← Trust center
Data processing agreement
Team owners accept the DPA in workspace settings before audit export, API keys, or SIEM forwarding.
1. Subject matter
Processor provides SupplierClear SaaS: supplier readiness assessments, report generation, and optional DTI assurance submission.
2. Duration
Term of the applicable subscription or enterprise agreement.
3. Nature and purpose
Processing of user account data, assessment inputs, report outputs, and audit events necessary to deliver the service.
4. Categories of data subjects
Customer employees and authorized users who run assessments.
5. Categories of personal data
Name, email, assessment metadata, payment references, audit logs. Technical file uploads may contain business-confidential data — not used for model training.
6. Sub-processors
| Sub-processor | Purpose | Region |
|---------------|---------|--------|
| Vercel / hosting provider | Application hosting | Configurable |
| PostgreSQL provider | Database | Configurable |
| Stripe | Payments (US/CA/UK/EU/AU/IN/UAE) | EU/US |
| Paystack | Payments (NG) | Nigeria |
| Object storage (S3-compatible) | PDF and evidence storage | Configurable |
| OpenAI (optional) | Plain-language clarity explanations when `OPENAI_API_KEY` configured | US |
| Resend (optional) | Transactional email | US |
| WorkOS (optional) | Enterprise SSO | US |
| PostHog (optional) | Product analytics | EU/US |
Customer will be notified of sub-processor changes with 30 days' notice.
7. Security measures
- Encryption in transit (TLS)
- Hashed API keys and session tokens
- Role-based org access
- Audit event logging for enterprise actions
8. Data subject requests
Processor assists Controller with export/delete requests via documented API and Settings UI.
9. International transfers
Standard Contractual Clauses (SCCs) apply where personal data transfers outside the EEA.
10. Signatures
Controller: _________________________ Date: _________
Processor (Bacenik Ltd): _________________________ Date: _________