Data Processing Addendum
Effective date: February 10, 2026
This is a sample data processing addendum for product development and review — not legal advice. Have counsel review it before launch.
Overview
This Data Processing Addendum (DPA) forms part of the agreement, order form, terms of service, or other written agreement governing a customer's use of Matte's hosted inventory and workspace management service.
If there is a conflict between this DPA and the applicable agreement regarding the processing of Customer Personal Data, this DPA controls to the extent of the conflict. Capitalized terms not defined in this DPA have the meanings given in the agreement.
Definitions
Applicable Data Protection Laws means all privacy, data protection, and data security laws that apply to the processing of Customer Personal Data under the agreement, including where applicable the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection, the CCPA, and other U.S. state privacy laws.
Customer Personal Data means Personal Data that Matte processes on behalf of Customer through the Services, including Personal Data submitted by Customer or Authorized Users into Matte workspaces, records, imports, custom fields, API requests, files, avatars, custom emoji, and support requests.
Customer Personal Data does not include information that Matte processes as an independent controller for account administration, billing, fraud prevention, product analytics, marketing, legal compliance, or business operations, except to the extent Applicable Data Protection Laws require otherwise.
Data Subject means an identified or identifiable natural person to whom Customer Personal Data relates. GDPR means Regulation (EU) 2016/679, and UK GDPR has the meaning given in the UK Data Protection Act 2018.
Personal Data, Personal Information, processing, controller, processor, business, service provider, contractor, sell, and share have the meanings given in Applicable Data Protection Laws.
Restricted Transfer means a transfer of Customer Personal Data from the European Economic Area, United Kingdom, or Switzerland to a country that is not recognized as providing an adequate level of protection under applicable law.
Security Incident means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by Matte. Security Incident does not include unsuccessful attempts or activities that do not compromise Customer Personal Data.
Services means Matte's hosted B2B SaaS application for inventory tracking, workspace data management, authentication, team permissions, imports, exports, API access, custom workspace domains, and related support services. Subprocessor means any third party engaged by Matte to process Customer Personal Data on behalf of Customer in connection with the Services.
Roles and Scope
For Customer Personal Data, Customer is the controller or business and Matte is the processor, service provider, or contractor, as applicable. If Customer acts as a processor for another controller, Matte acts as Customer's subprocessor.
Customer determines the purposes and means of processing Customer Personal Data. Matte processes Customer Personal Data only to provide, secure, maintain, improve, and support the Services; to comply with Customer's documented instructions; and as otherwise permitted by this DPA, the agreement, and Applicable Data Protection Laws.
Customer's documented instructions include the agreement, this DPA, Customer's configuration and use of the Services, instructions submitted through the Services or support channels, and any written instructions mutually agreed by the parties.
Matte will promptly inform Customer if, in Matte's opinion, an instruction infringes Applicable Data Protection Laws, unless prohibited by law. Customer is responsible for ensuring that it has all rights, notices, consents, legal bases, and authorizations necessary to submit Customer Personal Data to the Services.
Processing Limitations
Matte will not process Customer Personal Data for any purpose other than the limited and specified purposes described in this DPA, the agreement, and Customer's documented instructions.
Matte will not sell or share Customer Personal Data as those terms are defined by the CCPA, and will not retain, use, or disclose Customer Personal Data outside the direct business relationship between Customer and Matte except as permitted by Applicable Data Protection Laws.
Matte will not combine Customer Personal Data with Personal Data that Matte receives from another source or from Matte's own interaction with a Data Subject except as permitted by Applicable Data Protection Laws, including for security, fraud prevention, service delivery, debugging, short-term transient use, internal operations, or as otherwise instructed by Customer.
Matte will not use Customer Personal Data to train general-purpose artificial intelligence or machine learning models. Any future AI feature that processes Customer workspace content will process that content only on Customer's instruction and only under applicable contractual and technical controls.
Matte may create and use aggregated, anonymized, or de-identified information from operation of the Services, provided that such information does not identify Customer, Authorized Users, or Data Subjects and Matte does not attempt to re-identify it.
Confidentiality
Matte will ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations or are subject to appropriate statutory confidentiality obligations.
Matte will restrict access to Customer Personal Data to personnel and Subprocessors who need access to provide, secure, maintain, support, or improve the Services.
Security Measures
Matte will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against Security Incidents and to provide a level of security appropriate to the risk of the processing.
Matte's current technical and organizational measures are described in Schedule 2. Matte may update those measures from time to time, provided that updates do not materially decrease the overall security of the Services.
Customer is responsible for using the Services securely, including configuring roles and permissions, limiting Authorized User access, protecting credentials and API keys, reviewing workspace members, using MFA where available, and not submitting data that is prohibited by the agreement or this DPA.
