DATA PROCESSING ADDENDUM
How we process your data.
A plain-language summary of our data processing addendum for legal and privacy teams. Last updated July 10, 2026.
Roles and purpose
For the data your organization puts into VendorBenchmark, you are the controller and Redress Compliance acts as processor. We process your data for one purpose, providing the platform: storing your contracts, producing the benchmarks and deliverables you request, and operating the accounts your organization manages.
What we process
- Contract documents and their metadata,
- user account data, meaning name and corporate email,
- usage and audit data generated as your team uses the platform.
Security measures
Tenant isolation is enforced at the database with Postgres row-level security, so a session from one organization cannot return another organization’s rows. Data is encrypted in transit with TLS and encrypted at rest. TOTP multi-factor authentication is available to all users and mandatory for platform staff. Views and downloads of contract files are audit logged. The full architecture is described on the security overview.
Retention and deletion
Retention is set by you, the customer. The platform includes a hard-delete path that removes both the database rows and the stored files. On termination, we delete or return your data at your direction.
Subprocessing
We use a small set of subprocessors to run the service, each listed with its purpose and the data it touches on the subprocessor list.
Breach notification
If a breach affects your data, we notify your organization’s owners without undue delay, with the audit trail to show exactly what was touched.
The signed DPA
This page is a summary. The signed data processing addendum, with standard contractual clauses where they apply, is available on request via info@redresscompliance.com or your account team.