Last Updated: March 27, 2026

Data Processing Agreement

This Data Processing Agreement ("DPA") describes how ProposalForge processes personal data on behalf of its users when providing the ProposalForge service at forgeproposals.com. This DPA is incorporated into and supplements our Terms of Service.

1. Introduction & Parties

This Data Processing Agreement ("DPA") supplements the ProposalForge Terms of Service and applies whenever ProposalForge ("Processor") processes personal data on behalf of you, the user ("Controller").

When contractors use ProposalForge to manage client data in proposals, invoices, and estimates, the contractor is the data controller and ProposalForge is the data processor.

This DPA is effective as of the date you accept the Terms of Service and remains in effect for the duration of the agreement.

2. Definitions

The following terms have the meanings set forth below, consistent with the definitions in the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"):

  • "Personal Data": any information relating to an identified or identifiable natural person ("Data Subject").
  • "Processing": any operation performed on Personal Data, including collection, storage, alteration, retrieval, use, disclosure, or erasure.
  • "Data Subject": an identified or identifiable natural person whose Personal Data is processed.
  • "Controller": the natural or legal person that determines the purposes and means of Processing of Personal Data — in this context, the contractor using ProposalForge.
  • "Processor": the natural or legal person that processes Personal Data on behalf of the Controller — in this context, ProposalForge.
  • "Sub-Processor": a third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • "Supervisory Authority": an independent public authority established by an EU/EEA member state to monitor the application of the GDPR.

3. Scope & Purpose of Processing

The Processor processes Personal Data only to the extent necessary to provide the ProposalForge service. The categories of Personal Data processed include:

  • Client names and email addresses
  • Project addresses (included in proposals)
  • Invoice line items and amounts
  • Contractor business information
  • Document delivery metadata

Purpose: Processing is carried out solely to provide the ProposalForge service — generating, storing, delivering, and managing proposals, invoices, and estimates on behalf of the Controller.

4. Processing Instructions

The Processor will process Personal Data only on documented instructions from the Controller. Unless required by applicable law, the Processor will not process Personal Data for any purpose other than providing the ProposalForge service as described in this DPA and the Terms of Service.

If the Processor is required by law to process Personal Data beyond the Controller's instructions, the Processor will inform the Controller of that legal requirement before Processing, unless the law prohibits such notification on important grounds of public interest.

5. Data Security Measures

The Processor implements the following technical and organizational measures to protect Personal Data:

  • AES-256-GCM encryption for third-party integration tokens (QuickBooks, Stripe Connect)
  • SHA-256 hashing for IP addresses and device fingerprints (raw values never stored)
  • TLS 1.2+ encryption for all data in transit
  • Database connections require SSL/TLS
  • Role-based access control (Owner, Admin, Creator, Viewer)
  • Stripe handles payment card data (PCI DSS Level 1)
  • HTTP security headers configured
  • Webhook signature verification
  • Rate limiting via Upstash Redis

These measures are reviewed and updated periodically to ensure they remain appropriate to the risk presented by the Processing activities.

6. Sub-Processors

The Processor uses the following Sub-Processors to provide the ProposalForge service. Each Sub-Processor is bound by data processing obligations consistent with this DPA:

  Sub-Processor            Data Processed                    Purpose
  Anthropic (Claude AI)    Proposal/invoice text content     AI document generation
  Stripe                   Payment card data, billing info   Payment processing & subscriptions
  Resend                   Email addresses                   Transactional email delivery
  Neon (PostgreSQL)        All application data              Database hosting
  Google                   Name, email, avatar               OAuth authentication
  Upstash (Redis)          User IDs                          Rate limiting (1-hour TTL)
  FingerprintJS            Browser characteristics           Fraud prevention
  Plausible Analytics      None (cookieless)                 Anonymous site analytics

We will notify the Controller of any changes to Sub-Processors with 30 days' notice. The Controller may object to a new Sub-Processor within that notice period.

7. International Data Transfers

Data is processed and stored in the United States. For transfers of Personal Data from the EU/EEA/UK, we rely on:

  • Standard Contractual Clauses (SCCs) as adopted by the European Commission
  • UK International Data Transfer Agreement where applicable

You may request copies of the transfer safeguards we have in place by contacting privacy@forgeproposals.com.

8. Data Subject Rights

The Processor will assist the Controller in responding to Data Subject requests, including:

  • Right of access (GDPR Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)

If the Processor receives a Data Subject request directly, it will promptly notify the Controller and will not respond to the request without the Controller's authorization, unless required by law.

9. Data Breach Notification

The Processor will notify the Controller without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach. The notification will include:

  • The nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to mitigate the breach

The Processor will cooperate fully with the Controller in investigating and remediating any Data Breach and in fulfilling any notification obligations to Supervisory Authorities or Data Subjects.

10. Audit Rights

The Controller may request documentation of the Processor's compliance with this DPA. The Processor will make available all information necessary to demonstrate compliance with the obligations set forth in this agreement.

Audits shall be conducted at the Controller's expense with reasonable prior notice. The Processor may charge reasonable fees for time spent assisting with audits beyond documentation review.

11. Data Retention & Deletion

Personal Data is retained in accordance with the retention schedule described in our Privacy Policy.

Upon account closure or the Controller's written request:

  • Personal Data will be deleted or anonymized within 90 days
  • Personal Data is retained beyond 90 days only where required by applicable law
  • The Controller should export any needed data before account closure

12. Term & Termination

This DPA is effective for the duration of the Terms of Service. It automatically terminates when the Terms of Service terminate.

Obligations regarding data security, confidentiality, and proper deletion of Personal Data survive termination of this DPA.

13. Governing Law

This DPA is governed by the laws of Florida, United States.

For EU/EEA Data Subjects, GDPR provisions take precedence where they conflict with local law. Nothing in this DPA limits or restricts the rights of Data Subjects under applicable data protection legislation.

14. Contact

For questions about this DPA or to exercise any rights described herein, please contact:

ProposalForge — Privacy Team

Florida, USA

Privacy: privacy@forgeproposals.com

Legal: legal@forgeproposals.com

© 2026 ProposalForge. Built for the trades.