Subprocessors
Customer grants Matte general written authorization to engage Subprocessors to process Customer Personal Data in connection with the Services.
Matte will maintain a current list of Subprocessors and will provide notice of any intended addition or replacement of a Subprocessor before authorizing that Subprocessor to process Customer Personal Data.
Customer may object to a new Subprocessor on reasonable data protection grounds by notifying Matte in writing within 30 days after Matte provides notice. The parties will work in good faith to resolve the objection.
Matte will enter into a written agreement with each Subprocessor that imposes data protection obligations no less protective in substance than those imposed on Matte under this DPA. Matte remains responsible for each Subprocessor's performance of its data protection obligations.
Data Subject Requests
Taking into account the nature of the processing, Matte will provide reasonable assistance to Customer, through the Services or other reasonable means, to help Customer respond to requests from Data Subjects to exercise rights under Applicable Data Protection Laws.
If Matte receives a request from a Data Subject relating to Customer Personal Data, Matte will either direct the Data Subject to Customer or act on the request in accordance with Customer's documented instructions, unless Applicable Data Protection Laws require otherwise.
Customer is responsible for verifying the identity and authority of the requester and for determining whether and how to respond to the request.
Assistance With Compliance
Taking into account the nature of the processing and the information available to Matte, Matte will provide reasonable assistance to Customer with Customer's obligations relating to security, breach notification, data protection impact assessments, prior consultation with supervisory authorities, cybersecurity audits, risk assessments, and consumer privacy requests, as required by Applicable Data Protection Laws.
Matte may charge reasonable fees for assistance that is not available through standard Services functionality, unless the assistance is required because of Matte's breach of this DPA.
Security Incident Notice
Matte will notify Customer without undue delay and, where feasible, within 72 hours after Matte confirms a Security Incident affecting Customer Personal Data.
Matte's notice will include, to the extent known and lawfully disclosable, the nature of the Security Incident, affected categories and approximate volumes of Customer Personal Data and Data Subjects, likely consequences, measures taken or proposed, and a contact point for follow-up.
Matte will take reasonable steps to contain, investigate, and remediate the Security Incident and will provide reasonable cooperation to Customer. Matte's notice or cooperation is not an admission of fault or liability.
Audits and Information
Matte will make available information reasonably necessary to demonstrate compliance with this DPA. This may include security documentation, policies, technical summaries, subprocessors lists, answers to reasonable security questionnaires, or third-party audit reports if and when available.
Customer may request an audit no more than once in any 12-month period, unless required by a supervisory authority or following a Security Incident. Any audit must be conducted during normal business hours, on reasonable advance notice, in a manner that does not disrupt Matte's business or compromise other customers.
The parties will first seek to satisfy audit requests through documentation and remote review. On-site inspections or third-party technical testing require Matte's prior written approval, a mutually agreed scope, appropriate confidentiality obligations, and controls designed to protect the Services and other customers.
Customer may not access data, systems, environments, or information relating to other Matte customers.
Return and Deletion
During the term of the agreement, Customer may access and export Customer Personal Data through available Services functionality, including CSV exports and API access where enabled.
Upon termination or expiration of the agreement, Matte will, at Customer's choice and subject to the agreement, return or delete Customer Personal Data in Matte's possession or control, unless Applicable Data Protection Laws require or permit retention.
Unless a different period is stated in the agreement, Matte will delete Customer Personal Data from active production systems within 90 days after termination or Customer's written deletion request, and from backups according to Matte's ordinary backup retention cycles.
Matte may retain Customer Personal Data to the extent required by law, necessary to establish, exercise, or defend legal claims, or maintained in security logs, audit records, or immutable backup media, provided that retained data remains subject to this DPA.
International Transfers
Customer authorizes Matte and its Subprocessors to process Customer Personal Data in the United States and other locations where Matte or its Subprocessors maintain facilities, subject to this DPA and Applicable Data Protection Laws.
For Restricted Transfers from the European Economic Area, the parties incorporate by reference the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914. Module Two applies where Customer is a controller and Matte is a processor. Module Three applies where Customer is a processor and Matte is a subprocessor.
For Restricted Transfers from the United Kingdom, the parties incorporate the UK International Data Transfer Addendum to the EU SCCs. For Restricted Transfers from Switzerland, the EU SCCs apply with Swiss-law adjustments to the extent required by Swiss law.
The details of processing in Schedule 1 and the security measures in Schedule 2 serve as Annex I and Annex II of the EU SCCs. The Subprocessor list in Schedule 4 serves as Annex III of the EU SCCs.
If the EU SCCs, UK Addendum, or another transfer mechanism is amended, replaced, or invalidated, the parties will cooperate in good faith to implement a valid transfer mechanism.
