Data Processing Agreement

Last Updated: March 2026 · Version 1.0

This Data Processing Agreement (“DPA”) applies to business customers who process EU/EEA, UK, or Canadian personal data through the SmarterTariff™ / FutureScan platform. If you require a countersigned DPA, please email hello@sustainable207.com with subject “DPA Request — [Your Company Name]”. We respond within 5 business days.

1. Parties and Scope

This DPA is entered into between Renew EcoMe LLC (“Processor”), a Maine limited liability company with principal place of business at Cape Elizabeth, Maine 04107, USA, and the customer entity (“Controller”) that has accepted the SmarterTariff / FutureScan Terms of Service.

This DPA supplements the Terms of Service and governs the processing of personal data that the Controller submits to the Platform. Where there is a conflict between this DPA and the Terms of Service on data protection matters, this DPA controls.

2. Definitions

  • Personal Data — any information relating to an identified or identifiable natural person submitted to the Platform by the Controller
  • Processing — any operation performed on Personal Data, including collection, storage, use, transmission, or deletion
  • Data Subject — the natural person whose Personal Data is being processed
  • Applicable Data Protection Law — GDPR (EU 2016/679), UK GDPR, PIPEDA (Canada), CCPA/CPRA (California), and any other applicable national or state privacy law
  • Sub-Processor — any third party engaged by Renew EcoMe LLC to process Personal Data on behalf of the Controller
  • SCCs — EU Standard Contractual Clauses (Commission Decision 2021/914, Module 2: Controller-to-Processor)

3. Processing Instructions

Renew EcoMe LLC shall process Personal Data only on documented instructions from the Controller, which are: (a) the Terms of Service; (b) this DPA; and (c) any subsequent written instructions provided by the Controller. Renew EcoMe LLC will promptly notify the Controller if it believes any instruction infringes Applicable Data Protection Law.

4. Subject Matter, Duration, and Nature of Processing

Subject matter: Provision of supply chain compliance auditing, accessibility scanning, disaster risk assessment, and related services

Duration: For the term of the Controller's subscription, plus the retention periods set out in Section 7 of the Privacy Policy

Nature: Automated processing, storage, AI analysis, and transmission to Sub-Processors for audit and compliance functions

Types of Personal Data: Name, email address, account credentials, billing information, IP address, audit URLs submitted, usage data, and any personal data embedded in documents uploaded for analysis

Categories of Data Subjects: Controller's employees, contractors, and end users who interact with the Platform

5. Processor Obligations

Renew EcoMe LLC agrees to:

  • Process Personal Data only for the purposes described in this DPA and the Terms of Service
  • Ensure all personnel with access to Personal Data are bound by appropriate confidentiality obligations
  • Implement and maintain technical and organizational security measures as described in Section 6 of this DPA
  • Assist the Controller in fulfilling Data Subject rights requests (access, rectification, erasure, portability, restriction, objection) within the timeframes required by Applicable Data Protection Law
  • Assist the Controller with data protection impact assessments (DPIAs) where required
  • Not sell, rent, or share Personal Data with third parties for their own independent purposes
  • Delete or return all Personal Data upon termination of the subscription within 30 days, and provide written confirmation upon request
  • Maintain records of processing activities as required by GDPR Article 30

6. Security Measures

Renew EcoMe LLC implements the following technical and organizational measures, consistent with GDPR Article 32, to protect Personal Data:

  • Encryption in transit — TLS 1.2+ for all data in transmission; HTTPS enforced via HSTS
  • Encryption at rest — AES-256 encryption for database storage (via Supabase)
  • Access controls — Role-based access control (RBAC) with least-privilege principles; admin routes protected by authentication middleware
  • Authentication — Supabase Auth with secure session management; no plaintext credentials stored
  • Security headers — Content-Security-Policy, X-Frame-Options (DENY), Strict-Transport-Security, and Permissions-Policy enforced on all responses
  • Audit logging — Admin actions logged with user ID, timestamp, and action type
  • Vulnerability management — Dependencies reviewed and updated regularly; critical patches applied within 72 hours of disclosure
  • Penetration testing — Periodic security reviews; results shared with Controller upon request under NDA

7. Sub-Processors

The Controller grants general authorization for Renew EcoMe LLC to engage the following Sub-Processors. We will notify the Controller of any intended changes (additions or replacements) at least 14 days in advance via email. The Controller has the right to object to new Sub-Processors within that period.

