# Summarize Pro: Data Processing Addendum

Updated Jul 2026. This addendum applies when you use Summarize Pro on documents containing personal data and you act as controller. It incorporates GDPR Article 28 processor duties.

## 1. Roles and scope
You are the controller of the documents you submit; Summarize Pro is the processor. Processing is limited to producing the summaries and cited claims you request, for the duration of your account.

## 2. Data categories and duration
Whatever personal data your documents contain (you must not submit GDPR Article 9 special-category data, per the terms), plus your account email. Source files are deleted at processing time; summaries persist until you delete them; account data persists until account deletion.

## 3. Subprocessors
Anthropic (model inference, no training on API data), Vercel (hosting, temporary file storage), Supabase (database, EU region), Stripe (billing), Resend (email), Google Analytics (aggregate usage only, no document content). Subprocessor changes are announced on summarizepro.com/dpa at least 14 days before they take effect.

## 4. Security
Encryption in transit everywhere; tokens and sessions stored only as hashes; access to production limited to the operator; source-file deletion implemented in code; per-account isolation on every query.

## 5. International transfers
Database storage is in the EU. Where subprocessors process data in the United States, transfers rely on the mechanisms in their data processing terms (EU-US Data Privacy Framework participation or standard contractual clauses, as applicable to each).

## 6. Assistance, audit, deletion
We assist with data subject requests affecting data we hold, notify you without undue delay of a personal data breach affecting your data, make our records available to demonstrate compliance, and on termination delete the account and all associated data.
