Data Processing Addendum.

The terms under which Setell processes personal data on behalf of its customers. This page presents Setell's standard DPA terms. For a counter-signed copy, contact privacy@setell.ai.

Effective Date
May 19, 2026
Version
v1.0
Processor
Timber Ridge Capital LLC, a Washington limited liability company, operating as Setell.
Controller
The Setell customer that has executed an underlying service agreement and uses the Setell service in the course of its business.
Note. This page publishes Setell's standard DPA terms for transparency. Customers requiring a counter-signed copy, an exhibit reflecting their specific data categories, or the EU Standard Contractual Clauses bound as a schedule should email privacy@setell.ai with the subject “DPA request.”

1. Definitions

Key terms used in this DPA

Capitalized terms have the meanings set out in Article 4 of the EU General Data Protection Regulation (Regulation 2016/679, the “GDPR”) unless otherwise defined here.

Controller
The natural or legal person that, alone or jointly with others, determines the purposes and means of the processing of Personal Data. The Setell customer is the Controller for the Personal Data it submits to or generates within the Setell service.
Processor
The natural or legal person that processes Personal Data on behalf of the Controller. Setell is the Processor for the Personal Data the Controller submits to the service.
Personal Data
Any information relating to an identified or identifiable natural person (the “Data Subject”) that the Controller submits to, generates within, or instructs Setell to process through the service.
Data Subject
An identified or identifiable natural person to whom Personal Data relates. For Setell customers, Data Subjects are principally the Controller's own customers, prospects, vendors, and end-users referenced in inbound emails, quotes, invoices, and connected-account records.
Sub-Processor
A third party engaged by Setell to process Personal Data on behalf of the Controller. The current list is published at setell.ai/legal/sub-processors.
Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

2. Scope & Roles

How the parties relate

Controller and Processor relationship
The Controller determines the purposes and means of processing. Setell, as Processor, processes Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries, unless required to do so by applicable law to which Setell is subject. In that case, Setell will inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
Description of the processing
Setell processes Personal Data to provide the service to the Controller, which includes:
  • Ingesting inbound email matching customer-quote patterns from the Controller's connected mailbox
  • Drafting and revising AI-generated quotes on the Controller's behalf
  • Sending outbound quote, invoice, and follow-up emails through the Controller's connected mailbox
  • Synchronizing customer, estimate, invoice, and payment records with the Controller's QuickBooks Online account
  • Posting status notifications to the Controller's connected Slack workspace, where configured
  • Maintaining job and quote history and retrieving prior context to assist with future quotes
Controller instructions
The terms of this DPA, together with the Controller's configuration of the service (connected integrations, autonomy mode settings, retention preferences), constitute the Controller's documented instructions to Setell. The Controller may issue additional written instructions consistent with the underlying service agreement; Setell will inform the Controller if, in its opinion, an instruction infringes applicable data protection law.

3. Data Categories

Categories of Personal Data & Data Subjects

Categories of Personal Data
  • Identification data — name, email address, phone number
  • Business contact data — company name, role, billing address
  • Communication content — email subject lines and bodies sent to or from the Controller's connected mailbox in connection with a quote
  • Commercial data — quote text, line items, prices, invoice numbers, payment amounts and statuses
  • Account identifiers — user IDs, customer IDs, and similar identifiers in connected systems (QuickBooks, Slack)
  • Technical data — IP addresses, user agents, and timestamps captured in access and audit logs
Categories of Data Subjects
  • The Controller's own customers and prospects who send or receive quote-related emails
  • The Controller's vendors, subcontractors, or other counterparties referenced in quote and invoice records
  • The Controller's authorized users of the Setell service (employees, owners, bookkeepers)
  • Any individual referenced by name or contact detail in email bodies, attachments, or records the Controller imports
Special categories
Setell does not require or invite the Controller to submit special categories of Personal Data (such as health, racial, religious, or biometric data) to the service. Where such data appears incidentally in an email body the Controller chooses to process, it is processed only to the extent necessary to render the service, and the Controller acknowledges responsibility for ensuring such submission complies with applicable law.

4. Duration

How long processing continues

Duration of processing
Setell processes Personal Data for the duration of the underlying service agreement between the parties, plus a thirty (30) day tail following termination during which the Controller may request export of its Personal Data in a portable format. After that thirty-day window, Setell will delete or return Personal Data in accordance with Section 11.

5. Processor Obligations

Setell's commitments as Processor

Confidentiality
Setell ensures that personnel authorized to process Personal Data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality, and are granted access only on a need-to-know basis.
Security measures
Setell implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. The full set of measures is described at setell.ai/security.
Personnel
Access to production systems is limited to authorized personnel, requires multi-factor authentication, and is reviewed on a recurring basis. Former personnel access is revoked on departure.
Assistance to the Controller
Taking into account the nature of the processing, Setell assists the Controller, by appropriate technical and organizational measures, in fulfilling the Controller's obligation to respond to requests for exercising Data Subject rights and in meeting the Controller's obligations under GDPR Articles 32 to 36, including breach notification, data protection impact assessments, and prior consultation with supervisory authorities.

