Data Processing Addendum
Effective date: 2026-05-11 · Last updated: 2026-05-11
This Data Processing Addendum ("DPA") supplements the Escalate Terms of Service ("Agreement") between Yash Patel Consulting Inc., a corporation registered in the Province of Ontario, Canada doing business as "Escalate" (the "Processor") and the Customer (the "Controller") and applies when Escalate processes Personal Data on behalf of the Customer in connection with the Service.
This DPA is offered as Escalate's standard form. A customer subject to PIPEDA, GDPR, UK GDPR, CCPA, or other applicable data-protection law may countersign this DPA by emailing privacy@tryescalate.com with the Customer's legal entity name and authorized signatory; Escalate will return a counter-signed PDF.
1. Definitions
Capitalized terms not defined here have the meanings in the Agreement. "Personal Data", "Controller", "Processor", "Data Subject", "Subprocessor", and "Processing" have the meanings given them under Regulation (EU) 2016/679 (the "GDPR"). "Personal Information" has the meaning given it under Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA") and, separately, the meaning given it under the California Consumer Privacy Act, as amended by the CPRA (collectively, "CCPA"); "Service Provider" has the meaning given it under the CCPA.
2. Roles and scope
- For Personal Data processed in connection with the Service, Customer is the Controller (or Business under CCPA; or "organization" that has Personal Information custody under PIPEDA) and Escalate is the Processor (or Service Provider under CCPA; or third-party processor under PIPEDA s. 4.1.3).
- Escalate processes Personal Data only on documented instructions from Customer, which include (a) the Agreement, (b) this DPA, and (c) Customer's configuration of the Service.
- Escalate does not sell or share Personal Data within the meaning of CCPA and does not use Personal Information for purposes beyond those identified in this DPA, consistent with PIPEDA Principles 4 (Limiting Collection) and 5 (Limiting Use, Disclosure, and Retention).
3. Categories of Personal Data and Data Subjects
3.1 Categories of Data Subjects
- Customer's employees who participate in covered deal channels (typically: founder-CTO, AEs, GCs, security or compliance reviewers).
- Customer's prospects, evaluators, and counter-parties whose names, organizations, or roles appear in messages or CRM records within covered deals.
3.2 Categories of Personal Data
- Identifiers: name, email, Slack/Teams user ID, AAD object ID, Salesforce/HubSpot user ID.
- Professional information: role, organization, deal-side (internal reviewer vs. external counter-party).
- Workplace communications: messages posted in covered deal channels, classifier verdicts on those messages, and the founder's dismissal feedback on resulting alerts.
- CRM record content: deal name, stage, amount, owner, stage-transition timestamps, and similar pipeline metadata.
Escalate does not process special-category data (health, religion, biometric, sexual orientation, etc.) unless Customer has elected to include it in covered channels (in which case Customer is responsible for the lawful basis). Escalate applies redaction patterns in logs to limit exposure but does not guarantee complete redaction of free-text content.
4. Nature and purpose of processing
- Create dedicated chat channels for cross-functional deals.
- Classify messages and detect stalled sub-threads.
- Dispatch alert DMs to the founder when intervention is warranted.
- Produce Coverage Reports and audit exports for Customer.
- Operate, secure, and improve the Service as described in the Privacy Policy, subject to the no-cross-customer-training commitment in Section 9.
5. Duration
Processing continues for the term of the Agreement plus the 30-day read-only grace period that follows cancellation. After the grace period, Escalate deletes Personal Data on a scheduled deletion job, subject only to a 7-day point-in-time backup roll-off.
6. Subprocessors
Customer authorizes Escalate to engage the Subprocessors listed in the Privacy Policy §5. Escalate will notify Customer at least 30 days before adding a new Subprocessor whose engagement affects processing for existing customers. Customer may object on reasonable, data-protection-related grounds; if the objection cannot be resolved, Customer's remedy is to terminate the Agreement.
Escalate imposes data-protection obligations on each Subprocessor that are no less protective than this DPA, and remains liable to Customer for each Subprocessor's performance of those obligations.
7. Security measures
Escalate implements and maintains the following technical and organizational measures (collectively, "TOMs"), summarized from the more detailed posture in the Privacy Policy §8:
- Tenant isolation: workspace-keyed row-level security policies on all database tables.
- Encryption: TLS 1.2+ in transit; provider-managed encryption at rest.
- Access control: production access limited to the founder; audit log on administrative actions.
- Secret hygiene: a custom Sentry redactor strips credentials from error events before they leave compute.
- Vulnerability management: dependency upgrades on a monthly cadence; critical CVE patches within 14 days of public disclosure.
- Incident response: documented runbooks for Postgres outages, LLM provider outages, and cross-tenant RLS bypass (treated as code-red).
