Data Processing Addendum
Last updated: April 6, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service or other written agreement ("Agreement") between Plaw, Inc. ("Plaw," "Processor") and the entity agreeing to the Agreement ("Customer," "Controller") for the Veto platform services. This DPA applies where Plaw processes Personal Data on Customer's behalf.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable Data Protection Laws.
- "Data Protection Laws" means all applicable laws relating to data protection, including GDPR (EU) 2016/679, UK GDPR, CCPA/CPRA, LGPD (Brazil), PIPEDA (Canada), APPI (Japan), and any successor or equivalent legislation.
- "Sub-Processor" means any third party appointed by Plaw to process Personal Data on behalf of Customer.
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, adaptation, retrieval, use, disclosure, combination, restriction, erasure, or destruction.
2. Scope and Roles
Customer is the Controller and Plaw is the Processor of Personal Data submitted to the Services as part of tool-call payloads, policy content, decision records, approval workflows, and related operational data ("Customer Personal Data").
For data Plaw collects independently (account registration, billing, website analytics), Plaw acts as an independent Controller, governed by our Privacy Policy.
3. Processing Instructions
- Plaw will process Customer Personal Data only on Customer's documented instructions, including those set forth in the Agreement and this DPA.
- Plaw will not process Customer Personal Data for any purpose other than providing, maintaining, and securing the Services, unless required by law.
- Plaw will not sell Customer Personal Data or use it for cross-context behavioral advertising.
- Plaw will not retain, use, or disclose Customer Personal Data for any commercial purpose other than performing the Services.
- If Plaw is required by law to process Customer Personal Data, Plaw will inform Customer before such processing (unless prohibited by law).
4. Security Measures
Plaw implements and maintains appropriate technical and organizational measures to protect Customer Personal Data, including:
- Encryption in transit (TLS 1.2+) and at rest for databases and sensitive configuration
- Hashed API key storage with scoped access controls
- Role-based access control and least-privilege principles for personnel
- Operational monitoring, structured logging, and intrusion detection
- Regular security assessments and vulnerability management
- Incident response procedures with defined escalation paths
- Employee security awareness and confidentiality obligations
5. Sub-Processors
Customer authorizes Plaw to engage the Sub-Processors listed at veto.so/legal/subprocessors. Before engaging a new Sub-Processor:
- Plaw will notify Customer at least 30 days in advance via email.
- Customer may object to a new Sub-Processor within 14 days of notification by emailing team@plaw.io.
- If Plaw cannot reasonably accommodate the objection, Customer may terminate the affected Services without penalty.
- Plaw imposes data protection obligations on each Sub-Processor that are no less protective than those in this DPA.
6. Data Subject Rights
Plaw will assist Customer in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) to the extent Plaw holds the relevant data and taking into account the nature of the processing. Plaw will promptly notify Customer of any data subject request received directly, unless prohibited by law.
7. Data Breach Notification
Plaw will notify Customer without undue delay and in any event within 72 hours after becoming aware of a Personal Data breach affecting Customer Personal Data. Notification will include:
- The nature of the breach, including categories and approximate number of records affected
- Contact information for Plaw's security team
- Description of likely consequences
- Description of measures taken or proposed to address and mitigate the breach
8. International Transfers
Customer Personal Data may be transferred to and processed in the United States. Plaw implements the following transfer safeguards:
- EU/EEA: EU-U.S. Data Privacy Framework and Standard Contractual Clauses (Commission Decision 2021/914)
- United Kingdom: UK Extension to EU-U.S. DPF and UK Addendum to EU SCCs (International Data Transfer Agreement)
- Switzerland: Swiss-U.S. Data Privacy Framework and Swiss Addendum to EU SCCs
Copies of executed SCCs are available upon request to team@plaw.io.
9. Audit Rights
Plaw will make available to Customer information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, by Customer or a mandated auditor. Audits will be:
- Conducted at reasonable intervals and with reasonable advance notice (at least 30 days)
- Subject to reasonable confidentiality obligations
- Limited in scope to Plaw's processing of Customer Personal Data
Where available, Plaw may satisfy audit requests by providing SOC 2 reports, penetration test summaries, or equivalent third-party certifications.
10. Data Return and Deletion
Upon termination of the Agreement, Plaw will:
- Make Customer Personal Data available for export for 30 days
- Delete Customer Personal Data from production systems within 90 days of termination
- Delete Customer Personal Data from backup systems within 180 days of termination
- Provide written certification of deletion upon request
Plaw may retain Customer Personal Data where required by applicable law, in which case Plaw will isolate and protect such data and limit processing to the purpose required by law.
11. CCPA/CPRA Addendum
To the extent Customer Personal Data includes personal information of California consumers, Plaw certifies that it:
- Will not sell or share Customer Personal Data
- Will not retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Agreement
- Will not combine Customer Personal Data with personal information received from or on behalf of third parties, except as permitted by CCPA/CPRA
- Grants Customer the right to take reasonable and appropriate steps to ensure compliance
12. LGPD Addendum
To the extent Plaw processes Personal Data subject to Brazil's LGPD, Plaw will process such data in compliance with LGPD requirements, including supporting Controller in responding to data subject requests within 15 days, implementing appropriate security measures, and notifying the ANPD of security incidents as required.
13. Term and Amendments
This DPA remains in effect for the duration of the Agreement and for as long as Plaw processes Customer Personal Data. Plaw may update this DPA to reflect changes in Data Protection Laws. Material changes will be notified 30 days in advance.
14. Contact
DPA inquiries, audit requests, and Sub-Processor objections: team@plaw.io
For enterprise customers requiring a countersigned DPA, contact team@plaw.io.