U.S. State Privacy Laws
This section applies where Customer Personal Data includes Personal Information subject to the CCPA or other U.S. state privacy laws with similar service provider, contractor, or processor requirements.
Customer discloses Personal Information to Matte only for the limited and specific business purposes described in Schedule 1 and the agreement.
Matte will comply with obligations applicable to Matte as a service provider, contractor, or processor under U.S. state privacy laws, including providing the same level of privacy protection required of service providers, contractors, or processors by those laws.
Matte will notify Customer if Matte determines that it can no longer meet its obligations under applicable U.S. state privacy laws.
Customer has the right to take reasonable and appropriate steps to help ensure that Matte uses Personal Information consistently with Customer's obligations under applicable U.S. state privacy laws, and upon notice, to stop and remediate unauthorized use of Personal Information by Matte.
Sensitive Data and Regulated Data
The Services are designed for business inventory and workspace management. Customer must not submit protected health information subject to HIPAA, payment card data subject to PCI DSS, government identification numbers, financial account credentials, children's data, biometric identifiers, criminal offense data, or special categories of Personal Data under GDPR unless the agreement expressly permits that data type and the parties have entered into any required additional terms.
This DPA is not a Business Associate Agreement. Matte does not agree to act as a HIPAA business associate unless the parties sign a separate Business Associate Agreement.
If Customer uses configurable fields, imports, notes, rich text, JSON fields, attachments, or API requests to submit sensitive or regulated data without Matte's prior written agreement, Customer remains responsible for that submission and for any additional compliance obligations arising from it.
Government and Third-Party Requests
If Matte receives a subpoena, court order, law enforcement request, regulator request, or other legal demand for Customer Personal Data, Matte will, to the extent legally permitted, promptly notify Customer and provide reasonable information so Customer may seek protective relief.
Matte will disclose only the Customer Personal Data that Matte reasonably believes is required to comply with the demand, unless Customer obtains protective relief or the demand is withdrawn.
Liability and Order of Precedence
Each party's liability under this DPA is subject to the exclusions and limitations of liability in the agreement, except to the extent prohibited by Applicable Data Protection Laws or the EU SCCs.
If there is a conflict between this DPA and the EU SCCs or UK Addendum, the EU SCCs or UK Addendum control with respect to the Restricted Transfer.
If there is a conflict between this DPA and the agreement regarding processing of Customer Personal Data, this DPA controls. If there is a conflict between this DPA and a Business Associate Agreement signed by the parties, the Business Associate Agreement controls for protected health information.
Term and Contact
This DPA remains in effect for as long as Matte processes Customer Personal Data.
Sections that by their nature should survive termination will survive, including confidentiality, security, return and deletion, international transfers, audit rights relating to the period during which Matte processed Customer Personal Data, liability, and any provisions required by Applicable Data Protection Laws.
Privacy contact: privacy@trymatte.com. Security contact: security@trymatte.com. Legal notices: legal@trymatte.com.
Schedule 1 - Details of Processing
Subject matter: Matte provides a hosted, multi-tenant B2B SaaS application for inventory tracking, workspace data management, team collaboration, authentication, security controls, imports, exports, API access, and related support.
Duration: Matte processes Customer Personal Data for the term of the agreement and any post-termination period required for export, deletion, backup retention, legal compliance, dispute resolution, or as otherwise described in this DPA.
Nature and purpose: Matte processes Customer Personal Data to create and manage workspaces and subdomains; authenticate users; provide role-based access, workspace memberships, object permissions, custom roles, departments, and security policies; host, store, retrieve, display, update, delete, restore, and export records and inventory data; process imports, API requests, API keys, idempotency keys, and rate limits; provide inventory ledger functionality; store workspace settings and media; send account and service emails; provide support; maintain reliability; prevent abuse; investigate security events; and comply with law.
Categories of Data Subjects may include Customer's employees, contractors, administrators, owners, Authorized Users, invited or removed workspace users, individuals referenced in Customer-created records, suppliers, vendors, contacts, business counterparties, and individuals included in imported files, notes, JSON fields, API payloads, avatars, images, custom emoji, or support requests.
Categories of Customer Personal Data may include account and identity data, authentication and security data, workspace data, inventory and operational record data, configurable field data, import/export and API data, image and file data, and support and communications data.
The Services are not intended for HIPAA protected health information, PCI cardholder data, children's data, biometric identifiers, criminal offense data, or GDPR special categories of Personal Data unless expressly agreed in writing.
Processing operations include collection, receipt, hosting, storage, organization, structuring, indexing, retrieval, consultation, display, transmission, disclosure to Authorized Users and Subprocessors, alignment, combination, restriction, logging, analysis for security and reliability, export, deletion, backup, restoration, and destruction.
