Skip to main content

Data Processing Agreement

Version 1.1 · Last updated April 30, 2026


Data Processing Agreement

Last Updated: April 30, 2026
Version: 1.1
Status: PUBLISHED


Overview

This Data Processing Agreement ("DPA") is incorporated by reference into the Denouement Terms of Service. It governs how Ridgecrest Works LLC ("Processor," "we") processes personal information on behalf of Denouement planners ("Controller," "you") in connection with the Denouement Platform.

By accepting the Terms of Service, you agree to this DPA.


1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person that is processed through the Platform on your behalf, including personal information of your clients, their guests, and any individuals named in documents you upload.

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.

"Sub-Processor" means any third party engaged by Processor to process Personal Data in connection with the Platform services.

"Data Subject" means the individual whose Personal Data is being processed.


2. Scope and Roles

You are the Controller of Personal Data you upload to the Platform. You determine the purposes and means of processing that data in connection with your event planning activities.

We are the Processor of that data. We process it only on your behalf and only to provide the Platform services.

We are also a Service Provider under the California Consumer Privacy Act (CCPA), and all processing by us is subject to the CCPA Service Provider restrictions described in Section 5.


3. Processing Instructions

We will process Personal Data only on your documented instructions, which consist of:

  • Providing the Platform features and services described in the Terms of Service
  • Security monitoring, fraud prevention, and bug fixing
  • Compliance with applicable law
  • Responding to data subject rights requests with your assistance

We will notify you promptly if, in our opinion, any instruction violates applicable law.


4. Our Obligations

As Processor, we shall:

  • Process Personal Data only as directed by you and as described in this DPA
  • Implement and maintain appropriate technical and organizational security measures (see our Security Policy)
  • Ensure that personnel with access to Personal Data are bound by appropriate confidentiality obligations
  • Assist you in fulfilling data subject rights requests (access, deletion, correction) within applicable legal timeframes
  • Notify you within 48 hours of becoming aware of any Personal Data breach affecting your data
  • Delete or return all Personal Data within 30 days of termination of the Terms of Service, unless longer retention is required by law
  • Make available to you all information reasonably necessary to demonstrate compliance with this DPA

5. CCPA Service Provider Restrictions

As a Service Provider under CCPA (Cal. Civ. Code §1798.140(ag)), we shall not:

  • Sell or share Personal Data
  • Retain, use, or disclose Personal Data for any purpose other than providing the Platform services
  • Retain, use, or disclose Personal Data outside the direct business relationship between you and us
  • Combine Personal Data with data obtained from other sources for purposes inconsistent with the permitted purposes
  • Use Personal Data to train AI models without your explicit written consent

6. Your Obligations

As Controller, you represent and warrant that:

  • You have obtained all necessary consents and have a lawful basis for processing the Personal Data you upload to the Platform
  • You have provided appropriate notice to your clients and their guests regarding their information being processed through the Platform
  • You will promptly notify us of any changes to applicable processing instructions
  • You will cooperate with us in responding to data subject requests

7. Sub-Processors

We maintain a list of approved sub-processors at denouement.ai/legal/subprocessors.

We will provide 30 days' advance written notice before engaging a new sub-processor or materially changing the role of an existing sub-processor. You may object to a new or changed sub-processor in writing within the notice period. If we cannot reasonably accommodate your objection, you may terminate this DPA on 30 days' written notice.

All sub-processors are bound by data processing obligations no less protective than those in this DPA.


8. Security

We implement the security measures described in our Written Information Security Program, consistent with California Civil Code §1798.81.5. These include encryption in transit and at rest, access controls, and regular security reviews. See [/security] for our public security page.


9. Data Breach Notification

In the event of a Personal Data breach:

  1. We will notify you within 48 hours of becoming aware
  2. Notification will include: nature of the breach, categories of data affected, approximate number of individuals, likely consequences, and measures taken or proposed
  3. We will cooperate with you in any required notification to affected individuals or regulators

10. Data Subject Rights

We will assist you in responding to data subject rights requests (access, deletion, correction, portability) in accordance with applicable law. We will forward any data subject requests we receive directly to you within 5 business days.


11. Audit Rights

Upon 30 days' written notice, you may:

  • Request documentation evidencing our compliance with this DPA
  • Review our most recent third-party security audit or certification
  • Conduct an audit of our data processing practices (at your expense, no more than once per year, subject to reasonable confidentiality protections)

12. International Transfers

The Platform is operated from the United States. If you or your clients are located outside the U.S., by using the Platform you consent to the transfer of Personal Data to the United States. If you anticipate processing personal data of EU/EEA residents, please contact us at legal@denouement.ai to discuss Standard Contractual Clauses or other appropriate transfer mechanisms.


13. Term and Termination

This DPA is effective for the duration of the Terms of Service. Upon termination, all Personal Data will be deleted or returned per Section 4 and our data retention obligations.


14. Contact

For DPA-related inquiries: legal@denouement.ai


© 2026 Ridgecrest Works LLC. All rights reserved. Denouement is a trademark of Ridgecrest Works LLC.