Data Processing Addendum

Last updated · April 2026 · draft

DPA placeholder. Final version will be a standalone signable PDF countersigned on Enterprise contracts, aligned with the EU Standard Contractual Clauses. Summary of intent below.

Roles

The Customer is the data controller for any personal data contained in uploaded documents. Overlook is the data processor that processes such data solely on the Customer's instructions via the service.

Processing activities

• Ingesting documents the Customer uploads.
• Passing content to OpenAI's zero-retention API for extraction.
• Storing extracted fields + filled Excel outputs in the Customer's workspace.
• Providing access to the workspace members the Customer designates.

Sub-processors

Listed in the Privacy Policy. We give 30 days' notice of any new sub-processor.

International transfers

EU-based Customers can opt for EU-only hosting. Where data crosses borders, we rely on the EU Standard Contractual Clauses (June 2021) as the legal mechanism.

Security measures

TLS 1.3 in transit, AES-256 at rest, least-privilege access control, comprehensive audit logging, documented incident response. Details in the Security page.

Customer assistance

On reasonable request we assist the Customer in responding to data subject requests (access, erasure, portability) and in completing DPIAs. Contact privacy@overlook.ai.

Other documents

• Terms of Service
• Privacy Policy