Skip to content
version90

Legal

Data Processing Addendum

Last updated: July 11, 2026 · Incorporated into the Terms of Service for organizational customers

This Data Processing Addendum ("DPA") forms part of the Terms of Service between the customer organization ("Customer") and Latent Ape LLC, a Tennessee limited liability company ("Latent Ape"), and applies where Latent Ape processes personal data contained in Customer Content on Customer's behalf.

1. Roles and scope

Customer is the controller (or a processor acting for another controller) of personal data in Customer Content; Latent Ape is the processor. "Data protection laws" means the laws applicable to the processing, including the GDPR, UK GDPR and CCPA/CPRA where relevant. Details of the processing appear in Annex I.

2. Instructions

Latent Ape processes Customer personal data only: (a) to provide the Service as configured and used by Customer; (b) per the Terms, this DPA and Customer's documented instructions; or (c) as required by law (with notice unless prohibited). AI features run only on Customer's action or the automatic intake processing described in the product. Latent Ape does not sell Customer personal data and does not use it for advertising or for training machine-learning models — and contractually prohibits its AI subprocessors from doing so.

3. Confidentiality and personnel

Persons authorized to process Customer personal data are bound by confidentiality obligations and access it only as needed to operate and support the Service under least-privilege controls.

4. Security

Latent Ape implements appropriate technical and organizational measures, summarized in Annex II: encryption in transit and at rest, tenant isolation enforced at the application layer and covered by automated security tests, role-based access with per-organization scoping, immutable content-hashed document storage, and audit logging of processing actions.

5. Subprocessors

Customer authorizes the subprocessors in Annex III. Latent Ape will (a) bind each subprocessor to data-protection obligations no less protective than this DPA, (b) remain liable for their performance, and (c) give at least 30 days' notice (email or in-app) before adding or replacing a subprocessor that processes Customer personal data. Customer may object on reasonable data-protection grounds; if no resolution is found, Customer may terminate affected services and receive a pro-rata refund of prepaid fees.

6. Data subject requests and assistance

Taking into account the nature of the processing, Latent Ape will assist Customer in responding to data subject requests (the export, correction and deletion tooling in the product is the primary mechanism) and, as reasonably required, with data protection impact assessments and consultations. Requests received directly from data subjects about Customer Content will be referred to Customer.

7. Personal data breach

Latent Ape will notify Customer without undue delay (and within 72 hours) after becoming aware of a personal data breach affecting Customer personal data, providing the information reasonably needed for Customer's own notification obligations, and will take reasonable steps to contain and remediate.

8. International transfers

Processing occurs in the United States. For personal data subject to the GDPR or UK GDPR, the parties incorporate the EU Standard Contractual Clauses (Module 2, controller-to-processor) and the UK Addendum, with Annexes I–III supplying the required information; Latent Ape relies on equivalent transfer mechanisms with its subprocessors.

9. Deletion and return

During the term, Customer can export all Customer Content (every version, byte-for-byte) at any time. For 30 days after termination the export remains available; thereafter Latent Ape deletes Customer Content from production systems, with backups aging out on a rolling schedule not exceeding 90 further days, except where retention is legally required.

10. Audit

Latent Ape will make available information reasonably necessary to demonstrate compliance with this DPA (documentation, security summaries and, when available, third-party audit reports) and will permit audits as required by data protection laws, under reasonable confidentiality, scope and frequency conditions.

Annex I — Details of processing

  • Subject matter & duration: provision of the version90 Service for the subscription term plus the wind-down period in Section 9.
  • Nature & purpose: hosting, versioning, redlining, collaboration, AI-assisted review/extraction, archiving and export of Customer contract documents.
  • Categories of data subjects: Customer's personnel and users; counterparties and their personnel; signatories and other individuals named in contracts.
  • Categories of personal data: identification and contact details, professional details, and any personal data Customer's documents happen to contain. Customers should not upload special-category data unless necessary; contracts occasionally contain it (e.g., in employment matters) and it is processed only as part of the document.

Annex II — Technical and organizational measures (summary)

  • Encryption in transit (TLS) and at rest.
  • Application-level tenant isolation: every record organization-scoped; every query tenant-checked; enforced by an automated security test suite that only grows.
  • Role-based access control with per-organization capabilities; server-side permission checks.
  • Immutable, content-hashed document versions; append-only audit logging of processing decisions.
  • Least-privilege internal access; segregated production credentials via secret management.
  • Vulnerability management, dependency updates, and infrastructure hosted on providers with SOC 2 / ISO 27001 programs.

Annex III — Authorized subprocessors

Subprocessor Purpose Location Data involved
Google Cloud Platform (Google LLC) Application hosting: compute, databases, document storage, job processing United States All Customer Content and application data
Cloudflare, Inc. Website hosting/CDN, DNS, network security (DDoS/WAF) Global edge network (US-headquartered) Website traffic; application traffic metadata when proxied
Anthropic, PBC Large-language-model processing for AI features (review, extraction, explanation) United States Document content and context submitted for the requested AI action — contractually excluded from model training
Clerk, Inc. Authentication, user and organization identity management United States Names, email addresses, organization membership, authentication events
Stripe, Inc. Payment processing and subscription billing United States Billing contact and payment details (card data held by Stripe, not us)
Google Analytics (Google LLC) Marketing-website usage analytics (not used inside the application) United States Website usage events, device/browser data, truncated IP-derived location

Changes to this list are announced per Section 5. Questions: privacy@version90.com.