Data Processing Agreement

Last updated: June 27, 2026

This page describes how DeepMyst, Inc. (“Life is a Pitch”, “we”, “us”) processes personal data on behalf of business customers and how to put a formal Data Processing Agreement (“DPA”) in place. It is a summary for convenience. Where you and DeepMyst, Inc. have executed a signed DPA, that signed agreement governs and prevails over this page. To request our standard DPA for review or signature, email admin@deepmyst.com.

1. Definitions

Terms used here have the meanings given in applicable Data Protection Law. For convenience:

• Controller— the entity that determines the purposes and means of processing Personal Data (the “business” under U.S. state laws).
• Processor— the entity that processes Personal Data on behalf of the Controller (the “service provider” under U.S. state laws).
• Sub-processor— a third party engaged by the Processor to process Personal Data on the Controller's behalf.
• Personal Data— any information relating to an identified or identifiable natural person that is processed under this DPA.
• Processing— any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
• Data Subject— the individual to whom Personal Data relates.
• Data Protection Law— all privacy and data-protection laws applicable to the processing, including the EU General Data Protection Regulation (EU GDPR), the UK GDPR, and the California Consumer Privacy Act as amended by the CPRA (CCPA), as each is in force.
• SCCs— the Standard Contractual Clauses approved by the European Commission in Commission Decision (EU) 2021/914, and, for UK transfers, the UK International Data Transfer Addendum (IDTA).

2. Roles and scope

When you use the Services to process Personal Data of your own users or contacts (for example, content you include in a deck), you are the Controller (the “business”) and DeepMyst, Inc.is the Processor (the “service provider”). This DPA applies to that processing. For Personal Data we process about you for our own purposes, we act as a controller under our Privacy Policy.

3. Details of processing

The subject matter, duration, nature and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I below.

4. Processor obligations

DeepMyst, Inc., acting as Processor, will:

• (a) Documented instructions.Process Personal Data only on the Controller's documented instructions, including the instructions set out in this DPA and the Terms of Use, unless required to do otherwise by applicable law (in which case we will inform the Controller unless the law prohibits it).
• (b) Confidentiality. Ensure that personnel authorized to process Personal Data are bound by appropriate obligations of confidentiality.
• (c) Security. Implement and maintain the technical and organizational measures described in Annex II, appropriate to the risk, as required by Article 32 of the GDPR.
• (d) Sub-processors. The Controller provides a general authorization for DeepMyst, Inc. to engage the Sub-processors listed in Annex III. We will give the Controller advance notice of any intended addition or replacement of a Sub-processor so the Controller has the opportunity to object on reasonable data-protection grounds, and we will impose data-protection terms on each Sub-processor that are no less protective than those in this DPA (flow-down).
• (e) Data-subject requests. Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects to exercise their rights.
• (f) Assistance. Assist the Controller in ensuring compliance with its obligations relating to security of processing, personal-data-breach notification, and data protection impact assessments and prior consultation, as set out in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to us.
• (g) Breach notification.Notify the Controller without undue delay after becoming aware of a Personal Data breach affecting the Controller's Personal Data, and provide the information reasonably available to us to help the Controller meet its own notification obligations.
• (h) Return or deletion.At the Controller's choice, delete or return all Personal Data on termination of the Services, and delete existing copies, except to the extent applicable law requires us to retain it.
• (i) Audits. Make available to the Controller the information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, on reasonable prior notice, during business hours, and subject to confidentiality.

5. International transfers

We and our Sub-processors may process Personal Data in the United States and other countries. Where this DPA covers a transfer of Personal Data from the EEA, the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of protection, the parties agree that the SCCs (Commission Decision (EU) 2021/914) apply, supplemented by the UK IDTA for UK transfers. The Annexes to this DPA populate the corresponding annexes of the SCCs.

6. CCPA service-provider terms

Where the CCPA applies and DeepMyst, Inc. acts as a service provider, we will not: sell or share the Personal Data; retain, use, or disclose it for any purpose other than the specific business purpose of performing the Services, or as otherwise permitted by the CCPA; retain, use, or disclose it outside the direct business relationship between the parties; or combine it with Personal Data received from another source, except as permitted by the CCPA. We certify that we understand and will comply with these restrictions.

7. Liability

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in our Terms of Use.

8. Term

This DPA takes effect when the Controller begins using the Services to process Personal Data and continues for as long as we process Personal Data on the Controller's behalf. The obligations relating to return or deletion, confidentiality, and liability survive termination.

Annex I — Description of Processing

• Categories of Data Subjects.The Controller's authorized users of the Services, and the individuals whose Personal Data the Controller chooses to include in prompts, decks, or other content submitted to the Services.
• Categories of Personal Data. Identifiers and contact data (such as name and email address); account data; any Personal Data contained in content the Controller submits (prompts, deck content, and uploads); and usage and log data generated through use of the Services.
• Special categories of Personal Data. Not requested or required by the Services. The Controller should not submit special categories of Personal Data through the Services.
• Nature and purpose of processing. Generating, editing, rendering, storing, exporting, and sharing presentations using AI, and operating, securing, and supporting the Services.
• Frequency of processing. Continuous, for the duration of the Services.
• Duration of processing. The term of the agreement between the parties, plus any additional period for which retention is required by applicable law.

Annex II — Technical and Organizational Measures

DeepMyst, Inc. maintains technical and organizational measures appropriate to the risk, summarized below and described more fully on our Security page:

• Encryption of data in transit (TLS) and at rest.
• Access controls and least-privilege, scoped service credentials.
• Authentication managed by Clerk, with short-lived sessions.
• Tenant isolation through per-account ownership checks.
• Logging, monitoring, and alerting to detect and investigate issues.
• Regular, encrypted backups of the production database.
• Due diligence on and contractual controls over Sub-processors.
• A responsible-disclosure / vulnerability-reporting channel.

Annex III — Sub-processors

DeepMyst, Inc. engages the following Sub-processors, each processing Personal Data for the stated purpose and located in the United States:

• Clerk— authentication and user management. United States.
• Stripe— payment processing. United States.
• Resend— transactional email delivery. United States.
• Render— application hosting and managed PostgreSQL database. United States.
• Cloudflare— object storage (R2) and DNS / edge network. United States.
• DeepMyst— AI generation engine. United States.
• OpenAI— AI model provider (via DeepMyst) that processes content to return AI results. United States.
• Anthropic— AI model provider (via DeepMyst) that processes content to return AI results. United States.
• PostHog— product analytics. United States.

How to request a signed DPA

Enterprise customers receive a signed DPA as part of their contract. To request our standard DPA for review or signature, email admin@deepmyst.com. Life is a Pitch is operated by DeepMyst, Inc., 474 Hyde Park Ave, Roslindale, MA 02131.