Data Processing Agreement
1. Definitions
In this DPA:
- "Customer Data" means any personal data submitted to or fetched by the service on behalf of the Customer — including user names, email addresses, business KPI metrics, and data retrieved from connected third-party systems such as accounting, CRM, billing, and project-management platforms.
- "Data Controller" means the entity that determines the purposes and means of processing personal data. In the context of this DPA, that is the Customer.
- "Data Processor" means the entity that processes personal data on behalf of a Controller. In the context of this DPA, that is Performance Vue.
- "Processing" means any operation performed on personal data, including collection, storage, retrieval, use, disclosure, or deletion.
- "Personal Data" means any information relating to an identified or identifiable natural person that is contained within Customer Data.
- "Sub-processor" means a third party engaged by Performance Vue to process Customer Data in connection with the service.
- All other capitalized terms have the meanings given in the Terms of Service.
2. Roles and scope
The Customer acts as the Data Controller and Performance Vue acts as the Data Processor for Customer Data submitted to or processed through the service. Performance Vue processes Customer Data solely to provide the service as described in the Terms of Service and as further instructed by the Customer through use of the service's features and settings.
This DPA applies only to Customer Data. It does not apply to data that Performance Vue collects about its own business operations, to data submitted by Performance Vue's direct employees or contractors, or to aggregated and de-identified data derived from Customer Data that no longer identifies any individual.
3. Processing purposes and instructions
Performance Vue processes Customer Data exclusively to:
- provide, operate, and improve the Performance Vue service;
- store and display KPI metrics, dashboard configurations, and connector data to authorized users within the Customer's workspace;
- authenticate users and enforce workspace-level access controls;
- send transactional communications (account setup, billing receipts, security alerts) to Customer users;
- comply with applicable legal obligations.
Performance Vue will not process Customer Data for any purpose beyond the above without the Customer's prior written instruction, except where required by applicable law. The Customer's use of the service's features constitutes the Customer's processing instructions. If Performance Vue is required by law to process Customer Data in a way that conflicts with these instructions, it will notify the Customer before doing so unless prohibited by law.
4. Data we process
The table below describes the categories of Customer Data Performance Vue typically processes:
| Category | Examples | Source |
|---|---|---|
| User identity | Name, business email address | Customer signup / user invite |
| Authentication credentials | Hashed passwords (managed by AWS Cognito), OAuth tokens for connected apps | Customer login / OAuth consent |
| Business KPI metrics | Revenue figures, invoice totals, pipeline counts, user engagement stats, infrastructure costs | Connected third-party systems (QuickBooks, HubSpot, Stripe, Jira, Google Analytics, AWS, etc.) |
| Dashboard configuration | KPI definitions, goals, display preferences, workspace settings | Customer configuration within the service |
| Audit and activity logs | Login events, role changes, connector connection/disconnection events | Service activity |
Performance Vue does not intentionally collect or process sensitive categories of personal data (health data, financial account numbers, government identifiers, or similar). The service is designed for business metrics and should not be used to submit or store consumer-facing personal records. If the Customer connects a data source that contains sensitive personal data, the Customer is responsible for ensuring that connection is appropriate under applicable law.
5. Sub-processors
Performance Vue uses the following sub-processors to provide the service. By entering into this DPA, the Customer provides a general authorization for Performance Vue to engage these sub-processors:
| Sub-processor | Role | Data location |
|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure, storage, compute, authentication (Cognito), email (SES) | US East (N. Virginia) — us-east-1 |
| Stripe, Inc. | Payment processing — billing name, email, and card data for subscription management. Stripe is a payment processor and does not receive KPI or connector data. | United States |
| Airtable, Inc. | Lead capture only — processes prospective customer contact details submitted via the public marketing site signup form. Airtable does not receive any Customer Data from active accounts. | United States |
Performance Vue will give the Customer at least 30 days' notice (by email or in-app notification) before adding or replacing a material sub-processor. If the Customer has a reasonable objection to a new sub-processor, it must notify Performance Vue in writing within 14 days of the notice. Performance Vue will use commercially reasonable efforts to accommodate the objection; if it cannot, the Customer may terminate the service on written notice without penalty for the current billing period.
6. Security measures
Performance Vue implements and maintains the following technical and organizational measures to protect Customer Data:
- Encryption in transit. All data transferred between the Customer's browser and the service, and between the service and connected third-party systems, is encrypted using TLS 1.2 or higher.
- Encryption at rest. Customer Data stored in the database (Amazon RDS PostgreSQL) and object storage (Amazon S3) is encrypted at rest using AES-256.
- Tenant isolation. Each Customer workspace is isolated using row-level security (RLS) policies enforced at the database layer and JWT-based tenant claims verified on every API request. One Customer cannot access another's data.
- Least-privilege access controls. AWS IAM roles, database users, and Lambda execution roles are scoped to the minimum permissions required. No broad admin credentials are used in production workloads.
- Audit logging. AWS CloudTrail captures API-level activity across the infrastructure. Application-level events (logins, role changes, connector activity) are logged in the service's audit log, accessible to Admins in the dashboard.
- Threat detection. Amazon GuardDuty is active in the production AWS account for continuous threat and anomaly detection.
- Web application firewall. AWS WAF is applied at both the CloudFront distribution and API Gateway layers with managed rule sets for common threats and known-bad inputs.
