DATA PROCESSING ADDENDUM

How we process your data.

A plain-language summary of our data processing addendum for legal and privacy teams. Last updated July 10, 2026.

Roles and purpose

For the data your organization puts into VendorBenchmark, you are the controller and Redress Compliance acts as processor. We process your data for one purpose, providing the platform: storing your contracts, producing the benchmarks and deliverables you request, and operating the accounts your organization manages.

What we process

Security measures

Tenant isolation is enforced at the database with Postgres row-level security, so a session from one organization cannot return another organization’s rows. Data is encrypted in transit with TLS and encrypted at rest. TOTP multi-factor authentication is available to all users and mandatory for platform staff. Views and downloads of contract files are audit logged. The full architecture is described on the security overview.

Retention and deletion

Retention is set by you, the customer. The platform includes a hard-delete path that removes both the database rows and the stored files. On termination, we delete or return your data at your direction.

Subprocessing

We use a small set of subprocessors to run the service, each listed with its purpose and the data it touches on the subprocessor list.

Breach notification

If a breach affects your data, we notify your organization’s owners without undue delay, with the audit trail to show exactly what was touched.

The signed DPA

This page is a summary. The signed data processing addendum, with standard contractual clauses where they apply, is available on request via info@redresscompliance.com or your account team.