Data Processing Agreement (Template)

This Data Processing Agreement ("DPA") supplements the Terms of Service between BarrelLogic, Inc. ("Processor") and the Customer identified on the order form ("Controller").

1. Definitions

Defined terms ("Personal Data", "Processing", "Data Subject", "Supervisory Authority") have the meanings assigned by the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR") and, where applicable, the UK Data Protection Act 2018 ("UK GDPR") and California Consumer Privacy Act ("CCPA").

2. Subject matter

Processor processes Personal Data on Controller's behalf in connection with the Service described in the Terms. The nature of Processing includes:

• Storing operational winery data (vessels, lots, chemistry, work orders, conversations, sensor readings).
• Storing Controller's customer lists and order history imported or synced from DTC commerce platforms.
• Providing AI specialist assistance that operates on Controller's data to produce recommendations, briefings, reports, and conversational responses.
• Sending transactional emails on Controller's behalf via Resend.
• Charging end-customer payment methods via Stripe (where Controller has opted into direct-to-consumer billing features).

3. Duration

Processing continues for the term of the Service, plus any purge or export period specified in the Terms (90 days post-termination).

4. Categories of Data Subjects

• Controller's staff (winery staff) — account data, audit trail.
• Controller's customers (wine buyers) — name, email, phone, billing + shipping addresses, order history, preference data.
• Sensor device metadata — not Personal Data under GDPR but subject to the same confidentiality obligations.

5. Categories of Personal Data

• Identity: name, email, phone.
• Address: billing and shipping addresses.
• Financial: order totals, payment method summaries (no full card data — Stripe holds that).
• Marketing preferences: opt-ins, segment memberships, engagement events.
• Audit trail: timestamps of actions, user-agent, IP address.

No "special categories" of data (health, religion, etc.) are in scope unless Controller explicitly uploads such data through custom fields.

6. Processor's obligations

Processor shall:

1. Process Personal Data only on documented instructions from Controller, including the Terms, this DPA, and Controller-configured settings in the Service.
2. Ensure personnel authorised to process Personal Data are under confidentiality obligations.
3. Implement appropriate technical and organisational measures per Annex A (Security Measures).
4. Assist Controller in fulfilling Data Subject requests (access, rectification, erasure, restriction, objection, portability) — Controller can self-serve via the Service's Data Export and Deletion features; Processor will support requests that require direct intervention.
5. Notify Controller within 72 hours of becoming aware of a Personal Data Breach, via the security contact on file.
6. Delete or return all Personal Data after termination per the Terms.
7. Provide the information necessary to demonstrate compliance with this DPA, including annual summaries of sub-processor audits where feasible.

7. Sub-processors

Controller authorises the sub-processors listed in Annex B. Processor will provide at least 30 days' notice before engaging a new sub-processor and give Controller a reasonable opportunity to object.

8. International transfers

Cross-border transfers of Personal Data outside the EU/EEA or UK are subject to:

• Standard Contractual Clauses (SCCs) per EU Commission Decision 2021/914 between Processor and each sub-processor located in a third country.
• The UK Addendum to the SCCs where UK Personal Data is transferred.
• Additional supplementary measures (encryption in transit + at rest, access controls, audit logging) described in Annex A.

9. Controller's responsibilities

Controller shall:

• Ensure it has valid legal bases to process the Personal Data it uploads.
• Provide Data Subjects with any required privacy notices.
• Configure the Service's data-processing settings (e.g. choice of region, retention, sub-processor opt-ins).
• Promptly respond to Data Subject requests that flow through the Service.

10. Liability

The liability regime is governed by Section 13 (Limitation of Liability) of the Terms.

11. Term and termination

This DPA remains in force for the duration of the Service and survives termination to the extent required to fulfill the parties' obligations relating to Personal Data.

Annex A — Security measures

See Section 5 of the BarrelLogic Privacy Policy and the internal docs/threat-model.md + docs/security-hardening.md. Highlights:

• TLS 1.2+ for transport; HSTS preload enabled on barrellogic.com.
• AES-256-GCM encryption at rest for integration credentials and other sensitive columns.
• Row-level security on every multi-tenant table, audited by an automated CI gate (scripts/audit-rls.ts).
• Append-only audit_log for all privileged actions; append-only security_events for forensic events.
• Rate limiting on all API endpoints; per-route policies for high-sensitivity endpoints (data export, signup, invites).
• Automated prompt-injection screening on conversation inputs.
• SOC 2 Type II readiness project scheduled for the first quarter of commercial operation.

Annex B — Sub-processors

See docs/sub-processors.md in the public repository (or, post-launch, barrellogic.com/legal/sub-processors) for the current list. As of execution of this DPA:

Controller-initiated optional sub-processors (e.g. Commerce7, QuickBooks) are engaged by Controller separately.

Signed Processor: BarrelLogic, Inc. Controller: [Customer name] Effective date: [date]