- Secrets management. API keys, OAuth credentials, and database passwords are stored in AWS Secrets Manager and never embedded in source code or environment variables.
- Annual security review. Performance Vue conducts an internal security review of its infrastructure and application code at least annually.
No system is perfectly secure. Performance Vue does not guarantee that Customer Data will never be accessed by unauthorized parties, but we commit to the measures above and to prompt notification if a breach occurs.
7. Personal data breach notification
If Performance Vue becomes aware of a confirmed personal data breach affecting Customer Data, it will notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach.
The notification will include, to the extent known at the time: (a) a description of the nature of the breach; (b) the categories and approximate number of individuals and records affected; (c) the likely consequences; and (d) the measures taken or proposed to address the breach. Performance Vue may provide a preliminary notice followed by supplementary details as the investigation progresses.
The Customer is responsible for notifying its own users, regulators, or other required parties under applicable law. Performance Vue will provide reasonable cooperation to assist the Customer in meeting its notification obligations.
8. Data subject rights
As the Data Controller, the Customer is responsible for responding to requests from individuals (data subjects) who exercise rights under applicable privacy law — such as the right to access, correct, delete, or port their personal data.
Performance Vue will provide reasonable assistance to enable the Customer to respond to such requests. If Performance Vue receives a data subject request directly that relates to Customer Data, it will promptly forward the request to the Customer at the contact email on the account. Performance Vue will not respond to data subject requests regarding Customer Data without the Customer's written instruction, except as required by law.
Responses to data subject requests will be facilitated within 30 days of receiving a confirmed instruction from the Customer.
9. Data retention and deletion
Performance Vue retains Customer Data for the duration of the active subscription and for 30 days after the subscription ends (whether by cancellation, non-renewal, or termination). This grace period allows the Customer to export or retrieve data before it is permanently deleted.
At the end of the 30-day grace period, Performance Vue will permanently delete Customer Data from production systems and databases. Backup copies may persist for up to an additional 30 days within encrypted backup systems before being purged on the normal backup rotation cycle.
The Customer may request earlier deletion by emailing dpa@performancevue.com. Performance Vue will action such requests within 30 days of receipt and confirm completion in writing.
Notwithstanding the above, Performance Vue may retain data that it is legally required to keep (such as billing records) for the period required by applicable law.
10. International data transfers
All Customer Data is processed and stored in the United States on AWS infrastructure in the us-east-1 (N. Virginia) region. Performance Vue does not currently transfer Customer Data outside the United States.
Performance Vue is a US-based service operated under Texas law and is intended for business customers in the United States. If the Customer is located outside the United States or is subject to data-transfer restrictions under regulations such as the EU General Data Protection Regulation (GDPR) or similar frameworks, the Customer is responsible for determining whether use of the service is permissible under those frameworks. Performance Vue does not currently offer EU Standard Contractual Clauses or other cross-border transfer mechanisms, as the service is not marketed to or directed at EU residents or customers.
11. Confidentiality
Performance Vue ensures that personnel authorized to process Customer Data are bound by written confidentiality obligations, whether through employment agreements, contractor agreements, or equivalent arrangements. Access to Customer Data is restricted to personnel who need it to provide or support the service.
12. Return or deletion on request
Upon written request from the Customer at any time during the subscription — or upon termination — Performance Vue will, at the Customer's election:
- Return: provide a machine-readable export of the Customer's KPI definitions and metric data in JSON or CSV format; or
- Delete: permanently delete all Customer Data from production systems within 30 days of the request and confirm deletion in writing.
To make a request, email dpa@performancevue.com with the subject line "Data Return Request" or "Data Deletion Request" from the account Owner email address.
13. Audits and compliance
Performance Vue will provide the Customer with information reasonably necessary to demonstrate compliance with this DPA on written request. For the current stage of the business (early-access / startup), this takes the form of a written summary of security controls and practices rather than a formal third-party audit report (SOC 2, ISO 27001, or similar). Performance Vue intends to pursue a formal compliance certification as the business scales and will notify existing Customers when that certification is available.
If the Customer requires a formal on-site or technical audit, the parties will agree in writing on the scope, timing, and cost allocation before it proceeds. Any such audit must not unreasonably disrupt Performance Vue's operations or compromise the security or data of other customers.
14. Relationship to Terms of Service
This DPA forms part of the agreement between Performance Vue and the Customer and is governed by the laws of the State of Texas, consistent with the Terms of Service. In the event of any conflict between this DPA and the Terms of Service regarding the processing of personal data, this DPA controls. All other terms of the Terms of Service remain in full effect.
This DPA does not create any rights for data subjects (individuals) as third-party beneficiaries. It governs the relationship between Performance Vue and the Customer as businesses.
15. Changes to this DPA
Performance Vue may update this DPA to reflect changes in legal requirements, sub-processors, or security practices. We will give at least 30 days' advance notice of material changes by email or in-app notification. Continued use of the service after the effective date of an updated DPA constitutes acceptance of the changes.
16. Contact
For DPA requests, data subject assistance, deletion requests, or questions about data processing:
- Email: dpa@performancevue.com
- Mail: Performance Vue LLC, 3751 Main St., Suite 600 #167, The Colony, TX 75056
For general questions about these terms, contact info@performancevue.com.