Last updated June 17, 2026
Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of, and is incorporated by reference into, the Terms of Service or other written agreement (the “Agreement”) between Contents Team LLC (“Contents Team,” “we,” “us,” or “our”) and the customer that has accepted the Agreement (“Customer,” “you,” or “your”). It governs Contents Team’s processing of Personal Information contained in Customer Data on Customer’s behalf in connection with the Service.
If there is a conflict between this DPA and the Agreement with respect to the processing of Personal Information, this DPA controls.
1. Definitions
- “Applicable Data Protection Law” means all privacy and data protection laws applicable to the processing of Personal Information under this DPA, including the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), and other U.S. state privacy laws, as applicable.
- “Customer Data” has the meaning given in the Agreement and includes the photos, documents, claim, project, room, item, inventory, and related content that Customer or its users upload to or generate through the Service.
- “Personal Information” means information within Customer Data that identifies, relates to, describes, or could reasonably be linked with a particular individual, including information about policyholders and other third parties.
- “Process” / “Processing” means any operation performed on Personal Information, such as collection, use, storage, disclosure, or deletion.
- “Controller” (or “Business”) means the entity that determines the purposes and means of Processing. “Processor” (or “Service Provider”) means the entity that Processes Personal Information on behalf of the Controller.
- “Sub-processor” means a third party engaged by Contents Team to Process Personal Information in connection with the Service.
- “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information Processed by Contents Team.
2. Roles of the parties
With respect to Personal Information in Customer Data, Customer is the Controller / Business and Contents Team is the Processor / Service Provider. Customer determines the purposes and means of Processing; Contents Team Processes Personal Information only as described in Section 3. With respect to account, billing, website, and similar data it collects to operate its business, Contents Team acts as a Controller, as described in its Privacy Policy.
3. Scope and instructions
Contents Team will Process Personal Information only:
- to provide, operate, maintain, secure, and support the Service in accordance with the Agreement,
- in accordance with Customer’s documented lawful instructions (which include the Agreement, this DPA, and Customer’s configuration and use of the Service), and
- as required by applicable law, in which case Contents Team will, where legally permitted, inform Customer of the legal requirement before Processing.
Contents Team will promptly inform Customer if, in its opinion, an instruction violates Applicable Data Protection Law. Details of the Processing are set out in Annex A.
4. Service Provider / Processor obligations (CCPA/CPRA)
Contents Team is provided Personal Information solely to perform the services under the Agreement and:
- will not sell or share Personal Information (as “sell” and “share” are defined under the CCPA/CPRA),
- will not retain, use, or disclose Personal Information for any purpose other than the business purposes specified in the Agreement and this DPA, or as otherwise permitted by Applicable Data Protection Law,
- will not retain, use, or disclose Personal Information outside the direct business relationship between the parties,
- will not combine Personal Information with personal information obtained from other sources, except as permitted by Applicable Data Protection Law, and
- certifies that it understands and will comply with these restrictions.
Contents Team does not use Customer Data to train third-party or foundation AI models, and does not permit its AI service providers to do so. Contents Team will grant Customer the right to take reasonable and appropriate steps to help ensure that Contents Team uses Personal Information in a manner consistent with Customer’s obligations under Applicable Data Protection Law, and to stop and remediate unauthorized use of Personal Information.
5. Confidentiality
Contents Team will ensure that personnel authorized to Process Personal Information are bound by appropriate confidentiality obligations and Process Personal Information only as necessary to provide the Service.
6. Security
Contents Team will implement and maintain appropriate technical and organizational measures designed to protect Personal Information against a Security Incident, as described in Annex B, taking into account the nature of the Processing and the information available to it. Customer is responsible for its own use of the Service, including securing its account credentials and configuring access appropriately.
7. Sub-processors
Customer provides general authorization for Contents Team to engage Sub-processors to Process Personal Information. Contents Team’s current Sub-processors are listed in Annex C. Contents Team will:
- impose data protection obligations on each Sub-processor that are substantially similar to those in this DPA, and
- remain responsible for each Sub-processor’s performance of its obligations.
