Data Processing Agreement

Subject matter: Provision of the Parvl decision intelligence platform.

Duration: For the term of the service agreement plus the data retention period defined in Section 9.

Nature and purpose: Storage, AI classification, embedding generation, semantic search, and analytics of organisational decision data to enable decision tracking, search, and intelligence. Where the Controller has opted in to the Service Improvement Program (Section 15), de-identified correction data may also be processed for model improvement purposes.

Types of Personal Data processed:

• Names and identifiers of decision participants
• Email addresses (via authentication provider)
• Professional roles and organisational membership
• Decision content that may contain personal data (Slack messages and, when connected, meeting notes, PR descriptions, and Jira issues)
• Usage data (page views, feature interactions)

Categories of data subjects: Employees, contractors, and authorised users of the Controller's organisation.

The Controller provides general written authorisation for the Processor to engage sub-processors. The current list of authorised sub-processors is maintained on our Sub-processors page.

Notification of changes: The Processor shall notify the Controller at least 30 days before adding or replacing a sub-processor. Notification will be sent via email to the organisation administrator's email address on file. The Controller may subscribe to sub-processor change notifications via the settings page.

Right to object: The Controller may object to a new or replacement sub-processor within 14 days of receiving notification, by providing written notice with reasonable grounds for objection. If the Controller objects and the Processor cannot reasonably accommodate the objection, either party may terminate the affected services with 30 days' notice.

Sub-processor obligations: The Processor shall impose the same data protection obligations as set out in this DPA on each sub-processor by way of a written contract, ensuring that each sub-processor provides sufficient guarantees regarding the security and protection of Personal Data.

Liability: The Processor shall remain fully liable to the Controller for the performance of each sub-processor's obligations.

Parvl provides the following technical capabilities to assist the Controller with data subject requests:

• Access and portability: Full data export in CSV and JSON formats via the Data Retention settings page or the /data-retention/export API endpoint.
• Per-user export (DSAR): Individual user data export via /data-retention/export/user/:userId.
• Erasure (Right to be forgotten): Anonymisation of all personal data for a specific user via /data-retention/erase/:userId. Replaces personal identifiers with anonymised values while preserving decision records for organisational continuity.
• Rectification: Users can update their profile information through Clerk. Decision data can be edited by organisation administrators.
• Legal hold (when configured): Decisions placed under legal hold are protected from automated deletion policies, with appropriate notification to the Controller.

The Processor shall respond to the Controller's requests for assistance with data subject rights within 10 business days.

In the event of a Data Breach, Parvl shall:

• Notify within 72 hours: Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the Data Breach, providing initial information about the nature of the breach.
• Provide details: As soon as reasonably practicable, provide the Controller with:
  • A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach, including measures to mitigate possible adverse effects.
  • The name and contact details of the Processor's data protection contact.
• Cooperate: Co-operate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each such breach.
• Preserve evidence: Take reasonable steps to preserve evidence and logs related to the breach for forensic investigation.
• No public disclosure: The Processor shall not notify any third party (including supervisory authorities or data subjects) of a Data Breach without the Controller's prior written consent, unless required by applicable law.

Upon termination of the service agreement:

• The Controller may export all data within a 30-day grace period using the export tools.
• After the grace period, Parvl shall delete all Personal Data within 60 days, including data held in backups and disaster recovery systems.
• Decisions placed under legal hold (when configured) will be retained until the hold is explicitly lifted by the Controller.
• The Controller may configure automated retention policies (default: 2 years) via the Data Retention settings.
• Upon request, the Processor shall provide written confirmation that all Personal Data has been deleted.

If Personal Data is transferred outside the European Economic Area (EEA), the Processor shall ensure that:

• The transfer is to a country recognised by the European Commission as providing an adequate level of data protection; or
• Standard Contractual Clauses (SCCs), as adopted by European Commission Implementing Decision (EU) 2021/914, are incorporated into the data processing arrangements with the relevant sub-processor; or
• Another valid transfer mechanism under GDPR Chapter V applies.

For transfers to the United States, the Processor relies on the EU-U.S. Data Privacy Framework where applicable, and on SCCs as a supplementary or alternative mechanism.

The Processor shall conduct transfer impact assessments where required and implement supplementary measures as necessary to ensure an essentially equivalent level of protection.

Current sub-processor locations are listed on the Sub-processors page.

