This Data Processing Agreement ("DPA") is entered into pursuant to Article 28 of the General Data Protection Regulation (GDPR) and governs the processing of personal data by TAV GROUP LLC ("Processor") on behalf of you ("Controller").
This DPA supplements the Terms of Service and applies when you, as a freelancer using TAV, enter client data into the platform.
1. Parties
Controller: You, the freelancer who enters client personal data into TAV.
Processor: TAV GROUP LLC, Email: support@usetav.com
2. Scope and Purpose
2.1 When Does This DPA Apply?
This DPA applies when you:
- Add client contact information (name, email, address)
- Create and send invoices, offers, or contracts containing client data
- Store client records in TAV
2.2 Purpose of Processing
TAV processes client data solely to provide you with:
- Document generation (invoices, offers, contracts as PDF)
- Email delivery of documents to your clients
- Digital signature workflows
- Client management and record keeping
- Payment tracking and reminders
2.3 Categories of Data
- Client name and company name
- Client email address
- Client business address
- Client tax identification number
- Invoice amounts and payment status
- Contract terms and signature data
2.4 Data Subjects
The data subjects are your clients — the individuals or representatives of businesses you work with.
3. Processor Obligations
TAV shall:
- Process personal data only on your documented instructions (i.e., your use of TAV features)
- Ensure that persons authorized to process the data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (see Section 5)
- Not engage sub-processors without prior notification (see Section 4)
- Assist you in responding to data subject requests (access, deletion, portability)
- Assist you with data protection impact assessments where required
- Delete or return all personal data upon termination, except where retention is legally required
- Make available all information necessary to demonstrate compliance with this DPA
4. Sub-processors
TAV uses the following sub-processors to deliver the Service:
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase Inc. | Database hosting, file storage, authentication | All application data | United States |
| Stripe Inc. | Subscription billing | Freelancer email, name, payment method | United States |
| Resend Inc. | Transactional email delivery | Recipient email, document metadata | United States |
| SignatureAPI | Digital contract signatures | Signer names, emails, contract documents | United States |
| Vercel Inc. | Application hosting and delivery | Request metadata, IP addresses | United States |
We will notify you via email before adding or replacing a sub-processor. If you object, you may terminate your account within 30 days of notification.
5. Security Measures
TAV implements the following technical and organizational measures:
Technical
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Passwordless authentication via time-limited magic links
- Row-level security (RLS) ensuring data isolation between users
- Automated database backups
- Secure document storage with access controls
Organizational
- Principle of least privilege for system access
- No third-party analytics or tracking scripts
- Regular security reviews
- Incident response procedures (see Section 6)
6. Data Breach Notification
In the event of a personal data breach, TAV will notify you without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include:
- The nature of the breach and categories of data affected
- Approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
7. International Transfers
All data processing occurs in the United States. For transfers of personal data from the EU/EEA to the United States, the following safeguards are in place:
- EU-U.S. Data Privacy Framework certifications of our sub-processors (where applicable)
- Standard Contractual Clauses (SCCs) maintained by sub-processors
8. Data Subject Requests
If TAV receives a request from one of your clients regarding their personal data (access, correction, deletion), we will promptly redirect the request to you and assist you in responding.
You can fulfill most data subject requests directly through TAV: editing client records, deleting clients, or exporting data.
9. Audits
You have the right to verify TAV's compliance with this DPA. Upon reasonable request and with at least 30 days notice, TAV will provide relevant documentation or facilitate a third-party audit at your cost.
10. Duration and Termination
This DPA remains in effect for the duration of your use of TAV. Upon termination of your account:
- Client data is deleted within 30 days, unless legally required to be retained
- Financial records (invoices, contracts) are retained for 7 years per legal requirements
- You may export all data before account closure
11. Liability
Liability under this DPA is subject to the limitations set out in the Terms of Service.
12. Contact
For questions about data processing or to exercise your rights under this DPA, contact us at:
TAV GROUP LLC
Email: support@usetav.com
Version: 2.0 | Last updated: February 18, 2026