Data Processing Addendum

Last updated: April 7, 2026

This Data Processing Addendum ("DPA") supplements the Draftovo Terms of Service (the "Agreement") between the customer ("Controller") and Willow Wealth LLC dba Draftovo ("Processor") and applies to the extent Processor processes Personal Data on behalf of Controller in connection with the Service. Capitalized terms not defined here have the meaning given in the Agreement or in applicable data protection laws, including the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and the California Consumer Privacy Act as amended ("CCPA/CPRA").

1. Parties

  • Controller: the Draftovo customer identified in the executed Agreement or order form.
  • Processor: Willow Wealth LLC, a California limited liability company doing business as Draftovo, with its principal place of business at 6178 Agee St Unit 151, San Diego, CA 92122.

2. Subject Matter & Duration

The subject matter of this DPA is the processing of Personal Data by Processor on behalf of Controller to provide the Draftovo AI content generation Service. This DPA applies for the duration of the Agreement and continues until all Personal Data has been returned or deleted in accordance with Section 12.

3. Nature & Purpose of Processing

Processor will process Personal Data solely to provide, secure, and support the Service and to comply with documented instructions from Controller. Processing activities include collection, storage, organization, retrieval, use, disclosure by transmission to approved subprocessors, and erasure of Personal Data.

4. Types of Personal Data

  • Identifiers (name, email, account ID, IP address)
  • Account and profile information
  • Brand assets and any Personal Data contained in uploaded source material
  • Prompts, instructions, and generated content
  • Billing metadata (processed by Stripe)
  • Usage, device, and log data

5. Categories of Data Subjects

  • Controller's employees, contractors, and agents
  • Controller's customers and prospects
  • Any individual whose Personal Data is included in content Controller submits to the Service

6. Controller Obligations

  • Controller is responsible for the lawfulness of Personal Data collection and for providing all required notices and obtaining all required consents from data subjects.
  • Controller warrants it has the right to transfer Personal Data to Processor for processing under the Agreement.
  • Controller is responsible for the accuracy, quality, and legality of Personal Data submitted to the Service.
  • Controller will not submit special categories of data (GDPR Art. 9) unless expressly agreed in writing.

7. Processor Obligations (GDPR Article 28)

  • Documented instructions: process Personal Data only on documented instructions from Controller, including the Agreement and this DPA.
  • Confidentiality: ensure personnel authorized to process Personal Data are bound by written confidentiality obligations.
  • Security: implement appropriate technical and organizational measures (see Section 10).
  • Subprocessors: engage subprocessors only under the conditions in Section 8.
  • Data subject rights: assist Controller, taking into account the nature of processing, in fulfilling Controller's obligation to respond to data subject requests.
  • Breach notification: notify Controller without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach (see Section 11).
  • Deletion on termination: at Controller's choice, delete or return all Personal Data after the end of the provision of services (see Section 12).
  • Audit rights: make available to Controller all information necessary to demonstrate compliance with Art. 28 and allow for and contribute to audits, including inspections, conducted by Controller or an auditor mandated by Controller, subject to reasonable confidentiality and scheduling terms.
  • DPIA assistance: assist Controller with data protection impact assessments and prior consultation with supervisory authorities.

8. Subprocessors

Controller provides general authorization for Processor to engage subprocessors as necessary to deliver the Service. Processor will impose data protection obligations on each subprocessor that are no less protective than those in this DPA. A current list of engaged subprocessors is available upon written request to privacy@draftovo.ai. Processor will notify Controller of any intended additions or replacements of subprocessors at least 30 days in advance. Controller may object to such changes on reasonable grounds related to data protection.

9. International Transfers

Where Processor transfers Personal Data of EU, UK, or Swiss data subjects outside the European Economic Area, United Kingdom, or Switzerland to a country not recognized as providing an adequate level of protection, the parties agree that such transfers are governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission (Module Two: Controller to Processor) and, where applicable, the UK International Data Transfer Addendum, which are incorporated herein by reference.

10. Security Measures

  • Encryption of Personal Data at rest and in transit (TLS 1.2 or higher; AES-256 at rest where supported by storage providers).
  • Role-based access control, least-privilege permissions, and multi-factor authentication for administrative access.
  • Network segregation, firewalls, and managed hosting on reputable cloud providers.
  • Continuous monitoring, logging, vulnerability scanning, and dependency auditing.
  • Regular backups, disaster recovery testing, and documented incident response procedures.
  • Personnel security training and background checks where permitted by law.

11. Data Breach Notification Procedure

Processor will notify Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Controller's Personal Data. Notice will be sent to the administrative contact on file and will include, to the extent known: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, measures taken or proposed to mitigate, and a point of contact for further information. Processor will cooperate with Controller in investigation and remediation.

12. Return or Deletion of Data

Upon termination or expiration of the Agreement, Processor will, at Controller's election, return or delete all Personal Data in its possession or control within 30 days, except to the extent retention is required by applicable law. Any such retained Personal Data will remain subject to the confidentiality and security obligations of this DPA.

13. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set forth in the Draftovo Terms of Service.

14. Governing Law

This DPA is governed by the laws of the State of California, without regard to its conflict of laws principles. The exclusive venue for any dispute arising out of or related to this DPA is the state and federal courts located in San Diego County, California, except where the SCCs apply and specify a different forum for EU/UK data subjects.

15. Signature & Execution

To execute this DPA for your account, email a signed copy to draftovo.ai@gmail.com with the subject line "DPA Request — [Your Company]". Include your company legal name, account email, and the name and title of the authorized signatory. We will countersign and return a fully executed copy.

Controller

Company: _________________________

Name: ____________________________

Title: ___________________________

Signature: _______________________

Date: ____________________________

Processor

Willow Wealth LLC dba Draftovo

6178 Agee St Unit 151

San Diego, CA 92122

Signature: _______________________

Date: ____________________________