Data Processing Agreement

Effective date: February 26, 2026

This Data Processing Agreement ("DPA") is entered into between Saul Inc. ("Processor") and the customer accessing the Service ("Controller"). This DPA is incorporated into and forms part of the Saul Terms of Service.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person contained within evidence files or account data processed through the Service.

"Processing" means any operation performed on Personal Data, including storage, retrieval, use, transcription, and analysis.

"Sub-processor" means any third party engaged by Saul to process Personal Data in connection with the Service.

2. Scope and Purpose

Saul processes Personal Data solely to provide the transcription and AI analysis services described in the Terms of Service, and only on documented instructions from the Controller (i.e., the actions taken within the platform).

3. Data Location

All Personal Data is stored and processed exclusively within the United States. Saul does not transfer Personal Data outside the United States.

4. Security Measures

Saul implements the following technical and organizational security measures:

  • AES-256 encryption at rest for all stored evidence files
  • TLS 1.3 encryption in transit
  • Role-based access controls with audit logging
  • Isolation of customer data by user account
  • Automatic deletion of unpaid/abandoned uploads after 7 days

5. Sub-Processors

Saul uses the following sub-processors, all located in the United States:

  • Amazon Web Services — file storage and transcription
  • OpenAI — transcript analysis
  • Vercel — application hosting
  • Stripe — payment processing (payment data only, not evidence files)

Saul will notify the Controller of any intended changes to sub-processors that may affect the processing of Personal Data.

6. Confidentiality

Saul ensures that all personnel authorized to process Personal Data are subject to appropriate confidentiality obligations.

7. Data Subject Rights

Saul will assist the Controller in fulfilling data subject rights requests (access, rectification, erasure, portability) to the extent technically feasible. Requests should be submitted to hello@usesaul.com.

8. Breach Notification

In the event of a Personal Data breach, Saul will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, providing sufficient information to allow the Controller to meet any applicable notification obligations.

9. Deletion on Termination

Upon termination of the Service relationship, Saul will delete or return all Personal Data within 30 days, unless retention is required by applicable law.

10. Contact

For DPA inquiries: hello@usesaul.com