Data Processing Agreement

Last updated: March 25, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between the entity agreeing to these terms (“Controller” or “Customer”) and DataRoom Snap (“Processor” or “we”) for the provision of AI-powered document analysis services (the “Service”). This DPA sets out the terms governing the Processor's processing of Personal Data on behalf of the Controller.

1. Definitions

1.1 Controller

The entity that determines the purposes and means of the processing of Personal Data; in this context, the Customer using the Service.

1.2 Processor

The entity that processes Personal Data on behalf of the Controller; in this context, DataRoom Snap.

1.3 Data Subject

An identified or identifiable natural person whose Personal Data is processed.

1.4 Personal Data

Any information relating to a Data Subject that is processed by the Processor on behalf of the Controller through the Service.

1.5 Processing

Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

2. Scope of Processing

DataRoom Snap processes documents uploaded by the Controller for the purpose of AI-powered analysis. The Processor shall process Personal Data only in accordance with the Controller's documented instructions, which are defined by the Controller's use of the Service. The Processor shall not process Personal Data for any purpose other than providing the Service, unless required by applicable law.

3. Categories of Data

3.1 Document Data

Financial documents, corporate documents, pitch decks, 10-K filings, confidential information memoranda (CIMs), financial models, and other materials uploaded by authorized users for analysis.

3.2 Account Data

User names, email addresses, organization names, roles, and authentication credentials necessary for providing the Service.

3.3 Usage Data

Logs, timestamps, IP addresses, and interaction data generated through the Controller's use of the Service.

4. Purpose of Processing

Personal Data is processed solely for the following purposes:

  • Automated document analysis and AI-powered insights generation
  • KPI extraction from uploaded financial and corporate documents
  • Risk scoring and red flag detection
  • User authentication and access control
  • Audit logging and compliance reporting

5. Sub-processors

The Controller authorizes the Processor to engage the following sub-processors. The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA.

Anthropic

AI-powered document analysis via the Claude API. Document contents are transmitted for analysis over encrypted connections. Anthropic does not use API inputs for model training.

Location: United States

Supabase

Database hosting, user authentication, and encrypted file storage. All data is stored with row-level security and AES-256 encryption at rest.

Location: United States (AWS us-east-1)

Vercel

Application hosting and global content delivery network. Processes standard web request data including IP addresses.

Location: Global (Edge Network)

Stripe

Payment processing and subscription billing. Processes billing contact information and payment method details.

Location: United States

The Processor shall notify the Controller of any intended changes to sub-processors at least 30 days in advance, giving the Controller the opportunity to object.

6. Security Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk. For comprehensive details, refer to our Trust Center. Key measures include:

  • AES-256 encryption at rest and TLS 1.3 encryption in transit
  • Row-Level Security (RLS) for complete data isolation between organizations
  • Role-based access control (RBAC) with 18 granular permissions
  • Immutable audit logs with 7-year retention
  • IP allowlisting per organization
  • Annual penetration testing and automated vulnerability scanning

7. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws, including GDPR Articles 15 through 22:

  • Right of Access (Art. 15): Data Subjects may request a copy of their Personal Data being processed.
  • Right to Rectification (Art. 16): Data Subjects may request correction of inaccurate Personal Data.
  • Right to Erasure (Art. 17): Data Subjects may request deletion of their Personal Data. Erasure is available via Settings > Billing > Danger Zone within the platform.
  • Right to Restriction (Art. 18): Data Subjects may request restriction of processing of their Personal Data.
  • Right to Portability (Art. 20): Data Subjects may request their Personal Data in a structured, commonly used, machine-readable format.
  • Right to Object (Art. 21): Data Subjects may object to the processing of their Personal Data.

The Processor shall respond to any such request promptly and no later than 30 days from receipt.

8. Data Retention

8.1 Active Accounts

Documents, analysis results, and associated Personal Data are retained for the duration of the Controller's active subscription.

8.2 Account Closure

Upon account closure or receipt of a GDPR erasure request, all documents, analysis data, and Personal Data shall be deleted within 30 days.

8.3 Audit Logs

Audit logs are retained for 7 years for regulatory compliance purposes. Following an erasure request, audit logs are anonymized to remove Personal Data while preserving the audit trail.

9. International Transfers

Personal Data is processed and stored in the United States (AWS us-east-1, N. Virginia). Where Personal Data originating from the European Economic Area, the United Kingdom, or Switzerland is transferred to the United States, such transfers are governed by Standard Contractual Clauses (SCCs) as adopted by the European Commission. Customers may request a copy of the applicable SCCs by contacting privacy@dataroomsnap.com. EU data residency is available on Enterprise plans upon request.

10. Breach Notification

In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and in any event within 24 hours of becoming aware of a confirmed breach. The notification shall include the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.

11. Term and Termination

This DPA is coterminous with the Controller's subscription agreement for the Service. The DPA shall automatically terminate when the subscription agreement expires or is terminated. Upon termination, the Processor shall delete or return all Personal Data to the Controller in accordance with Section 8 (Data Retention), unless retention is required by applicable law.

12. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. The Controller shall provide reasonable notice of any audit and conduct the audit in a manner that minimizes disruption to the Processor's operations.

13. Contact

For questions regarding this DPA or to exercise any rights hereunder, please contact:

DataRoom Snap - Privacy Team

Email: privacy@dataroomsnap.com

For a full overview of our security and compliance posture, visit our Trust Center.