The Controller may audit the Processor's compliance with this DPA, subject to the following conditions:

• The Controller shall provide at least 30 days' written notice of an audit request.
• Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
• The Controller may engage a qualified, independent third-party auditor, subject to confidentiality obligations.
• The Processor shall make available relevant records, facilities, and personnel to the extent necessary to verify compliance.
• Audit frequency shall be limited to once per year, unless a Data Breach or regulatory investigation necessitates additional audits.
• Third-party assessment substitution: Where the Processor holds a current SOC 2 Type II report, ISO 27001 certification, or equivalent third-party security assessment, the Processor may provide a copy of such report in lieu of an on-site audit, provided the report covers the systems and controls relevant to the processing of Personal Data under this DPA. The Controller retains the right to request a supplementary audit if the report does not adequately address specific concerns raised in writing.

Parvl Pty Ltd complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). In addition to the GDPR obligations set out above, the Processor commits to the following:

• APP 8 — Cross-border disclosure: Where Personal Data is disclosed to overseas recipients (including sub-processors located in the United States), the Processor takes reasonable steps to ensure those recipients comply with the Australian Privacy Principles, including through binding contractual obligations.
• Notifiable Data Breaches scheme: The Processor complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. In the event of an eligible data breach likely to result in serious harm, the Processor will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required, in addition to the breach notification obligations in Section 8 of this DPA.
• OAIC cooperation: The Processor will cooperate with any investigation or inquiry by the OAIC relating to the processing of Personal Data under this DPA, and will provide reasonable assistance to the Controller in responding to any OAIC inquiry or complaint.

The Controller acknowledges that Parvl processes workplace communications (Slack messages) and that certain Australian states and territories impose specific requirements on workplace surveillance:

• New South Wales: The Workplace Surveillance Act 2005 (NSW) requires employers to give employees at least 14 days' written notice before commencing computer surveillance, specifying the kind of surveillance, how it will be carried out, and when it will start (s 10).
• Australian Capital Territory: The Workplace Privacy Act 2011 (ACT) requires 14 days' written notice before workplace surveillance begins (s 13), and the employer must consult in good faith with any employee who raises concerns during the notice period.
• South Australia: The Surveillance Devices Act 2016 (SA) covers “data surveillance devices” (programs that monitor computer input/output). Implied consent is sufficient, but employers should ensure employees are informed via a written workplace policy.
• Other states and territories: Queensland, Victoria, Western Australia, Tasmania, and the Northern Territory do not have specific legislation mandating a notice period for digital workplace communication monitoring. However, employees must be made aware that their communications are being monitored.
• Federal (Privacy Act 1988): APP 5 requires notification at or before the time of collection. Note: the employee records exemption (s 7B(3)) currently exempts private sector employers from the APPs for employee records directly related to the employment relationship. Regardless, notification is strongly recommended.

Controller obligation: The Controller is responsible for ensuring compliance with applicable state/territory workplace surveillance laws before activating Parvl on their Slack workspace. Parvl provides an employee notification template to assist with this obligation.

Best practice: Regardless of jurisdiction, Parvl recommends the Controller provide at least 14 days' notice to employees before activating monitoring, to build trust and maintain a defensible position.

The Controller may opt in to the Service Improvement Program (“SIP”) via the Organisation Settings panel. SIP is disabled by default. When SIP is enabled:

• De-identified correction data: The Processor may use de-identified, aggregated correction data (confirm, reject, and edit actions on extracted decisions) to improve the accuracy of the Processor's classification models. No original message text is retained or used for this purpose. The legal basis for this processing is legitimate interest (GDPR Article 6(1)(f)), balanced against the minimal privacy impact of de-identified correction patterns.
• Customer-specific model adapters: The Processor may train customer-specific model adapters using that Controller's correction data, solely to improve service accuracy for that Controller. These adapters are deleted within 30 days of SIP deactivation or contract termination, whichever is earlier.
• Published benchmarks: The Processor may publish aggregate, de-identified performance metrics (e.g., precision rates, correction frequencies, classification accuracy) in benchmarks or research papers. No data identifying the Controller, its employees, or their communications will be included. This processing is permitted under GDPR Article 89 (research exemption) with appropriate safeguards including pseudonymisation and data minimisation.

Disabling SIP: The Controller may disable SIP at any time via Organisation Settings. Disabling SIP stops future collection of correction data for model improvement. Data already incorporated into aggregate (non-customer-specific) models is not affected. Customer-specific adapters are deleted within 30 days of deactivation.

Legitimate Interest Assessment: The Processor has conducted and documented a Legitimate Interest Assessment for SIP processing, which is available upon request.