Draft for attorney review. This text is not final or binding until approved by counsel and published by The Selling Table.

The Selling Table — Data Processing Addendum (DRAFT)

**Version:** 2026-06-29

**Status:** DRAFT — for attorney review. Pre-filled from client proposed positions.

---

1. Roles

  • **Customer (Tenant)** = **Controller** for transaction party personal data
  • **The Selling Table** = **Processor**

The platform is **controller** for Tenant account data, billing data, and platform security logs.

2. Subject Matter & Duration

Processing of personal data submitted through the platform for the term of the subscription and as described in the Privacy Policy.

3. Nature & Purpose

Storage, display, PDF generation, email delivery, e-signature coordination, audit logging, and support.

4. Categories of Data Subjects

Tenant employees and agents; buyers, sellers, and other parties on transactions.

5. Security Measures

Encryption in transit; encryption at rest via hosting provider; access controls; tenant isolation at application layer; optional database row-level security; logging and monitoring appropriate to a B2B SaaS platform.

6. Subprocessors

| Subprocessor | Processing activity | Data categories |

|--------------|----------------------|-----------------|

| **Stripe** | Billing | Tenant admin contact, company name, payment metadata |

| **Supabase** | Database hosting | All application data at rest |

| **Vercel** | Application hosting | Request metadata, compute logs |

| **Resend** | Email delivery | Recipient addresses, message content, attachments |

**Notice:** Thirty (30) days before adding a subprocessor that processes Tenant customer PII. **Objection:** Tenant may object on reasonable grounds; termination without penalty if unresolved within thirty (30) days.

7. Data Subject Requests

Tenant is responsible for responding to data subject requests regarding transaction data. Platform will assist with reasonable technical measures.

8. Breach Notification

Platform will notify Tenant without undue delay after becoming aware of a confirmed personal data breach affecting Tenant customer data processed on Tenant's behalf, and provide information reasonably required for Tenant's regulatory obligations.

9. Deletion & Return

On termination, Tenant may export data during the published retention window (**ninety (90) days** after cancellation). Thereafter, platform deletes or anonymizes Tenant customer PII per the Privacy Policy, except where retention is required by law or agreed in writing.

10. International Transfers

Processing is U.S.-primary. Subprocessors may process in other regions under their standard contractual terms.

11. Contact

privacy@thesellingtable.com

Data Processing Addendum · Version 2026-06-29

Back to signup · Pricing