This Data Processing Agreement ("DPA") forms part of the agreement between Previa Inc. ("Previa," "Processor") and the entity agreeing to these terms ("Customer," "Controller") for the provision of the Previa prediction market intelligence platform (the "Services").
This DPA applies where and only to the extent that Previa processes Personal Data on behalf of Customer in the course of providing the Services, and such Personal Data is subject to Data Protection Laws.
1. Definitions
- "Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including the GDPR (EU Regulation 2016/679), the UK GDPR, the CCPA/CPRA, and any other applicable data protection legislation.
- "Personal Data" means any information relating to an identified or identifiable natural person that Previa processes on behalf of Customer in connection with the Services.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Sub-processor" means any third party engaged by Previa to process Personal Data on behalf of Customer.
2. Scope of Processing
2.1 Categories of Data Subjects
Data subjects include Customer's authorized users of the Platform, including employees and contractors.
2.2 Types of Personal Data
Personal Data processed may include: name, email address, IP address, device identifiers, usage data, authentication tokens, and platform account identifiers (API keys, wallet addresses) provided for portfolio linking.
2.3 Processing Purposes
Previa processes Personal Data solely for the purposes of providing the Services as described in the agreement, including account management, platform operation, notification delivery, and analytics.
3. Obligations of Previa as Processor
Previa shall:
- Process Personal Data only on documented instructions from Customer, unless required by applicable law
- Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
- Implement appropriate technical and organizational security measures, including encryption at rest and in transit, access controls, and regular security assessments
- Not engage Sub-processors without Customer's prior written authorization (general or specific). Previa shall notify Customer of any intended changes to Sub-processors, providing Customer the opportunity to object
- Assist Customer in responding to data subject rights requests, including access, rectification, erasure, restriction, portability, and objection
- Assist Customer in ensuring compliance with obligations regarding security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities
- At Customer's choice, delete or return all Personal Data upon termination of the Services, and delete existing copies unless retention is required by applicable law
- Make available to Customer all information necessary to demonstrate compliance with this DPA and allow for audits and inspections
4. Security Measures
Previa maintains the following security measures:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls following the principle of least privilege
- Regular vulnerability scanning and penetration testing
- Incident response procedures with defined escalation paths
- Employee security awareness training
- Secure development lifecycle practices
- Regular backup and disaster recovery procedures
5. Data Breach Notification
Previa shall notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data breach. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
6. Sub-processors
Previa's current Sub-processors include providers of cloud infrastructure, payment processing (Stripe), email delivery services, and analytics services. A current list is available upon request. Previa shall ensure that Sub-processors are bound by data protection obligations no less protective than those in this DPA.
7. International Transfers
Where Personal Data is transferred outside the EEA, UK, or Switzerland, Previa shall ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission (Module Two: Controller to Processor), or other transfer mechanisms recognized under applicable Data Protection Laws.
8. Data Subject Rights
Previa shall, taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures in fulfilling Customer's obligations to respond to data subject requests under Data Protection Laws.
9. Term and Termination
This DPA shall remain in effect for the duration of the agreement between Previa and Customer. Upon termination, Previa shall delete or return Personal Data within sixty (60) days, except where retention is required by applicable law or for legitimate backup and recovery purposes.
10. Governing Law
This DPA shall be governed by and construed in accordance with the laws governing the principal agreement between the parties, unless otherwise required by Data Protection Laws.
11. Contact
For questions about this DPA, contact:
Previa Inc.
Email: legal@previa.app