
Data Processing Addendum

This Addendum governs how PerfCopilot processes personal data on your behalf when you use the Service. It supplements our Terms of Service and is offered to every customer who needs one to meet GDPR, UK GDPR, or similar obligations.

Last updated: 2026-06-08

1. Scope & roles

This Data Processing Addendum (“DPA”) forms part of the agreement between you (“Customer,” the controller) and NSD LLC, operating as “PerfCopilot” (“PerfCopilot,” the processor) under our Terms of Service (the “Agreement”). It applies where, and to the extent, PerfCopilot processes Personal Data on your behalf in providing the Service, and it applies to processing subject to the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and other data-protection laws that apply to that processing (“Data Protection Laws”).

You are the controller of the Personal Data you submit (or that is collected on your instruction); PerfCopilot is the processor acting on your documented instructions. Each party is responsible for complying with the obligations that apply to it under Data Protection Laws.

To put this DPA into effect, see Execute this DPA below. Once executed it is incorporated into, and governed by, the Agreement.

2. Definitions

Capitalized terms not defined here have the meaning given in the Agreement. “Personal Data,” “processing,” “controller,” “processor,” “data subject,” and “personal data breach” have the meanings given in the GDPR. “Sub-processor” means a third party engaged by PerfCopilot to process Personal Data. “Customer Personal Data” means Personal Data within the Customer Content that PerfCopilot processes on your behalf.

3. Details of processing

3.1 Subject matter & duration

The subject matter is the provision of the Service described in the Agreement. Processing continues for the term of the Agreement and the limited deletion window described in section 11.

3.2 Nature & purpose

To aggregate work signals from your connected sources per review cycle, generate AI-assisted performance-review drafts, let managers edit and submit them, deliver sealed PDFs, and provide related support, security, and billing.

3.3 Categories of data subjects

Your Authorized Users and the employees or contractors you review (the review subjects), and where applicable peers who provide feedback.

3.4 Categories of Personal Data

  • Identity & contact: name, work email, role, department, manager relationship.
  • Account data: login credentials (hashed), authentication and 2FA metadata.
  • Work-signal metadata from connected sources: e.g. ticket/PR/commit counts and statuses, deal stages, activity counts, attendance, goals (metadata, not message bodies).
  • Review content: peer feedback, manager notes, ratings, and the generated and final review text.
  • Usage & technical data: audit logs, IP address, and device/browser metadata.

You must not submit special-category data, government identifiers, or protected health information; the Service is not intended for them.

4. Customer instructions

PerfCopilot will process Customer Personal Data only on your documented instructions, including as set out in the Agreement, this DPA, and your use and configuration of the Service, unless required by law (in which case we will inform you, where legally permitted). If we believe an instruction violates Data Protection Laws, we will tell you. You are responsible for ensuring you have a lawful basis and any notices or consents required for the data you submit and the reviews you conduct.

5. Confidentiality

PerfCopilot ensures that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality and access it only as needed to provide the Service. Access is limited to personnel with a need to know and is logged.

6. Security measures

PerfCopilot maintains technical and organizational measures appropriate to the risk, consistent with Article 32 GDPR, including:

  • Encryption of data in transit (TLS) and of credentials/tokens at rest; passwords stored only as salted hashes.
  • Tenant isolation, role-based access control, separate customer and operator authentication boundaries, and audit logging.
  • Optional SSO (SAML/OIDC) and two-factor authentication for Authorized Users.
  • We process work-signal metadata, not message bodies, minimizing the personal data handled.
  • Encrypted, rotated backups (30-day rotation) and a documented restore process.
  • Vulnerability management, least-privilege operational access, and security event monitoring.

Our current practices are summarized on our Security page. We may update measures over time provided protection is not materially reduced.

