Data Processing Agreement (DPA)
Effective Date: March 14, 2026
This page summarizes PawPlacer's standard processor terms, subprocessors, and AI-related data flows when PawPlacer processes personal data on behalf of a customer in connection with the PawPlacer platform. It is not, by itself, a countersigned agreement. If you need an executed DPA for procurement or legal review, contact contact@pawplacer.com.
1. Roles of the Parties
The customer acts as the controller or business for the personal data it uploads or collects through PawPlacer. PawPlacer acts as the processor or service provider and processes that data only to provide the contracted services, to maintain platform security, and to comply with applicable law.
2. Subject Matter and Duration
This DPA covers the processing of personal data necessary to host, secure, support, and operate the PawPlacer platform, including optional product features that the customer enables. It remains in effect for as long as PawPlacer processes customer personal data under the applicable services agreement.
3. Nature and Purpose of Processing
PawPlacer processes customer personal data to provide rescue and shelter software for managing pets, adoptions, fosters, volunteers, forms, communications, documents, and related operations.
Optional AI features are customer-controlled. If enabled, PawPlacer may send limited feature-specific content to OpenAI to generate pet descriptions, suggest CSV header mappings, generate match explanations, or assist with text drafting. These AI features are designed as decision-support tools. The customer remains responsible for human review and final operational decisions.
4. Categories of Data Subjects and Data
Categories of data subjects and personal data may include the following, depending on how the customer uses the service:
- Account owners, team members, and workspace administrators
- Adopters, fosters, volunteers, applicants, and other people records created by the customer
- Pet and animal profile information, including notes and operational records entered by the customer
- Communications, contracts, uploaded files, and form responses stored in the service
- Billing and support contact information
5. Customer Instructions and Responsibilities
- The customer determines what data is entered into PawPlacer, which features are enabled, and which team members may access that data.
- The customer is responsible for establishing a lawful basis for its processing, delivering required privacy notices, and responding to data subject rights requests unless PawPlacer is required to assist.
- The customer should not submit social security numbers, payment card numbers, government-issued IDs, health information, or other highly sensitive data to optional AI features unless it has independently determined that doing so is lawful and appropriate.
- The customer is responsible for reviewing AI-enabled custom fields before sending them to optional AI features.
6. Confidentiality and Security
PawPlacer ensures that personnel with access to customer personal data are subject to confidentiality obligations and implements reasonable technical and organizational measures appropriate to the risk, including:
- TLS encryption for data in transit
- Role-based access controls and organization scoping
- Supabase Row Level Security and account-scoped queries
- Password hashing and managed authentication controls
- Environment-based secret management for provider credentials
- Auditability through application logs and operational monitoring
- Backups and disaster-recovery processes provided by infrastructure vendors
- Feature-level controls so customers can disable optional AI processing
7. AI-Specific Processing Terms
- AI processing is optional and disabled until enabled by the customer.
- Pet description generation may send pet profile information, including the pet's name, descriptive attributes, and AI-enabled custom fields selected by the customer.
- Matching may send compatibility context, selected pet attributes, AI-enabled custom fields, generated profile context, and explanation prompts needed to rank or explain shortlisted potential matches.
- CSV mapping suggestions send header names only, not row-level import data.
- AI output is assistive only. PawPlacer does not represent that AI output is accurate, complete, non-biased, or suitable as the sole basis for decisions about adopters, fosters, volunteers, or pets.
8. Subprocessors
PawPlacer uses the following subprocessors to deliver the service. Some subprocessors apply only when the corresponding optional feature is enabled.
| Vendor | Purpose | Data Categories | Location |
|---|
| Supabase | Primary database hosting, authentication, storage, and backups | Customer account data, pet records, adopter/foster/volunteer records, authentication data, uploaded files | United States |
| Vercel | Web hosting and application delivery | Application traffic, server-rendered content, limited operational logs | United States |
| OpenAI | Optional AI-assisted pet descriptions, matching, data-mapping suggestions, and drafting assistance | Only the prompts and feature-specific content needed for optional AI features selected by the customer | United States |
| Resend | Transactional email delivery when email features are enabled | Transactional email content, recipient names, recipient email addresses, and related delivery metadata | United States |
| Stripe | Subscription billing and payment processing | Billing contacts, payment-related metadata, subscription records, and transaction identifiers | United States |
9. International Transfers
PawPlacer primarily processes customer data in the United States. If your organization requires transfer terms such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or Swiss transfer language, request an executed DPA so the final agreement can be reviewed in context.
Customers remain responsible for assessing whether they may lawfully use optional AI features for their particular use case, including any transfer impact assessment, DPIA, or sector-specific review they may need to perform.
10. Assistance, Incidents, and Data Subject Rights
- Assistance with data subject requests, incident response details, and related processor obligations can be addressed in the parties' executed DPA, taking into account the nature of the processing.
- Customers evaluating optional AI features remain responsible for determining whether additional reviews such as transfer impact assessments, DPIAs, or sector-specific approvals are required.
- PawPlacer can provide product and subprocessor information to support those reviews on request.
11. Return, Deletion, and Audit Information
- During the term, customers can export data from available in-product export tools.
- Upon termination and documented request, PawPlacer will delete or return customer personal data from active systems, subject to legal retention requirements and ordinary backup retention cycles.
- Documentation requests, audit accommodations, and similar compliance terms can be addressed through the parties' executed DPA and related security documentation.
12. Annex Summary
- Annex I: The parties, subject matter, duration, categories of data subjects, and categories of personal data are described in Sections 1 through 4 above.
- Annex II: Technical and organizational measures are summarized in Section 6 above.
- Annex III: Current subprocessors are listed in Section 8 above.