Sub-Processor | Purpose | Location | Transfer Mechanism
--- | --- | --- | ---
Supabase | Auth, database, file storage | United States | SCCs (C2P)
Vercel | Application hosting & edge delivery | United States / Global | SCCs (C2P)
Stripe | Payment processing, subscription billing | United States | SCCs (C2P)
Anthropic | Accessibility AI analysis (Claude) | United States | SCCs (C2P)
Google Cloud / Gemini | Supply chain AI, disaster risk, chatbot | United States | SCCs (C2P)
Mapbox | Interactive map rendering | United States | SCCs (C2P)
Heap Analytics | Anonymized usage analytics (consent-gated) | United States | SCCs (C2P)
Klaviyo | Transactional & marketing email (consent-gated) | United States | SCCs (C2P)
CanSpace (api.mastwoods.ca) | EEA API routing proxy (GDPR Art. 45) | Canada | Adequacy decision

Renew EcoMe LLC remains liable for Sub-Processor acts and omissions to the same extent it would be liable if performing the processing directly, including after termination of the main agreement.

8. International Data Transfers

Where Personal Data of EEA/UK residents is transferred outside the EEA/UK, Renew EcoMe LLC relies on the following transfer mechanisms:

  • EEA API traffic → Canada — Routed through CanSpace (api.mastwoods.ca). Canada holds an adequacy decision under GDPR Article 45. This routing has been active since December 2025
  • Other US-based Sub-Processors — EU Standard Contractual Clauses, Module 2 (Controller-to-Processor), Commission Decision 2021/914. Transfer impact assessments (TIAs) completed and available upon request
  • UK transfers — UK International Data Transfer Addendum (IDTA) to the EU SCCs, as approved by the UK ICO
  • Canadian residents — Transfers governed by PIPEDA and contractual safeguards with each Sub-Processor

To request copies of applicable SCCs or TIAs, contact hello@sustainable207.com.

9. Data Breach Notification

In the event of a Personal Data breach, Renew EcoMe LLC will:

  • Notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach (to enable the Controller to meet any 72-hour GDPR regulatory deadline)
  • Provide, at minimum: (a) the nature of the breach; (b) categories and approximate number of Data Subjects and records affected; (c) likely consequences; (d) measures taken or proposed to address the breach
  • Cooperate with the Controller's investigation and provide further information as it becomes available
  • Not make any public disclosure about the breach without prior written consent of the Controller, unless required by law

Breach notifications should be sent to the Controller's designated security contact. If no contact is specified, notifications will be sent to the account's primary email.

10. Data Subject Rights Assistance

Renew EcoMe LLC will assist the Controller in responding to Data Subject rights requests within the applicable regulatory timeframes:

  • GDPR/UK GDPR — 30-day response window (extendable to 90 days for complex requests)
  • CCPA/CPRA — 45-day response window (extendable by 45 days with notice)
  • PIPEDA — 30-day response window

Self-service tools for account deletion and data export are available in the Platform's profile settings. For requests that cannot be fulfilled via self-service, contact hello@sustainable207.com.

11. Audit Rights

The Controller may request evidence of compliance with this DPA once per calendar year by providing 30 days' written notice. Renew EcoMe LLC will, at its option:

  • Provide a completed security questionnaire and supporting documentation (SOC 2 Type II equivalents from Sub-Processors where available); or
  • Facilitate an on-site or remote audit at the Controller's expense, subject to reasonable confidentiality protections

For any audit triggered by a suspected breach or regulatory investigation, Renew EcoMe LLC will cooperate at no cost to the Controller.

12. Return and Deletion of Data

Upon termination or expiry of the Controller's subscription, Renew EcoMe LLC will, at the Controller's choice and within 30 days:

  • Delete all Personal Data from active systems and instruct Sub-Processors to do the same; or
  • Return a machine-readable export of the Controller's Personal Data prior to deletion

Billing records required for legal or tax purposes are retained for 7 years in accordance with U.S. IRS requirements. Renew EcoMe LLC will provide written confirmation of deletion upon request.

13. Liability and Indemnification

Each party shall be liable for its own violations of Applicable Data Protection Law. Renew EcoMe LLC's total liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits either party's liability to Data Subjects or supervisory authorities.

14. Governing Law

This DPA is governed by the laws of the State of Maine, United States, consistent with the Terms of Service. For EU/EEA customers, the SCCs are governed by the law of the EU member state of the Controller's establishment, as required by the SCCs.

15. Requesting a Countersigned DPA

Enterprise customers who require a formally countersigned DPA may request one by emailing:

Data Protection Contact

Chris Edwards, Founder & Data Protection Point of Contact

Renew EcoMe LLC · Cape Elizabeth, Maine 04107, USA

Email: hello@sustainable207.com (subject: “DPA Request — [Your Company Name]”)

Response time: 5 business days

Please include your company name, jurisdiction, approximate number of Data Subjects affected, and whether you require SCCs, UK IDTA, or PIPEDA addendum.