DATA PROCESSING AGREEMENT
Effective Date: April 8, 2026
This Data Processing Agreement ("DPA") is entered into between the customer identified in the applicable Valmetric Terms of Service or Order Form ("Customer," "you," or "Controller") and Superior Street Group Inc., doing business as Valmetric ("Valmetric," "we," "us," or "Processor").
This DPA supplements and forms part of the Terms of Service ("Agreement") between Customer and Valmetric. In the event of a conflict between this DPA and the Agreement, this DPA will prevail with respect to the processing of Personal Data.
1. DEFINITIONS
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Valmetric on behalf of Customer through the Service.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
"Subprocessor" means any third party engaged by Valmetric to process Personal Data on behalf of Customer.
"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation, the California Consumer Privacy Act ("CCPA"), and any other applicable data protection or privacy legislation.
"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. SCOPE AND ROLES
2.1 Customer is the Controller and Valmetric is the Processor with respect to Personal Data processed through the Service.
2.2 Valmetric processes Personal Data solely on behalf of and in accordance with Customer's documented instructions, as described in this DPA and the Agreement.
3. CATEGORIES OF DATA PROCESSED
| Data Category | Examples | Purpose |
|---|---|---|
| User account data | Name, email address, role assignments | Authentication, access control, and service delivery |
| Billing identifiers | Stripe customer ID, subscription ID | Subscription management (payment details are processed exclusively by Stripe and never touch Valmetric systems) |
| Optional contact fields on quotes | Customer name, email, company name entered on quotes | Quote generation and delivery |
3.1 Valmetric does not require or process sensitive personal data (e.g., health data, government IDs, financial account numbers, racial or ethnic origin, biometric data) as part of the Service.
3.2 Customer Data such as product names, pricing structures, price books, and discount schedules is commercial data, not Personal Data, unless Customer includes personal information within those fields.
4. PROCESSING INSTRUCTIONS
4.1 Valmetric will process Personal Data only in accordance with Customer's documented instructions, which include the operations necessary to provide the Service as described in the Agreement and this DPA.
4.2 If Valmetric believes an instruction from Customer infringes Data Protection Laws, Valmetric will promptly notify Customer.
4.3 Valmetric will not process Personal Data for any purpose other than providing the Service, unless required by applicable law. In such case, Valmetric will inform Customer of the legal requirement before processing, unless prohibited by law.
5. SUBPROCESSORS
5.1 Customer authorizes Valmetric to engage the subprocessors listed in our Subprocessor List, which may be updated from time to time.
5.2 Notification of Changes. Valmetric will provide at least 30 days' advance written notice before engaging a new subprocessor that processes Personal Data. Notice will be sent to the email address associated with Customer's account.
5.3 Objection Right. If Customer has a reasonable objection to a new subprocessor, Customer may notify Valmetric within 15 days of receiving notice. The parties will work in good faith to resolve the objection. If the objection cannot be resolved, Customer may terminate the affected portion of the Service without penalty.
5.4 Valmetric will impose data protection obligations on subprocessors that are no less protective than those in this DPA. Valmetric remains liable for the acts and omissions of its subprocessors.
Current Subprocessors:
| Subprocessor | Purpose | Data Residency |
|---|---|---|
| Supabase | Database, authentication, Edge Functions | AWS us-east-1 (USA) |
| Vercel | Application hosting and CDN | Global edge network (origin: USA) |
| Stripe | Payment processing and billing | USA (PCI DSS Level 1) |
| Railway | API server hosting | USA |
| Resend | Transactional email delivery | AWS us-east-1 (USA) |
| Anthropic | AI-powered pricing configuration (no PII) | USA |
| PostHog | Marketing analytics only (cookieless, no PII) | USA / EU |
6. DATA SECURITY
6.1 Valmetric implements and maintains appropriate technical and organizational measures to protect Personal Data, including:
- Encryption in transit: TLS 1.2 or higher on all connections.
- Encryption at rest: AES-256 encryption on all stored data (via Supabase/AWS encrypted EBS volumes).
