Data Processing Addendum

Data Processing Addendum (DPA)

DDScore.ai | Effective date: 6 May 2026

2026.05.06 10:55

This Data Processing Addendum (“DPA”) forms an integral part of the DDScore.ai Terms of Service (“Agreement”) between Playful Pixels Oy (the “Processor”) and the User (the “Controller”).

1. Scope and Roles

This DPA applies to the processing of personal data contained within business documents uploaded by the Controller to the DDScore.ai service.

The User acts as the Data Controller for any third-party personal data (e.g., team members, founders, or other individuals) contained in the uploaded materials.

Playful Pixels Oy acts as the Data Processor, performing analysis using a combination of AI-powered methods and mathematical methods, including proprietary Advanced Probabilistic Analysis, strictly on behalf of and according to the documented instructions of the Controller.

2. Subject Matter and Duration

Subject Matter: Analysis of business documents (e.g., pitch decks, business plans) using AI-powered analysis combined with mathematical methods, including proprietary Advanced Probabilistic Analysis, and verification of professional backgrounds via public sources.

Duration of Processing:

(a) Uploaded source files: Extremely short-term — automatically and permanently deleted immediately upon completion of report generation.

(b) Generated analysis reports: Automatically and permanently deleted within 24 hours of report generation.

Limited exceptions to the deletion timetable above are set out in Section 6.

3. Processor’s Obligations

The Processor commits to:

Process personal data only on documented instructions from the Controller, unless required by EU or Member State law.
Ensure that personnel authorized to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. In the context of support-request handling, access to the Controller’s submitted materials is restricted to the Processor’s support team and development team and is not extended more broadly within the organization.
Implement rigorous technical and organizational measures to ensure a level of security appropriate to the risk, including TLS 1.3 encryption in transit and AES-256 encryption at rest.
If the Processor becomes aware of a personal data breach affecting the Controller’s data, notify the Controller without undue delay, and in any event within 48 hours of such awareness, providing all information reasonably required for the Controller to comply with its notification obligations under GDPR Article 33.
Assist the Controller in fulfilling their obligation to respond to requests for exercising data subject rights, to the extent possible given the deletion cycles set out in Sections 2 and 6.

4. Sub-processors

The Controller provides a general authorization for the Processor to engage sub-processors for cloud hosting and enterprise API services required to provide the Service.

The Processor ensures that these sub-processors are bound by data protection obligations at least as restrictive as those in this DPA.

No Training: The Processor shall not use the Controller’s data, uploaded documents, or generated reports to train or fine-tune any machine learning models. The same applies to the anonymous, aggregated statistical data described in Section 6(b) below — such data is not used for training or fine-tuning machine learning models and is not transferred to third parties.

5. International Transfers

Data is primarily stored and processed within the EU/EEA.

If data is processed outside the EEA, the Processor relies on Standard Contractual Clauses (SCCs) or other valid transfer mechanisms to ensure a level of protection equivalent to that guaranteed within the EU.

6. Zero Trace, Deletion, and Limited Exceptions

(a) Zero Trace baseline. In accordance with the Processor’s “Zero Trace Policy”:

Uploaded source files are automatically and permanently deleted immediately upon completion of report generation.
Generated analysis reports are automatically and permanently deleted within 24 hours of generation.

No backups of the processed business documents are maintained; once deleted, the data is unrecoverable.

(b) Anonymous statistical data. The Processor retains anonymous, aggregated statistical data consisting of the 12 section scores, GICS-based industry classification, country/region, and timestamp, as further described in the Terms of Service (Section 3.5). This data is statistical, contains no link to the Controller or to the submitted material, and is not personal data within the meaning of the GDPR. It is retained indefinitely for product development purposes only. It is not used to train or fine-tune machine learning models and is not transferred to third parties.

(c) Public sharing. If the Controller chooses to use the in-service share link function as set out in Section 7 of the Terms of Service, the published version of the report or main image is retained on the Processor’s servers for as long as the share link is active. Source files remain subject to the immediate-deletion rule in Section 6(a) and are not retained for the share function. Upon deletion of the share link or closure of the Controller’s account, the published version is removed from the Processor’s servers immediately.

(d) Support requests. Materials submitted with a support request — including the report (automatically attached) and any voluntarily attached source materials — are retained for up to 14 days from submission. Either the Controller or the Processor may request an extension where investigation requires more time; any extension requires the mutual agreement of both parties, which may be communicated via the email address or phone number (SMS) provided in the support request. The text content of the support ticket is retained per the standard support-ticket retention period set out in the Privacy Policy.

(e) Metadata and account records. The Processor remains responsible for the integrity of system metadata and account records, which are subject to separate retention periods defined in the Privacy Policy.