Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of, and is incorporated by reference into, the SchemaForce Terms of Service or other written or electronic agreement between you (“Customer”) and SchemaForce, LLC (“SchemaForce,” “we,” “us”) governing Customer’s use of the SchemaForce service (the “Agreement”).

By accepting the Agreement, or by accessing or using the service, Customer agrees to this DPA on behalf of itself and, to the extent required, its Affiliates. The individual accepting this DPA represents that they have the authority to bind Customer to it. If you do not have that authority, or do not agree, do not use the service.

This DPA applies to the extent SchemaForce processes Personal Data on Customer’s behalf in the course of providing the service. Where Customer requires a signed copy of this DPA, Customer may request one at support@schemaforce.com; the substantive terms are the same.

Capitalized terms not defined here have the meaning given in the Agreement.

“Applicable Data Protection Law” means all privacy and data protection laws applicable to the processing of Personal Data under this DPA, including, as applicable, the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection, and US state privacy laws including the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”).

“Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” and “Personal Data Breach” have the meanings given in the GDPR, and their equivalents under other Applicable Data Protection Law (including “Business,” “Service Provider,” “Consumer,” “Personal Information,” “Sell,” and “Share” under CCPA/CPRA) apply correspondingly.

“Account Data” means Personal Data relating to Customer’s personnel who register for, administer, or use the service — for example, name, email address, authentication identifiers, billing contact, and usage records.

“Customer Personal Data” means Personal Data contained within the Salesforce Metadata that SchemaForce processes on Customer’s documented instructions.

“Salesforce Metadata” means the structural configuration of a Salesforce organization — including object and field definitions, picklist values, relationships, field descriptions, page and permission configuration, and change history — but excluding the contents of individual Salesforce records.

“Sub-processor” means any third party engaged by SchemaForce to process Customer Personal Data.

“Standard Contractual Clauses” (“SCCs”) means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to third countries, and any equivalent UK or Swiss transfer mechanism.

2.1 Customer Personal Data — processor relationship. With respect to Customer Personal Data, Customer is the Controller (or, where Customer is itself acting as a Processor on behalf of a third-party Controller, the Processor) and SchemaForce is the Processor (or Sub-processor, respectively). SchemaForce processes Customer Personal Data only to provide the service and only on Customer’s documented instructions as set out in Section 3.

2.2 Consultant and agency use. Where Customer uses the service to operate on a Salesforce organization belonging to Customer’s own client, Customer remains responsible as between the parties for establishing the lawful basis and instructions for that processing, and SchemaForce processes the relevant Customer Personal Data as a Sub-processor under the same terms of this DPA.

2.3 Account Data — controller relationship. With respect to Account Data, SchemaForce acts as an independent Controller and processes Account Data in accordance with the SchemaForce Privacy Policy, not under this DPA. This includes processing necessary to authenticate users, provide and secure the service, bill Customer, and meet legal obligations.

3.1 Documented instructions. SchemaForce processes Customer Personal Data only on Customer’s documented instructions, including with regard to transfers, unless required to do otherwise by law (in which case SchemaForce will inform Customer of that legal requirement before processing, unless the law prohibits it). The Agreement, this DPA, the configuration choices Customer makes within the service, and Customer’s use of the service’s features constitute Customer’s complete and final documented instructions.

3.2 Particulars of processing. The subject matter, duration, nature and purpose of processing, the types of Personal Data, and the categories of Data Subjects are described in Annex 1.

3.3 Lawfulness. Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired it, and warrants that it has provided all required notices and has a lawful basis to provide the Customer Personal Data to SchemaForce for processing under this DPA and the Agreement.

3.4 Notice of unlawful instruction. SchemaForce will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law, without obligation to conduct a legal review of the adequacy of Customer’s instructions.

4.1 Metadata scope. The service is designed to process Salesforce Metadata. SchemaForce does not access or process the contents of individual Salesforce records. Access to Customer’s Salesforce organization is constrained by a technical endpoint allowlist that limits retrieval to metadata.

4.2 Personal Data incidentally present in metadata. Customer acknowledges that Salesforce Metadata may incidentally contain Personal Data — for example, where a field label, description, or picklist value contains an individual’s name or other identifying information, or where such information is incorporated into enriched semantic text generated by the service. Any such Personal Data is treated as Customer Personal Data and processed under this DPA. SchemaForce does not represent that the metadata it processes contains no Personal Data; rather, it limits processing to the metadata layer as described in Section 4.1.