7. Sub-processors

You authorize PerfCopilot to engage the sub-processors below to process Customer Personal Data, each bound by data-protection terms no less protective than this DPA:

  • Anthropic: AI review generation (Claude API).
  • OpenAI: AI review generation (GPT API), used as an alternative model provider.
  • Google: AI review generation (Gemini API), used as an alternative model provider.
  • Stripe: billing and payments.
  • Resend: transactional email delivery.
  • Sentry: error monitoring, with PII scrubbing enabled.
  • PostHog: first-party product and website analytics.
  • European cloud hosting provider: application and database hosting.

We will give you reasonable prior notice of any new or replacement sub-processor (for customers under this DPA, by email to your account contact). You may object on reasonable data-protection grounds within 14 days; if we cannot accommodate the objection, you may terminate the affected subscription and receive a pro-rated refund of pre-paid, unused fees as your sole remedy. PerfCopilot remains liable for its sub-processors' performance of these obligations.

8. Assisting with data subject rights

Taking into account the nature of the processing, PerfCopilot will provide reasonable assistance — including through the self-service controls in the Service (export, edit, delete) — to help you respond to data-subject requests to access, rectify, erase, restrict, port, or object to processing. If a data subject contacts PerfCopilot directly about Customer Personal Data, we will refer them to you and not respond except on your instruction or as legally required.

9. Personal data breach

PerfCopilot will notify you without undue delay, and in any case within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notice will describe, to the extent known, the nature of the breach, likely consequences, and the measures taken or proposed. PerfCopilot will take reasonable steps to mitigate and remediate, and will provide reasonable assistance with your own breach-notification obligations. Notice of a breach is not an acknowledgment of fault or liability.

10. International transfers

Application servers and databases are hosted in Europe; some sub-processors (for example email delivery and the AI provider) operate in the United States. Where Customer Personal Data is transferred out of the EEA, the UK, or Switzerland to a country without an adequacy decision, the parties rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (and the UK Addendum / Swiss amendments as applicable), which are incorporated into this DPA by reference and completed with the details in sections 1 and 3. Where this DPA is executed, the SCCs prevail over any conflicting term for transfers they govern.

11. Return & deletion

You may export Customer Personal Data through the Service at any time during the term. On termination, or on your earlier request, PerfCopilot will delete Customer Personal Data: data is retained in an inactive state for up to 30 days after termination and then permanently deleted, subject to encrypted backup rotation (also on a 30-day cycle) and any data we must retain to comply with law. On request we will confirm deletion in writing.

12. Audits

PerfCopilot will make available information reasonably necessary to demonstrate compliance with this DPA and will contribute to audits, including by providing our security documentation and responding to a reasonable security questionnaire. Where a Data Protection Law requires an on-site or hands-on audit, it will be conducted no more than once per year (unless required by a supervisory authority or following a breach), on reasonable prior notice, during business hours, under confidentiality, and in a manner that does not disrupt the Service or compromise other customers' data.

13. AI processing

AI-assisted drafts are generated using third-party model providers (currently Anthropic's Claude, OpenAI's GPT, or Google's Gemini APIs; we may route to any of them). Each request transmits only the signals relevant to the active review — no historical context and no cross-organization data. We do not permit our model providers to use Customer Personal Data, in any form (including anonymized or aggregated), to train or improve their models. AI generation runs only when a manager chooses to generate or regenerate a draft, and Output is decision support that a person reviews and edits before use.

14. Liability & order of precedence

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. In the event of a conflict, for the processing of Personal Data this DPA prevails over the rest of the Agreement, and the Standard Contractual Clauses prevail over this DPA for the transfers they govern. This DPA is governed by the same law and dispute-resolution terms as the Agreement (the State of Florida, USA), except where Data Protection Laws or the SCCs require otherwise. If any provision is unenforceable, the remainder stays in effect.

Execute this DPA

To put this DPA in place for your organization, email legal@perfcopilot.com from your account's administrator address with your legal entity name and signatory. We will counter-sign and return an executed copy; once executed it is incorporated into your Agreement. Enterprise customers can also have it attached to their Order. Questions: legal@perfcopilot.com or /contact.