Data Processing Agreement — Pitchwright
Last updated: 2026-05-16
This Data Processing Agreement ("DPA") forms part of the Pitchwright Terms of Service between Kazzaz Labs ("Processor", "we") and the contracting party ("Controller", "you") and governs Kazzaz Labs' processing of personal data on the Controller's behalf when using the Pitchwright product.
This DPA is designed to comply with the Saudi Personal Data Protection Law (PDPL) and the EU General Data Protection Regulation (GDPR).
1. Subject matter
We process personal data on your instructions in order to provide the Pitchwright service: an agentic presentation tool that produces PowerPoint decks from your prompts and uploaded source material.
2. Duration
This DPA applies for as long as you have an active Pitchwright account. On termination, Section 4 (return / deletion) applies.
3. Nature and purpose of processing
- Account data (email, name, profile image) — to authenticate you and operate your account.
- Content data (brand kits, content sources, prompts, generations, decks, approved imagery, feedback) — to run the agent pipeline that produces decks, and to render the Pitchwright dashboard.
- Telemetry (anonymized usage statistics, error reports) — to operate, maintain, and improve the Service.
We do not use your content data to train third-party models. Anthropic (our LLM provider) does not use API content for training. See the underlying Privacy Policy §1–§3.
4. Categories of data subjects and personal data
| Subject | Data |
|---|---|
| Account holder | Name, email, profile image, authentication metadata |
| Your end users (if you share decks) | Whatever you put into prompts / content sources |
You are responsible for ensuring that you have a lawful basis under PDPL/GDPR for any personal data you input into the Service.
5. Controller obligations
- You will provide accurate instructions about how your data should be processed.
- You will ensure you have collected any necessary consents from individuals whose data appears in your content sources.
- You will not upload imagery or content that violates the privacy or publicity rights of third parties (see Acceptable Use in the Terms of Service §2).
6. Processor obligations
We will:
- Process personal data only on documented instructions from you (express instruction or implicit in your use of the Service).
- Ensure that personnel authorised to process personal data are bound by confidentiality obligations.
- Take appropriate technical and organisational measures (see §8).
- Assist you, where reasonable, in responding to data-subject requests under PDPL Articles 31–34 (access, correction, erasure, objection).
- Notify you without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach.
- On termination, delete or return all personal data within 30 days, except where retention is required by law.
7. Sub-processors
We use the following sub-processors. By using the Service, you authorise this list. We will give you 30 days' notice (via email or in-product banner) before adding new sub-processors.
| Sub-processor | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Anthropic, PBC (Claude) | Large language model inference | United States | Standard Contractual Clauses; Anthropic does not use API content for training |
| Voyage AI, Inc. | Text embeddings for content retrieval | United States | Standard Contractual Clauses |
| DigitalOcean, LLC | Compute (Postgres + app servers + object storage) | Frankfurt, Germany (EU) | EU residency |
| Clerk, Inc. | Authentication | United States (data plane) | Standard Contractual Clauses |
| Sentry (Functional Software, Inc.) | Error tracking | Frankfurt, Germany (EU) | EU residency |
| PostHog, Inc. | Product analytics (opt-in only; page paths + random user ID + IP-derived location; no PII, no cookies) | EU Cloud (eu.i.posthog.com) | EU residency; processed only after explicit user consent |
| Resend (Resend, Inc.) | Transactional email | Tokyo, Japan (ap-northeast-1) | Standard Contractual Clauses |
| Stripe Payments Europe Ltd | Payment processing (international cards) | Ireland (EU) | EU residency |
| Cloudflare, Inc. | DNS only (not proxied) | Global | Public DNS — no personal data |
8. Security measures
- Encryption in transit: TLS 1.3 enforced via Cloudflare → Caddy.
- Encryption at rest: AES-256 on Postgres, Spaces, and Sentry.
- Access control: Clerk auth on all data routes; tenant isolation by `user_id` filter on every query.
- Object storage: all uploaded files stored private; access via short-lived presigned URLs scoped to the owning user.
- PII scrubbing: Sentry events have user prompts and content fields redacted before transmission.
- Backups: nightly Postgres dumps to encrypted Spaces bucket, 30-day retention.
- Audit log: structured logs retained 90 days.
9. Data subject rights
You may use the following Pitchwright endpoints to fulfil PDPL/GDPR requests on behalf of your users:
- Export: `GET /api/v1/me/export` — returns every row in JSON.
- Delete: `DELETE /api/v1/me` — cascades to every owned record.
UI equivalents are available at /dashboard/settings.
For requests outside the in-app flow, email abdulkarim.kazzaz@gmail.com with subject "PDPL request" or "GDPR request" — response within 30 days.
10. International transfers
Your data lives in Frankfurt (EU). When your content is sent to Anthropic (US), Voyage AI (US), Clerk (US), or Resend (Tokyo) it is covered by the Standard Contractual Clauses incorporated by reference from each sub-processor's DPA.
Saudi customers: EU residency is the default. If your contract requires data residency within the Kingdom of Saudi Arabia, contact us before creating an account.
11. Audits
We will make available to you all information reasonably necessary to demonstrate compliance with this DPA. Where Controller-led audits are required, we will work with you in good faith on scope and timing (reasonable advance notice; on-site only where remote review is insufficient; subject to confidentiality).
12. Liability
The Limitation of Liability in the Terms of Service §8 applies to this DPA. Nothing in this DPA limits any liability that cannot be limited under applicable law.
13. Contact
Data Protection contact at Kazzaz Labs:
Email: abdulkarim.kazzaz@gmail.com
Subject prefix: "PDPL request" or "GDPR request"
14. Order of precedence
To the extent of any conflict, the order of precedence is:
- This DPA
- The Terms of Service
- The Privacy Policy