SchemaForce ensures that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality, whether contractual or statutory, and are made aware of the confidential nature of the data. Access to Customer Personal Data is limited to personnel who require it to provide the service.

6.1 Measures. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to Data Subjects, SchemaForce implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures are described in Annex 2.

6.2 Updates. SchemaForce may update its security measures from time to time, provided that such updates do not materially reduce the overall level of protection.

7.1 General authorization. Customer provides general authorization for SchemaForce to engage Sub-processors to process Customer Personal Data, subject to this Section 7. SchemaForce’s current Sub-processors are listed in Annex 3 and maintained on the SchemaForce Security page.

7.2 Obligations on Sub-processors. SchemaForce imposes on each Sub-processor, by written contract, data protection obligations substantially equivalent to those in this DPA, in particular sufficient guarantees to implement appropriate technical and organizational measures.

7.3 Liability. SchemaForce remains liable to Customer for the performance of each Sub-processor’s obligations.

7.4 Notice and objection. SchemaForce will give Customer notice of any intended addition or replacement of a Sub-processor at least 30 days before that Sub-processor begins processing Customer Personal Data, by updating the list on the Security page and notifying the account’s administrators by email. Customer may object on reasonable data-protection grounds within 30 days of notice. The parties will work in good faith to resolve the objection; if they cannot, Customer may terminate the affected portion of the service as its sole remedy.

SchemaForce notifies Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will describe, to the extent known and as it becomes available, the nature of the breach, the likely consequences, and the measures taken or proposed to address it. SchemaForce provides reasonable cooperation and information to assist Customer in meeting Customer’s own breach-notification obligations. SchemaForce’s notification is not an acknowledgment of fault or liability.

Taking into account the nature of the processing and the information available to SchemaForce, SchemaForce provides reasonable assistance to Customer through appropriate technical and organizational measures, insofar as possible, to enable Customer to: (a) respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (Section 10); and (b) meet Customer’s obligations relating to security of processing, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.

SchemaForce may charge a reasonable fee for assistance that exceeds what is required to be provided without charge under Applicable Data Protection Law, on prior notice to Customer.

If SchemaForce receives a request from a Data Subject in respect of Customer Personal Data, SchemaForce will, unless legally prohibited, promptly direct the Data Subject to Customer and will not otherwise respond to the request except on Customer’s documented instructions. SchemaForce provides Customer with the functionality and reasonable assistance necessary for Customer to respond to such requests.

11.1 SchemaForce does not transfer Customer Personal Data outside of the United States except as necessary to provide the service and in compliance with this Section.

11.2 Where a transfer of Customer Personal Data from the European Economic Area, the United Kingdom, or Switzerland is subject to a transfer mechanism under Applicable Data Protection Law, the parties agree that the applicable Standard Contractual Clauses are incorporated into this DPA by reference and completed as set out in Annex 1, with SchemaForce as data importer and Customer as data exporter, using Module Two (Controller-to-Processor) and, where Section 2.2 applies, Module Three (Processor-to-Processor). The UK International Data Transfer Addendum and the Swiss amendments apply where relevant.

12.1 SchemaForce makes available to Customer information reasonably necessary to demonstrate compliance with this DPA, including documentation of the measures in Annex 2, responses to reasonable security questionnaires, and any third-party audit reports SchemaForce makes available.

12.2 Where the information made available under Section 12.1 is not sufficient to demonstrate compliance, Customer (or an independent auditor mandated by Customer and not a competitor of SchemaForce) may conduct an audit, subject to: reasonable prior written notice of at least 30 days; a frequency of no more than once in any twelve-month period (except where required by a supervisory authority or following a Personal Data Breach); conduct during business hours, under confidentiality, and in a manner that does not unduly disrupt SchemaForce’s operations; and Customer bearing its own and SchemaForce’s reasonable costs of the audit.

On termination or expiry of the Agreement, and at Customer’s choice, SchemaForce returns or deletes Customer Personal Data, and deletes existing copies, within 30 days, unless retention is required by law. Customer may export Customer Personal Data through the service prior to deletion. SchemaForce may retain Customer Personal Data to the extent and for the period required by Applicable Data Protection Law, during which time the data remains subject to the protections of this DPA.

