Skip to content

Data Processing Agreement

Last updated: May 2026.

1. Scope

This Data Processing Agreement ("DPA") forms part of the agreement between the customer organization ("Data Controller") and MAS Pilot, LLC ("Data Processor") for the processing of personal data in connection with the MAS Pilot compliance platform. This DPA applies to all personal data processed by MAS Pilot on behalf of the Data Controller when providing compliance validation, document generation, and regulatory guidance services.

2. Data Processed

MAS Pilot processes the following categories of data on behalf of the Data Controller:

  • User account information (name, email address, role)
  • Organization details (legal name, UEI, CAGE code, SAM.gov registration data)
  • Contract and pricing data submitted for TDR validation
  • Compliance validation results and audit trail records
  • Uploaded documents (TDR files, modification attachments)
  • Usage analytics and session data (with consent)

3. Processing Purpose

Data is processed solely for the purpose of delivering the compliance services described in the Terms of Service. MAS Pilot will not process personal data for any purpose other than as instructed by the Data Controller or as required by applicable law. MAS Pilot does not sell, rent, or share personal data with third parties for marketing purposes.

4. Sub-Processors

MAS Pilot uses the following sub-processors to deliver its services:

  • Supabase (AWS us-east-2) — Database hosting, authentication, file storage
  • Vercel — Application hosting and edge compute
  • Resend — Transactional email delivery
  • Stripe — Payment processing (PCI DSS Level 1 compliant)
  • Sentry — Error monitoring (PII redacted before transmission)
  • PostHog — Product analytics (consent-gated)

MAS Pilot will notify the Data Controller before engaging any new sub-processor. The Data Controller may object to a new sub-processor within 30 days of notification.

5. Security Measures

MAS Pilot implements appropriate technical and organizational measures to protect personal data, including:

  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Row-level security enforcing organization-level data isolation
  • Multi-factor authentication support for all user accounts
  • Immutable audit trail for compliance-relevant actions
  • Automated PII redaction in error monitoring and logging
  • CSRF protection, rate limiting, and security headers (CSP, HSTS, X-Frame-Options)

6. Data Retention

Contract-related records are retained for a minimum of three (3) years from the date of final contract payment, in accordance with FAR 4.703. Compliance audit trail records are retained for seven (7) years. Upon account termination, non-contract personal data is deleted within 30 days. The Data Controller may request early deletion of non-contract data at any time through account settings.

7. Data Subject Rights

MAS Pilot will assist the Data Controller in fulfilling data subject requests including access, rectification, erasure, and data portability. The Data Controller may initiate data export or account deletion through the Settings page or by contacting support. MAS Pilot responds to all data requests within 30 days.

8. Breach Notification

In the event of a personal data breach, MAS Pilot will notify the Data Controller without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include the nature of the breach, categories of data affected, approximate number of records involved, and measures taken to address the breach.

9. International Transfers

All primary data processing occurs within the United States (AWS us-east-2 region). MAS Pilot does not transfer personal data outside the United States unless required by the sub-processors listed in Section 4, each of which maintains appropriate data transfer mechanisms.

10. Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, MAS Pilot will delete or return all personal data to the Data Controller, subject to the retention requirements described in Section 6. The Data Controller may request a copy of their data prior to deletion.