6. Sub-Processors

Engagement of sub-processors

General authorization
The Controller provides general written authorization for Setell to engage Sub-Processors to assist with processing Personal Data. The current list of Sub-Processors is published at setell.ai/legal/sub-processors.
Notification of changes
Setell will give the Controller at least thirty (30) days' prior notice of the addition or replacement of any Sub-Processor that processes Personal Data, by updating the published Sub-Processor list and by email to anyone subscribed via subprocessor-updates@setell.ai.
Right to object
The Controller may object to the engagement of a new Sub-Processor on reasonable data protection grounds during the notice period. If the parties cannot resolve the objection within thirty (30) days, the Controller may terminate the affected portion of the service for convenience, with a pro-rata refund of prepaid fees for the unused period.
Flow-down terms
Setell will impose on each Sub-Processor data protection obligations no less protective than those set out in this DPA and remain fully liable to the Controller for the performance of each Sub-Processor's obligations.

7. International Transfers

Cross-border data transfers

Transfer mechanisms
Setell processes Personal Data primarily in the United States (AWS us-east-1 for application hosting; Neon, hosted on AWS us-east-2, for the primary database). Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a third country that has not received an adequacy decision, the parties agree that the Standard Contractual Clauses approved by the European Commission in Implementing Decision 2021/914 of 4 June 2021 (Module 2, Controller-to-Processor) apply and are incorporated by reference, with the Controller as the data exporter and Setell as the data importer. The UK Addendum to the EU Standard Contractual Clauses applies to transfers from the United Kingdom; the Swiss Federal Data Protection and Information Commissioner's adaptation applies to transfers from Switzerland.

8. Data Subject Rights

Assistance with Data Subject requests

Cooperation with the Controller
Setell will, taking into account the nature of the processing and insofar as possible, assist the Controller through appropriate technical and organizational measures in fulfilling the Controller's obligation to respond to requests from Data Subjects exercising their rights under GDPR Articles 12 to 22, including:
  • The right of access (Art. 15)
  • The right to rectification (Art. 16)
  • The right to erasure / 'right to be forgotten' (Art. 17)
  • The right to restriction of processing (Art. 18)
  • The right to data portability (Art. 20)
  • The right to object (Art. 21)
  • The right not to be subject to a decision based solely on automated processing (Art. 22)

If a Data Subject submits a request directly to Setell, Setell will, without undue delay, forward the request to the Controller and will not respond to the Data Subject directly unless authorized to do so by the Controller or required by law.

9. Breach Notification

Personal Data Breach notification

Notification timing and contents
Setell will notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting the Controller's Personal Data. The notification will, at minimum and to the extent then known:
  • Describe the nature of the breach including, where possible, the categories and approximate number of Data Subjects and records concerned
  • Communicate the name and contact details of Setell's contact point for the breach
  • Describe the likely consequences of the breach
  • Describe the measures taken or proposed to address the breach and to mitigate its possible adverse effects

Setell will provide ongoing updates as the investigation progresses and will cooperate with the Controller's investigation and notifications to supervisory authorities and Data Subjects, as applicable.

10. Audit Rights

Controller audit and information rights

Information requests
Setell will make available to the Controller all information necessary to demonstrate compliance with this DPA, including:
  • The current security white paper at setell.ai/security
  • The current sub-processor list at setell.ai/legal/sub-processors
  • SOC 2 Type II reports, once available, on execution of a customary non-disclosure agreement
  • Summary results of the most recent independent penetration test, on execution of a customary non-disclosure agreement
On-site or third-party audits
The Controller may, no more frequently than once every twelve months and at the Controller's sole expense, commission a qualified independent third-party auditor (bound by confidentiality obligations) to audit Setell's compliance with this DPA, subject to thirty (30) days' prior written notice and reasonable scope and timing agreed by the parties. More frequent audits are permitted following a Personal Data Breach affecting the Controller and where required by a supervisory authority.

11. Return or Deletion

Return or deletion of Personal Data

At end of processing
At the Controller's choice, Setell will delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and will delete existing copies unless applicable law requires storage of the Personal Data. Specifically:
  • On termination of the underlying service agreement, the Controller has thirty (30) days to request export of its Personal Data in a portable format
  • After the thirty-day export window, Setell will delete the Controller's Personal Data from production systems
  • Backup copies containing Personal Data are purged within ninety (90) days of the termination effective date
  • Sub-Processors are instructed to delete the Controller's Personal Data on the same schedule, except where retention is required by applicable law
  • Setell will, on the Controller's written request, certify in writing that the deletion has been completed

12. Liability

Liability and indemnification

Limitation
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability and exclusions of damages set forth in the underlying service agreement between the parties. Nothing in this DPA limits or excludes either party's liability for matters that cannot be excluded or limited under applicable law.

13. Governing Law

Governing law and order of precedence

Governing law
This DPA is governed by the laws of the State of Washington, United States, without regard to its conflict of laws principles, except where mandatory provisions of applicable data protection law (including the GDPR and the UK Data Protection Act 2018) apply.
Order of precedence
In the event of a conflict between this DPA and the underlying service agreement, this DPA prevails with respect to the processing of Personal Data. In the event of a conflict between this DPA and the Standard Contractual Clauses incorporated under Section 7, the Standard Contractual Clauses prevail.

14. Contact

Request a signed DPA

Customers needing a counter-signed Data Processing Addendum or wishing to discuss specific terms should contact us. We typically respond within two business days.

For privacy & data rights inquiries: privacy@setell.ai
For security concerns: security@setell.ai

Standard DPA terms, v1.0.
Effective May 19, 2026. Reviewed at least annually.