Data Processing Agreement

Last updated: May 12, 2026

This DPA forms part of the Terms of Service between Crossbook (Data Processor) and the customer (Data Controller). By uploading a CSV to Crossbook, you accept the terms below.

1. Subject matter + duration

Crossbook processes the CSV contents you upload for the sole purpose of producing reconciliation reports, monthly delta digests, and the corrected CSV export. Processing continues for as long as your account is active, or until you trigger deletion via /privacy/delete.

2. Nature + purpose

The Processor will:

• Parse and normalize CSV records (Papa Parse, currency.js, date-fns)
• Compute fuzzy matches and surface conflicts (Fuse.js + custom Levenshtein)
• Submit normalized records to Anthropic Claude for plain-English explanations
• Store the resulting report and your decisions in Supabase Postgres (US-East)
• Compute month-over-month deltas and email a digest via Resend

3. Types of data + categories of data subjects

The CSV files typically contain: company names, contact emails, deal amounts, invoice amounts, dates, and statuses. Categories of data subjects: the Controller's customers, prospects, and (where present) sales/AR contacts.

4. Sub-processors

See the Privacy Policy for the current list. We will notify Controllers in advance of any new sub-processor.

5. Security

• All connections are TLS 1.2+.
• Supabase Postgres rows are protected by Row Level Security keyed off the Clerk JWT sub claim.
• Service-role credentials are server-only, never shipped to the browser.
• Raw CSV content is purged 30 days after upload.

6. Data subject rights

The Controller can fulfil access, rectification, portability, and erasure requests via /privacy/delete or by emailing dawiddeveloper@gmail.com.

7. International transfers

Standard Contractual Clauses (SCCs) apply to transfers outside the EEA, as flowed down from the sub-processors listed in the Privacy Policy.

8. Limitation + duration

This DPA is provided as a baseline. A countersigned long-form DPA is available for enterprise customers — request one via dawiddeveloper@gmail.com. Once a generator integration is wired (see DPA_GENERATOR_API_KEY), users will be able to download a countersigned PDF automatically.