Contents Team will provide notice of any intended addition or replacement of a Sub-processor (for example, by updating Annex C or via the Service or email) and a reasonable opportunity to object on reasonable data-protection grounds. If Customer reasonably objects and the parties cannot resolve the objection, Customer may terminate the affected portion of the Service.
8. Assistance to Customer
Taking into account the nature of the Processing, Contents Team will provide reasonable assistance to Customer, through appropriate technical and organizational measures and insofar as possible, to enable Customer to:
- respond to requests from individuals to exercise their rights under Applicable Data Protection Law (such as access, correction, and deletion). If Contents Team receives such a request directly relating to Customer’s Personal Information, it will, where permitted, refer the individual to Customer or promptly notify Customer, and
- meet its obligations regarding the security of Processing and Security Incident notification.
9. Security Incident notification
Contents Team will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer’s Personal Information, and will provide information reasonably available to it to assist Customer in meeting any notification obligations. Contents Team will take reasonable steps to mitigate and, where possible, remediate the Security Incident.
10. Return and deletion of Personal Information
Upon termination or expiration of the Agreement, Contents Team will, at Customer’s choice, make Customer Data available for export for the period stated in the Agreement, and thereafter delete or de-identify Personal Information in accordance with its retention practices and Applicable Data Protection Law, except where retention is required by law.
11. Audits
Contents Team will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Where Applicable Data Protection Law gives Customer an audit right, Contents Team will satisfy that right by providing relevant documentation (such as summaries of security measures or third-party assessments, if available) and, on reasonable prior written notice and no more than once per year (absent a Security Incident or legal requirement), by responding to a reasonable assessment that does not disrupt its operations or compromise the security of other customers’ data.
12. International transfers
Contents Team Processes Personal Information in the United States. The Service is directed to users in the United States. If the parties later agree that the Service will Process Personal Information subject to the EU or UK General Data Protection Regulation, the parties will implement an appropriate transfer mechanism (such as the EU-US Data Privacy Framework and/or the European Commission’s Standard Contractual Clauses, with the UK Addendum where applicable) before such Processing begins, and such mechanism will be incorporated into this DPA by reference.
13. Term
This DPA takes effect when Customer accepts the Agreement and remains in effect until the Agreement terminates and Contents Team has deleted or de-identified Personal Information in accordance with Section 10.
14. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
Annex A — Details of Processing
- Subject matter: Provision of the Service (documentation, organization, and AI-assisted analysis of contents inventories).
- Duration: For the term of the Agreement and until deletion under Section 10.
- Nature and purpose: Hosting, storage, processing, AI-assisted item identification, generation of inventories and reports, security, and support.
- Categories of data subjects: Customer’s authorized users; policyholders and other individuals whose property or information appears in uploaded content.
- Categories of Personal Information: Names and contact details of users; account and profile data; uploaded photos, documents, and inventory content that may include images of people, homes, interiors, and documents, and claim-related information.
- Sensitive data: Not intentionally collected. Customer is responsible for content it uploads.
Annex B — Security Measures
Contents Team maintains, at a minimum:
- Encryption of Personal Information in transit and at rest.
- Access controls, including authentication (via a managed identity provider), role-based access, and the principle of least privilege.
- Tenant isolation so that each customer organization’s data is logically segregated in the multi-tenant environment.
- Network and infrastructure security provided through reputable cloud infrastructure, including firewalls and monitoring.
- Logging and monitoring of access and system activity to support detection and investigation of incidents.
- Personnel measures, including confidentiality obligations and access on a need-to-know basis.
- Resilience, including backups and measures designed to restore availability of data in a timely manner after an incident.
- Vendor management of Sub-processors handling Personal Information.
Annex C — Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Hosting, storage, database, authentication, and AI-pipeline infrastructure | United States |
| Google (Gemini) | AI-assisted item identification and related processing | United States |
| Stripe | Payment processing | United States |
A current list of Sub-processors is available on request at support@contents.team.