14.1 Service Provider status. To the extent SchemaForce processes Personal Information subject to the CCPA/CPRA, SchemaForce acts as a Service Provider and processes such Personal Information solely to perform the services under the Agreement (the “Business Purpose”).

14.2 Restrictions. SchemaForce will not: (a) Sell or Share Personal Information; (b) retain, use, or disclose Personal Information for any purpose other than the Business Purpose, or as otherwise permitted by the CCPA/CPRA; (c) retain, use, or disclose Personal Information outside the direct business relationship with Customer; or (d) combine Personal Information received from Customer with Personal Information from other sources, except as permitted by the CCPA/CPRA.

14.3 Certification. SchemaForce certifies that it understands and will comply with the restrictions in this Section 14.

14.4 Cooperation. SchemaForce provides reasonable assistance to enable Customer to respond to verifiable consumer requests and notifies Customer if it determines it can no longer meet its obligations under the CCPA/CPRA.

15.1 Precedence. In the event of a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA controls.

15.2 Liability. Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

15.3 Changes. SchemaForce may update this DPA from time to time, provided that no update materially reduces the protections for Customer Personal Data. Material changes will be notified in accordance with the Agreement.

15.4 Governing law. This DPA is governed by the law and jurisdiction set out in the Agreement, except where Applicable Data Protection Law requires otherwise.

15.5 Severability. If any provision of this DPA is held invalid or unenforceable, the remainder continues in effect.

Subject matter. Provision of the SchemaForce metadata documentation and intelligence service to Customer.

Duration. The term of the Agreement, plus the retention and deletion period in Section 13.

Nature and purpose. Retrieval, storage, indexing, enrichment, analysis, comparison, and documentation of Salesforce Metadata in order to provide Customer with a searchable data dictionary, change history, access analysis, and related features.

Types of Personal Data. Personal Data incidentally contained within Salesforce Metadata — for example, individual names or identifiers appearing in field labels, descriptions, picklist values, or enriched semantic text. (Account Data processed by SchemaForce as a Controller — administrator name, email, authentication identifiers, and billing details — is governed by the Privacy Policy and is listed here for completeness only.)

Categories of Data Subjects. Customer’s personnel and administrators; and any individuals whose Personal Data incidentally appears within the Salesforce Metadata of Customer’s organization (which may include Customer’s employees, contractors, customers, or contacts, depending on how Customer has configured its Salesforce organization).

Controller / Processor. Customer: Controller (or Processor, per Section 2.2). SchemaForce: Processor (or Sub-processor).

SchemaForce maintains the following measures, which may be updated in line with Section 6.2.

Access limitation by design. A technical endpoint allowlist constrains the service to retrieving Salesforce Metadata and prevents access to the contents of individual Salesforce records.

Encryption. Salesforce credentials and access tokens are encrypted at rest, and data in transit is protected using TLS.

Tenant isolation. Customer data is logically isolated between tenants using row-level security controls.

Access control. Access to production systems and Customer data is restricted to authorized personnel on a least-privilege basis and protected by authentication controls.

Secret handling. Tokens and identifiers are kept out of URLs, and secrets are stored in a managed secrets system rather than in source code or logs.

Resilience. The service runs on managed cloud infrastructure with automated database backups.

Personnel. Personnel with access to Customer data are subject to confidentiality obligations and security practices.

Vendor management. Sub-processors are subject to contractual data-protection obligations as described in Section 7.

SchemaForce engages the Sub-processors below. The current list is maintained on the SchemaForce Security page. All are located in the United States.

Sub-processors that may process Customer Personal Data (metadata, including any incidental Personal Data): Supabase (database, authentication, and storage); Vercel (application hosting and edge delivery); Anthropic (language-model generation for the assistant, using schema context only); OpenAI (semantic search and metadata enrichment); and Google (only where Customer elects to export metadata to its own Google Sheets or Drive, scoped to the drive.file permission).

Sub-processors that process Account Data only (controller-level, governed by the Privacy Policy and listed here for transparency): Stripe (subscription billing and payments); WorkOS (authentication, single sign-on, and directory sync); Resend (service and notification email); and PostHog (product analytics and monitoring).