Data Processing Agreement
Last updated: March 13, 2026
This Data Processing Agreement ("DPA") supplements the Terms of Service between Resolve ("Processor") and the Customer ("Controller") and governs the processing of personal data by Resolve on behalf of the Customer, in accordance with Article 28 of the General Data Protection Regulation (GDPR).
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller through the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Scope of Processing
| Detail | Description |
|---|---|
| Subject matter | Provision of the Resolve decision acceleration platform |
| Duration | For the term of the service agreement plus the data retention period |
| Nature and purpose | Storage, processing, and AI-assisted analysis of decision-related data to provide the Service |
| Categories of data subjects | Controller's employees, contractors, and authorized team members |
| Types of Personal Data | Names, email addresses, profile data, decision content, stakeholder inputs, workspace activity |
3. Obligations of the Processor
Resolve shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries (unless required by law).
- Ensure that persons authorized to process Personal Data have committed to confidentiality obligations.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
  - Encryption at rest (AES-256) and in transit (TLS 1.2+)
  - AES-256-GCM encryption for integration credentials
  - Access controls and authentication via Clerk
  - Regular security monitoring
  - Content Security Policy and security headers
- Not engage another processor without prior written authorization from the Controller (general or specific). The current list of sub-processors is available at resolve.app/legal/subprocessors (see Section 4).
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection).
- Assist the Controller in ensuring compliance with GDPR obligations related to security, breach notification, impact assessments, and prior consultation.
- At the Controller's choice, delete or return all Personal Data after the end of services, and delete existing copies unless storage is required by law.
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 obligations and allow for reasonable audits.
4. Sub-processors
The Controller provides general authorization for the Processor to engage sub-processors. The current list is maintained at resolve.app/legal/subprocessors.
- The Processor shall inform the Controller of any intended changes to sub-processors at least 30 days in advance.
- The Controller may object to changes within 14 days of notification. If the objection cannot be resolved, the Controller may terminate the agreement.
- The Processor shall impose equivalent data protection obligations on sub-processors via written agreements.
- The Processor remains fully liable for the performance of sub-processors.
5. Data Breach Notification
- The Processor shall notify the Controller of any Data Breach without undue delay and no later than 72 hours after becoming aware of it.
- Notification shall include: nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
- The Processor shall cooperate with the Controller in investigating and remediating the breach.
6. International Transfers
Primary data storage is in the EU (Supabase, Ireland). Where Personal Data is transferred to sub-processors outside the EEA, such transfers are protected by:
- EU-U.S. Data Privacy Framework certifications (where applicable)
- Standard Contractual Clauses as adopted by the European Commission
- Supplementary technical measures including encryption and access controls
7. Audit Rights
- The Controller may audit the Processor's compliance with this DPA, subject to reasonable notice (at least 30 days) and during normal business hours.
- Audits shall not unreasonably interfere with the Processor's operations and shall be limited to once per year unless a Data Breach has occurred.
- The Processor may satisfy audit requests by providing relevant certifications, audit reports (SOC 2 or equivalent), or written responses to reasonable audit questionnaires.
8. Data Deletion
Upon termination of the service agreement or upon the Controller's written request:
- The Processor shall delete all Personal Data within 30 days, including backups and vector embeddings.
- Deletion shall be propagated to all sub-processors.
- The Processor shall certify deletion in writing upon the Controller's request.
- Exceptions: billing records may be retained for up to 7 years to comply with tax and legal obligations.
9. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service.
10. Contact
To request a signed copy of this DPA or for any questions regarding data processing, contact us at privacy@resolve.app.