1. Roles and scope
Customer ("you") is the data controller. Mycontracts ("we") is the data processor. We process personal data on your behalf solely to provide the Mycontracts service per these terms and your documented instructions.
2. Categories of data and data subjects
- Categories of data: business identifiers, contact info, billing details, usage telemetry, AI-generated outputs.
- Categories of data subjects: your employees, your authorized users, contacts within your business profile.
- Sensitive data: we do not knowingly process special categories (health, race, religion, biometric). You must not upload such data.
3. Processing purposes
Solely:
- Providing the contracted Mycontracts services (matching, AI features, billing, support).
- Complying with legal obligations.
- Improving the service in an anonymous, aggregated form (opt-out available).
4. Subprocessors
You authorize the subprocessors listed at /subprocessors. We will notify you 30 days before adding or replacing a subprocessor. You may object — if we can't resolve the objection, you can terminate.
5. Security
We implement technical and organizational measures appropriate to the risk. Highlights:
- TLS 1.2+ in transit; field-level Fernet encryption for PII at rest.
- Auth0 OIDC + MFA enforcement on paid tiers; strict CSP and CSRF.
- Audit logging of every sensitive action.
- Annual SOC2 audit (Type 1 by Q1 2026, Type 2 by Q2 2026).
- Full posture documented at /security.
6. Personal-data breaches
We notify you without undue delay (within 72 hours of becoming aware) of any personal-data breach affecting your data. The notification includes nature, scope, likely consequences, and mitigation measures.
7. Data subject requests
When a data subject (your employee/user) sends us a request directly, we forward it to you and assist your response. We do not respond independently except as legally required.
8. International transfers
For transfers from the EU/UK to the United States, we rely on the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) and UK IDTA where applicable. Copies available on request.
9. Audit rights
You may audit our compliance once per calendar year on 30 days' notice, at your expense, during business hours, subject to confidentiality. Alternatively, we share our SOC2 report (when available) under NDA.
10. Return or deletion
On termination, you may export your data via the platform. After 30 days we delete your data unless legally required to retain it (tax records, audit trails — those are retained up to 7 years and access-controlled).
How to execute this DPA
Email legal@agora-virtual.com with your company name and signatory. We will send a countersigned PDF within 2 business days.