Schedule 2 - Technical and Organizational Measures
Matte will maintain measures designed to protect Customer Personal Data, including the measures below as applicable to the Services and production environment.
- Access control and tenant isolation: Customer workspaces are logically separated by workspace/company identifiers and workspace host routing. Server-side authorization checks enforce workspace membership, roles, permissions, API keys, exports, imports, and workspace administration.
- Authentication and session security: The Services use secure session cookies, CSRF validation, password hashing, hashed or encrypted verification and recovery secrets, MFA, passkeys/WebAuthn, trusted-device controls, session termination controls, rate limiting, and generic responses where appropriate.
- Network and application security: Production traffic is served over HTTPS/TLS; security headers protect API responses, downloads, redirects, and static assets; CORS is restricted to allowed origins and workspace subdomains; custom workspace domains are validated and isolated by host-based routing and cookie scoping.
- Data storage and cryptographic protections: Customer Personal Data is stored in production application databases and associated object or image storage. MFA authenticator secrets are encrypted at rest using application-level encryption keys. Matte uses access-restricted production storage and secrets management.
- Logging, monitoring, and auditability: The Services maintain security event records for important account and workspace actions and may maintain operational logs for reliability, debugging, abuse prevention, and incident investigation.
- Data lifecycle controls: Records, fields, objects, and views may be soft-deleted and moved to trash before permanent deletion according to Services functionality and retention settings. Deletion and revocation workflows reduce continued unauthorized access.
- Personnel and organizational controls: Matte personnel with access to Customer Personal Data are subject to confidentiality obligations, and Matte limits personnel access based on role and need to know.
- Availability and resilience: Production infrastructure is designed to serve the backend application, API, static assets, and persistent database storage. Customer Data is backed up according to Matte's production backup procedures for the applicable deployment.
Schedule 3 - International Transfer Details
For purposes of the EU SCCs and UK Addendum, Customer is the data exporter and Matte is the data importer. Customer acts as controller or processor, as applicable, and Matte acts as processor or subprocessor, as applicable.
Categories of Data Subjects, categories of Personal Data, sensitive data, nature of processing, purpose of transfer, and retention period are described in Schedule 1 and Section 11 of this DPA.
The frequency of transfer is continuous for the duration of the agreement. The purpose of transfer and further processing is to provide, secure, maintain, support, and improve the Services as instructed by Customer.
The competent supervisory authority is Customer's competent supervisory authority where Customer is established in the EEA; otherwise, the Irish Data Protection Commission unless another authority is required by Applicable Data Protection Laws.
Schedule 4 - Subprocessors
Matte uses or may use the following Subprocessors to provide the Services. No AI or large language model provider is an authorized Subprocessor for Customer workspace content as of the effective date of this DPA.
- Production hosting provider: hosting application servers, network infrastructure, persistent database volumes, backups, and operational infrastructure; processes Customer workspace data, account data, record data, logs, and metadata.
- Amazon Web Services, Inc.: email sending via SES and optional object storage via S3 for avatars, workspace logos, custom emoji, and uploaded image objects; processes email addresses, email metadata, verification messages, uploaded image/file objects, and object metadata where S3 is enabled.
- Google LLC: optional Google OAuth sign-in/sign-up if enabled by Matte and selected by a user; processes OAuth identifiers, email address, profile information returned by Google, and login metadata.
- Let's Encrypt / Internet Security Research Group: TLS certificate issuance for Matte domains and workspace/custom domains; processes domain names and technical certificate validation data.
- DNS provider, if configured: DNS hosting and DNS-01 certificate challenge support for wildcard/custom domain TLS; processes domain names and technical DNS records.
Schedule 5 - CCPA Business Purposes
For Personal Information subject to the CCPA, the specific business purposes for which Customer discloses Personal Information to Matte are listed below.
- Providing the hosted inventory and workspace management Services.
- Maintaining and servicing Customer accounts and workspaces.
- Providing authentication, security, integrity, fraud prevention, abuse prevention, debugging, and error repair.
- Processing or fulfilling requests, transactions, imports, exports, API calls, record updates, stock counts, and workspace administration actions.
- Providing customer service and technical support.
- Undertaking internal research for technological development and demonstration using de-identified or aggregated data where permitted.
- Maintaining quality, safety, and reliability of the Services.
- Complying with law, legal process, and enforceable governmental requests.
- Matte is prohibited from retaining, using, or disclosing Personal Information for any purpose other than these specific business purposes, the purposes described in the agreement and this DPA, or purposes otherwise permitted by the CCPA and its regulations.
Signature
This DPA may be executed by Customer and Matte through an order form, the agreement, or another written method accepted by both parties.
- Customer: authorized signature, name, title, date, and customer legal name.
- Matte: authorized signature, name, title, date, and Matte legal entity name.