active pilot customers before they take effect; the effective date at the top reflects the most recent revision.
16. Signatures
When a customer asks for a countersigned copy of this DPA for their records, both sides sign below. The Processor returns the countersigned PDF within one business day of the request.
For the Processor (DUEX)
Name: Arvinder Singh
Title: Founder, DUEX
Signature: __________________________
Date: __________________________
For the Controller (Customer)
Name: __________________________
Title: __________________________
Company: __________________________
Signature: __________________________
Date: __________________________
Contact
Questions or to request a countersigned copy: [email protected].