Legal Document

Plantel Data Processing Addendum

Plantel Inc. — Texas-incorporated.

Last updated 2026-05-18. Templated v1; outside counsel review pending.

1. Definitions

For purposes of this Data Processing Addendum (DPA), the following terms have the meanings set forth below:

  • Personal Data means any information relating to an identified or identifiable natural person.
  • Data Subject means the individual to whom Personal Data relates.
  • Controller means the entity that determines the purposes and means of processing Personal Data.
  • Processor means the entity that processes Personal Data on behalf of the Controller.
  • Processing means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, and erasure.
  • Sub-processor means any Processor engaged by Plantel to process Personal Data on behalf of the Controller.

2. Processing Details

The Customer acts as the Controller, and Plantel acts as the Processor. Plantel processes Personal Data as follows:

  • Subject Matter: Personal Data provided by Customer to use Plantel services, including account information, user profiles, content, and audit logs.
  • Duration: For the term of the Service Agreement, plus 90 days following termination (or as required by law).
  • Nature and Purpose: Processing occurs to provide the services, maintain audit logs, comply with legal obligations, and improve product quality.
  • Categories of Data Subjects: Customer employees, agents, and other authorized users accessing Plantel services.
  • Type of Personal Data: Names, email addresses, contact information, usage data, work product, and audit trail information.
  • Processing Location: Plantel uses self-hosted infrastructure and compliant third-party services, details available at subprocessors.plantel.ai.

3. Sub-processors

Plantel engages Sub-processors to process Personal Data. The current list of Sub-processors is maintained at subprocessors.plantel.ai and is updated as needed.

Customer authorizes Plantel to engage Sub-processors. Plantel shall provide at least 30 days written notice before adding or replacing any Sub-processor. If Customer objects to the addition of a Sub-processor on reasonable grounds relating to conflict of interest or inability to meet data protection obligations, Customer may terminate the affected services without penalty.

4. Standard Contractual Clauses

Where Customer is established in the European Union, United Kingdom, or any jurisdiction with equivalent data protection laws, and Personal Data is transferred to a jurisdiction without an adequacy decision, the Standard Contractual Clauses (Modules 1 and 2 as appropriate, as approved by the European Commission) are incorporated by reference and form part of this DPA.

Plantel shall comply with all requirements under the applicable Standard Contractual Clauses, including providing Data Subject rights information, cooperating with supervisory authorities, and maintaining supplementary measures to ensure an adequate level of protection.

5. Data Subject Rights

Plantel shall, in accordance with applicable law and the Service Agreement, assist Customer in fulfilling Data Subject requests, including:

  • Access to Personal Data
  • Correction of inaccurate Personal Data
  • Deletion of Personal Data
  • Restriction of processing
  • Data portability
  • Objection to processing
  • Rights related to automated decision-making

Customer shall be responsible for receiving and processing Data Subject requests and shall submit such requests to Plantel in writing at [email protected]. Plantel will provide reasonable assistance to Customer in responding to Data Subject rights requests within applicable timeframes.

6. Security Measures

Plantel implements and maintains technical and organizational measures to protect Personal Data, including:

  • Certification Status: SOC 2 Type II Aligned. ISO 27001:2022 Aligned. HIPAA Aligned. GDPR Aligned. CCPA Aligned.
  • Encryption in Transit: TLS 1.3 for all data in motion.
  • Encryption at Rest: AES-256 encryption for data at rest.
  • Access Controls: Role-based access controls and principle of least privilege.
  • Audit Logging: Comprehensive audit logs retained for 7 years.
  • Penetration Testing: Annual third-party security assessments.
  • Bug Bounty Program: Coordinated vulnerability disclosure with base reward of $500 and critical findings up to $25,000.
  • Incident Response: Documented procedures for identifying, containing, and remediating security incidents.

7. Breach Notification

In the event of a confirmed Personal Data breach affecting Customer data, Plantel shall notify Customer within 24 hours of confirmation. Notification shall include:

  • Description of the breach and Personal Data affected
  • Likely consequences of the breach
  • Measures taken or proposed to address and mitigate the breach
  • Plantel's point of contact for further inquiries

Customer remains responsible for notifying Data Subjects and supervisory authorities as required by applicable law.

8. Term and Termination

This DPA commences on the Effective Date of the Service Agreement and continues throughout the term thereof. Upon expiration or termination of the Service Agreement, Plantel shall:

  • Stop processing Personal Data, except as required by law
  • Return or securely delete Personal Data at Customer's written direction
  • Provide certifications of deletion upon request
  • Continue to comply with applicable data protection laws regarding any retained data

Customer may request return or deletion of Personal Data at any time during the term by contacting [email protected].

9. Cooperation with Regulators

Plantel shall cooperate with Data Protection Authorities and supervisory bodies, providing necessary assistance and information to fulfill Customer's data protection obligations. Plantel shall notify Customer of any regulatory request regarding Personal Data, unless legally prohibited.

10. Amendments

This DPA may be amended from time to time to reflect changes in applicable law or Plantel's security and compliance practices. Material amendments shall be communicated to Customer with at least 30 days notice.

Questions: [email protected]