The Selling Table — Data Processing Addendum (DRAFT)
**Version:** 2026-06-29
**Status:** DRAFT — for attorney review. Pre-filled from client proposed positions.
---
1. Roles
- **Customer (Tenant)** = **Controller** for transaction party personal data
- **The Selling Table** = **Processor**
The platform is **controller** for Tenant account data, billing data, and platform security logs.
2. Subject Matter & Duration
Processing of personal data submitted through the platform for the term of the subscription and as described in the Privacy Policy.
3. Nature & Purpose
Storage, display, PDF generation, email delivery, e-signature coordination, audit logging, and support.
4. Categories of Data Subjects
Tenant employees and agents; buyers, sellers, and other parties on transactions.
5. Security Measures
Encryption in transit; encryption at rest via hosting provider; access controls; tenant isolation at application layer; optional database row-level security; logging and monitoring appropriate to a B2B SaaS platform.
6. Subprocessors
| Subprocessor | Processing activity | Data categories |
|--------------|----------------------|-----------------|
| **Stripe** | Billing | Tenant admin contact, company name, payment metadata |
| **Supabase** | Database hosting | All application data at rest |
| **Vercel** | Application hosting | Request metadata, compute logs |
| **Resend** | Email delivery | Recipient addresses, message content, attachments |
**Notice:** Thirty (30) days before adding a subprocessor that processes Tenant customer PII. **Objection:** Tenant may object on reasonable grounds; termination without penalty if unresolved within thirty (30) days.
7. Data Subject Requests
Tenant is responsible for responding to data subject requests regarding transaction data. Platform will assist with reasonable technical measures.
8. Breach Notification
Platform will notify Tenant without undue delay after becoming aware of a confirmed personal data breach affecting Tenant customer data processed on Tenant's behalf, and provide information reasonably required for Tenant's regulatory obligations.
9. Deletion & Return
On termination, Tenant may export data during the published retention window (**ninety (90) days** after cancellation). Thereafter, platform deletes or anonymizes Tenant customer PII per the Privacy Policy, except where retention is required by law or agreed in writing.
10. International Transfers
Processing is U.S.-primary. Subprocessors may process in other regions under their standard contractual terms.
11. Contact
privacy@thesellingtable.com