- Access controls: Role-based access control and PostgreSQL Row Level Security (RLS) enforcing tenant isolation at the database layer.
- Authentication: SAML 2.0 SSO support for enterprise customers; secure email/password authentication with hashed credentials.
- API security: API keys stored as SHA-256 hashes; tenant-scoped access on all API requests.
- Infrastructure: All infrastructure managed by SOC 2 Type II certified providers. No self-managed servers.
6.2 Valmetric will regularly assess and improve these measures to maintain an appropriate level of security.
7. DATA SUBJECT RIGHTS
7.1 Valmetric will assist Customer in fulfilling its obligations to respond to Data Subject requests (access, rectification, erasure, portability, restriction, and objection) under Data Protection Laws.
7.2 If Valmetric receives a request directly from a Data Subject, Valmetric will promptly redirect the request to Customer, unless legally required to respond directly.
7.3 Valmetric provides data export functionality (CSV, JSON) within the Service. Customer may use these tools to fulfill portability requests.
8. SECURITY INCIDENT NOTIFICATION
8.1 Valmetric will notify Customer of a Security Incident without undue delay, and in any event within 72 hours of becoming aware of the incident.
8.2 Notification will include, to the extent available:
- Nature of the Security Incident, including categories and approximate number of Data Subjects affected;
- Name and contact details of the point of contact;
- Likely consequences of the incident;
- Measures taken or proposed to address the incident and mitigate its effects.
8.3 Valmetric will cooperate with Customer's investigation and remediation efforts and provide reasonable assistance to Customer in meeting its own breach notification obligations.
9. DATA RETENTION AND DELETION
9.1 Upon termination of the Agreement, Valmetric will delete Customer's Personal Data within 30 days, except:
- Finalized quotes are retained for up to 7 years as business records, with all user-identifying references removed (set to NULL);
- Billing reference identifiers (Stripe customer/subscription IDs) are retained for 90 days for reconciliation;
- Data retained as required by applicable law.
9.2 Customer may request earlier deletion of Personal Data at any time by contacting privacy@valmetric.com. Valmetric will process deletion requests within 30 days.
9.3 Data in infrastructure provider backups (e.g., Supabase point-in-time recovery) is retained for up to 7 days and expires automatically.
10. INTERNATIONAL DATA TRANSFERS
10.1 Customer acknowledges that Valmetric processes Personal Data in the United States.
10.2 Where transfers of Personal Data from the EEA, UK, or Switzerland to the United States are required, Valmetric relies on:
- Standard Contractual Clauses (SCCs): The EU Commission-approved Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated by reference into this DPA.
- UK International Data Transfer Addendum: For transfers subject to UK GDPR, the UK Addendum to the EU SCCs applies.
10.3 Valmetric will ensure that its subprocessors provide adequate safeguards for international transfers in compliance with Data Protection Laws.
11. AUDITS AND COMPLIANCE
11.1 Valmetric will make available to Customer, upon reasonable request and subject to confidentiality obligations, information necessary to demonstrate compliance with this DPA.
11.2 Valmetric will allow and contribute to audits, including inspections, conducted by Customer or a third-party auditor mandated by Customer, subject to reasonable advance notice (at least 30 days) and during normal business hours. Customer bears the cost of any such audit.
11.3 Where Valmetric's subprocessors maintain independent security certifications (SOC 2 Type II, ISO 27001, PCI DSS), Valmetric may provide these certifications or summaries in lieu of direct audit access to subprocessor infrastructure.
12. TERM AND TERMINATION
12.1 This DPA is effective upon execution and remains in effect for the duration of the Agreement.
12.2 The obligations under this DPA survive termination of the Agreement to the extent Valmetric retains any Personal Data.
13. CONTACT
For questions about this DPA or to request execution, contact:
Superior Street Group Inc. d/b/a Valmetric
Email: privacy@valmetric.com
Address: 2895 S Superior St, Milwaukee, WI 53207