Data Processing Addendum
Effective: April 26, 2026 · Version 1.0
Who this is for
This Data Processing Addendum (“DPA”) is provided for enterprise customers who require documented data processing agreements for GDPR, CCPA, or internal procurement compliance. For the standard privacy policy that governs all users, see our Privacy Policy.
1. Parties
This DPA is entered into between International Tech Partners, LLC, doing business as SpendAdvisor (“SpendAdvisor,” “we,” “us”), and the entity accessing the SpendAdvisor service (“Customer,” “you”). This DPA supplements and is incorporated into any Terms of Service or agreement between the parties governing use of the SpendAdvisor platform.
2. Definitions
Personal Data
Any information relating to an identified or identifiable natural person, as defined under applicable data protection law (including GDPR Article 4(1) and CCPA § 1798.140).
Processing
Any operation performed on Personal Data, including collection, recording, storage, use, transmission, or deletion.
Controller
The party that determines the purposes and means of Processing Personal Data. In our context, Customer is the Controller with respect to contact information Customer chooses to submit.
Processor
The party that Processes Personal Data on behalf of the Controller. SpendAdvisor acts as Processor with respect to contact information submitted by Customer personnel.
Subprocessor
A third-party service provider engaged by SpendAdvisor to Process Personal Data on SpendAdvisor's behalf.
3. Nature and purpose of processing
Subject matter
SpendAdvisor processes telecom invoice documents and associated contact information submitted by Customer personnel for the purpose of generating bill analysis reports, savings estimates, and connecting Customers with telecom optimization specialists.
Duration
Processing of invoice content occurs in real time during the analysis and is not retained. Processing of contact information (name, email, company) continues until the Customer requests deletion or 24 months from the last interaction, whichever is sooner.
Categories of data subjects
Customer employees or agents who upload telecom invoices and/or submit contact information via the SpendAdvisor platform.
Categories of Personal Data
Name, business email address, company name. SpendAdvisor does not collect or retain account numbers, billing addresses, Social Security numbers, payment card information, or any special categories of data under GDPR Article 9.
4. SpendAdvisor's obligations as Processor
- Process Personal Data only on documented instructions from the Controller (i.e., to provide the agreed service) and not for any other purpose.
- Ensure that persons authorized to process the Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, destruction, or alteration.
- Respect the conditions for engaging Subprocessors set out in Section 6 of this DPA.
- Assist the Controller in fulfilling obligations to respond to data subject rights requests, to the extent technically feasible.
- Notify the Controller without undue delay (and within 72 hours where feasible) upon becoming aware of a personal data breach affecting Personal Data processed under this DPA.
- Delete or return all Personal Data upon termination of the service or written request, and delete copies unless retention is required by law.
- Make available all information necessary to demonstrate compliance with this DPA upon reasonable written request.
5. Customer's obligations as Controller
- Ensure that there is a lawful basis for providing Personal Data to SpendAdvisor for processing (e.g., legitimate interest, consent, or performance of a contract).
- Ensure that data subjects have been informed of the processing as required by applicable law.
- Not submit Personal Data that includes special categories of data (GDPR Article 9), payment card information, government-issued ID numbers, or health information.
- Promptly forward any data subject rights requests to privacy@spendadvisor.io so SpendAdvisor can assist in fulfilling them within required timelines.
6. Subprocessors
SpendAdvisor uses the following Subprocessors in connection with the service. Customer provides general authorization for SpendAdvisor to engage Subprocessors, subject to SpendAdvisor binding each Subprocessor to data protection obligations equivalent to those in this DPA.
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| AI Infrastructure Provider | Bill content analysis | Invoice text (transient — not retained) | US |
| Airtable | CRM / lead storage | Name, email, company name | US |
| Resend | Transactional email | Email address | US |
| PostHog | Product analytics | Usage events, email (if identified) | US |
| Vercel | Cloud hosting | IP address, request metadata | US / Global CDN |
SpendAdvisor will notify Customer of any intended changes to Subprocessors by updating this page. Customer may object to new Subprocessors by contacting privacy@spendadvisor.io within 30 days of the update.
7. International data transfers
SpendAdvisor is based in the United States. If Customer is located in the European Economic Area (EEA), UK, or Switzerland, the transfer of Personal Data to SpendAdvisor constitutes a transfer to a third country. SpendAdvisor relies on the EU Standard Contractual Clauses (SCCs, 2021 version) as the lawful transfer mechanism for EEA-to-US transfers. Customers requiring a signed copy of SCCs should email privacy@spendadvisor.io.
8. Security measures
SpendAdvisor implements the following technical and organizational measures:
- TLS encryption for all data in transit
- Invoice content processed entirely in server memory — never written to persistent storage
- Access controls and authentication for all administrative systems
- No invoice filenames or content logged — only random request IDs
- Subprocessors selected based on SOC 2 or equivalent certification where available
- Regular security reviews of code and infrastructure configuration
9. Data subject rights
SpendAdvisor will assist Customer in responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection) received by SpendAdvisor that relate to Personal Data processed under this DPA. Requests should be directed to privacy@spendadvisor.io. SpendAdvisor will respond within 30 days.
10. Breach notification
In the event of a confirmed personal data breach affecting Personal Data processed under this DPA, SpendAdvisor will notify Customer without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Notification will include: the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed to address the breach.
11. Term and termination
This DPA is effective for the duration of the service agreement between the parties. Upon termination, SpendAdvisor will delete all Personal Data within 90 days unless retention is required by law. Certain anonymized, non-identifiable data (market intelligence records containing no PII) may be retained after termination as they cannot be linked to any individual or organization.
12. Governing law
This DPA is governed by the laws of the State of Delaware, without regard to conflict of law principles. For EEA customers, GDPR-mandated terms shall prevail in the event of a conflict with this section.
13. Contact and execution
Customers who require a countersigned DPA for their procurement or legal teams may request one by emailing:
SpendAdvisor — Data Privacy
International Tech Partners, LLC
privacy@spendadvisor.io
We aim to respond to DPA execution requests within 5 business days.