- No training on customer data: the no-cross-customer-training commitment in Section 9 is enforced at the architectural level — the LLM classifier consumes context only from within a single workspace.
8. Personal Data breach notification
On becoming aware of a Personal Data breach affecting Customer's data, Escalate will:
- Notify Customer's founder contact within 72 hours via the email on file, including (i) the nature of the breach, (ii) categories and approximate volume of data subjects affected, (iii) likely consequences, and (iv) mitigation steps taken or proposed.
- Document the breach in a forensic snapshot retained for at least one year for regulatory inspection.
- Reasonably cooperate with Customer's notification obligations to regulators and data subjects.
9. No training on customer data
Escalate does not use Customer Data to train or fine-tune any machine-learning model that another customer can benefit from. The per-customer corpus accumulated through Customer's use of the Service may be used to calibrate the Service for Customer's own account, and (under a separate opt-in addendum) may power V2 drafting features that reuse Customer's prior responses for Customer's own future deals. Cross-customer reuse is explicitly out of scope for V1 and V2.
10. Data subject rights
Customer is responsible for responding to data-subject requests under applicable law. Escalate will assist Customer by making Personal Data available in machine-readable form (NDJSON / CSV) via the audit-export tooling, and by deleting Personal Data on Customer's instruction (which may, in turn, instruct deletion in response to a data-subject erasure request).
11. International transfers
Escalate's corporate entity is in Ontario, Canada. Our compute and storage subprocessors are located in the United States (Virginia and Ohio regions). Data submitted to the Service therefore crosses the Canada–US border via our subprocessors.
11.1 EEA / UK / Swiss customers — Canada adequacy + onward US flow
The European Commission has issued an adequacy decision for Canadian commercial organizations subject to PIPEDA, which generally permits transfers from the EEA to Canada without additional safeguards. Because we onward-transfer data to US-based subprocessors, the parties additionally agree to be bound by the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, the "SCCs") for that onward leg, as follows:
- Module Two (Controller to Processor) applies, with Customer as data exporter and Escalate as data importer.
- Annex I is populated from the parties' names and addresses in the Agreement, and from Sections 3 (Categories) and 4 (Nature and purpose) of this DPA.
- Annex II is populated from Section 7 of this DPA.
- Annex III is populated from the Subprocessor list in the Privacy Policy §5.
- For UK transfers, the International Data Transfer Addendum issued by the UK ICO supplements the SCCs.
- For Swiss transfers, references to the GDPR in the SCCs are read as references to the Swiss FADP.
11.2 Canadian customers — outbound to US subprocessors
PIPEDA Principle 4.1.3 permits transfers of Personal Information to a foreign jurisdiction for processing provided we use contractual or other means to ensure a comparable level of protection. Our agreements with US-based subprocessors impose data-protection obligations consistent with this DPA. Customer acknowledges that Personal Information processed by US-based subprocessors may be subject to access by US authorities under US law (e.g., the Stored Communications Act and the CLOUD Act); we will challenge unlawful access requests where we have reasonable grounds to do so and will notify Customer (where lawful) of any binding order affecting Customer's Personal Information.
11.3 US-state customers
For California customers, Escalate acts as a Service Provider under the CCPA and does not sell or share Personal Information.
12. Audit rights
Escalate will respond to reasonable written audit requests by providing (a) the current Privacy Policy and DPA, (b) a written description of its TOMs, and (c) on Customer's reasonable request and at Customer's expense, summaries of relevant third-party assessments once Escalate has obtained them (e.g., SOC 2 once issued). On-site audits are not available at V1; this section will be revised when Escalate establishes a formal audit-readiness program.
13. Deletion or return of Personal Data
On termination of the Agreement, Customer may request export of all Personal Data via the audit-export tooling within the 30-day read-only grace period described in the Terms § 3.3. After the grace period, Personal Data is deleted on a scheduled deletion job and removed from backups within the 7-day backup roll-off, except where retention is required by applicable law.
14. Liability
The aggregate liability of each party under this DPA, taken together with the Agreement, is subject to the limitation of liability in the Agreement § 10.
15. Conflict
In the event of conflict between this DPA and the Agreement, this DPA controls solely as to the subject matter addressed here. The SCCs control over any conflicting provision of this DPA solely as to transfers covered by the SCCs.
16. Governing law
The governing law of this DPA is the law of the Province of Ontario, Canada and the federal laws of Canada applicable therein (consistent with the Agreement), except where applicable data-protection law mandates a different governing law (in which case the mandatory law applies to the relevant subject matter — for example, the SCCs are governed by the law of an EU Member State per Clause 17).
17. Contact
Data-protection inquiries: write to our Privacy Officer at privacy@tryescalate.com (or hello@tryescalate.com).
Yash Patel Consulting Inc.
Province of Ontario, Canada
Registered office address available on request.