Legal
Data Processing Agreement
Last updated: July 18, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between the customer identified in the applicable Order Form (“Customer”) and SuiteMigration, Inc. (“SuiteMigration,” “we,” “us,” or “our”) governing Customer’s access to and use of SuiteMigration’s software (the “Software”) (the “Agreement”).
This DPA reflects the parties’ agreement on the processing of Personal Data in connection with the Software. Where this DPA conflicts with the Agreement, this DPA controls with respect to the processing of Personal Data.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person that SuiteMigration processes on Customer’s behalf under the Agreement.
- “Customer Data” means any data provided by or on behalf of Customer that is accessed by, processed through, or otherwise used with the Software, as defined in the Agreement.
- “Processing” means any operation performed on Personal Data, whether automated or not (collection, storage, retrieval, use, disclosure, deletion, etc.).
- “Controller,” “Processor,” “Data Subject,” and “Supervisory Authority” have the meanings given under applicable Data Protection Laws.
- “Data Protection Laws” means all laws applicable to the processing of Personal Data under the Agreement, including the California Consumer Privacy Act as amended (“CCPA/CPRA”) and other U.S. state privacy laws.
- “Sub-processor” means any third party engaged by SuiteMigration to process Personal Data in connection with the Software.
2. Roles of the Parties
For Personal Data processed under the Agreement, Customer is the Controller (or processor acting on behalf of a third-party controller) and SuiteMigration is the Processor (or sub-processor). For purposes of the CCPA/CPRA, SuiteMigration acts as a Service Provider and processes Personal Data solely to perform the Software’s function for Customer.
3. Scope and Purpose of Processing
SuiteMigration processes Personal Data only:
- to provide, secure, support, and maintain the Software;
- in accordance with Customer’s documented instructions, including those set out in the Agreement, the applicable Order Form, and this DPA; and
- as required by applicable law (in which case SuiteMigration will, where legally permitted, inform Customer of the requirement before processing).
The Software facilitates the movement and transformation of data between source and destination systems selected and controlled by Customer, including reading from and writing to those systems as configured by Customer. The subject matter, nature, categories of Data Subjects, and types of Personal Data are described in Annex A.
4. Customer Obligations
Customer is responsible for the accuracy and legality of Customer Data and for having an appropriate legal basis to provide it to SuiteMigration for processing. Customer is responsible for validating migration and mapping configurations in a pre-production environment prior to any production use, as set out in the Agreement.
5. Confidentiality
SuiteMigration ensures that personnel authorized to process Personal Data are bound by appropriate obligations of confidentiality and access Personal Data only on a need-to-know basis.
6. Security Measures
SuiteMigration maintains technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. A summary appears in Annex C.
7. Use of Artificial Intelligence; No Model Training
The Software includes an optional, user-initiated feature that uses AI to suggest field mappings during a migration. This feature is off by default — Customer Data is only sent for AI processing when a user affirmatively chooses to use it for a given mapping task.
When used, this feature runs through AWS-managed Amazon Bedrock, within SuiteMigration’s own AWS account and infrastructure — not a separate third-party AI vendor. Under AWS’s published Amazon Bedrock documentation, AWS states that Bedrock:
- does not store customer input data or model output data;
- does not share that data with the third-party model providers whose models it hosts — each model provider operates within a dedicated model deployment account that the provider cannot access, and model-invocation traffic stays within the AWS network; and
- does not use that data to train any models.
Accordingly:
- No model training. Customer Data and Personal Data are not used to train, fine-tune, or otherwise develop or improve any third-party foundation models or generalized machine-learning models.
- Purpose limitation; opt-in only. Personal Data sent for AI-assisted mapping is limited to what is needed to generate mapping suggestions for the requesting user’s own migration, and is only sent when that user chooses to use the feature.
No separate model-provider sub-processor receives Customer Data; all AI processing occurs within the AWS infrastructure described in Annex B.
8. Sub-processors
Customer provides general written authorization for SuiteMigration to engage Sub-processors to process Personal Data. SuiteMigration engages each Sub-processor under written terms requiring data-protection obligations materially consistent with this DPA or as required by applicable law.
A current list of Sub-processors is maintained at suitemigration.com/subprocessors and is reproduced for reference in Annex B. Customer’s continued use of the Software after a change is posted constitutes acceptance of the updated list.
9. Data Subject Rights
Taking into account the nature of the processing, SuiteMigration will provide reasonable assistance to Customer, through appropriate technical and organizational measures, to respond to requests from Data Subjects to exercise their rights under Data Protection Laws. If SuiteMigration receives such a request directly, it will, where legally permitted, direct the Data Subject to Customer.
10. Personal Data Breach
SuiteMigration will notify Customer of a Personal Data breach affecting Customer’s Personal Data in accordance with applicable law, and will provide information reasonably available to it to assist Customer with Customer’s own obligations.
11. Return and Deletion of Personal Data
Upon termination or expiration of the applicable Order Form, SuiteMigration will delete or return Personal Data in accordance with the Agreement, except where retention is required by applicable law. SuiteMigration stores Customer Data only as long as necessary to complete and support the applicable migration, plus a limited period for backups, troubleshooting, and legal compliance, after which it is deleted.
12. Audits
SuiteMigration will make available information reasonably necessary to demonstrate compliance with its obligations under this DPA, subject to reasonable confidentiality, security, scheduling, and non-disruption requirements.
13. International Transfers
SuiteMigration processes Personal Data in the United States. Customer is responsible for determining whether its use of the Software involves a transfer of Personal Data subject to applicable data protection law and for ensuring an appropriate legal basis exists for any such transfer. Where Customer determines that a transfer mechanism is required, SuiteMigration will cooperate with Customer to put in place an appropriate mechanism. SuiteMigration’s total liability arising from any such transfer remains subject to the limitations of liability in the Agreement.
14. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
15. Term
This DPA takes effect when Customer accepts the Agreement and remains in force for as long as SuiteMigration processes Personal Data on Customer’s behalf.
Annex A — Details of Processing
| Subject matter | Provision of the SuiteMigration software for migrating and transforming business data between systems. |
| Nature of processing | Reading data from Customer’s source systems, transforming it according to Customer-configured mappings, and writing it to Customer’s destination systems; related storage, logging, and support activities. |
| Purpose | Enabling Customer to complete a one-time or per-use data migration between systems it selects and controls. |
| Categories of Data Subjects | Customer’s Authorized Users; and individuals referenced within Customer Data (e.g., customer/vendor contacts, employees named on transactions). |
| Categories of Personal Data | Names, business contact details, and any personal data contained in records migrated (e.g., names on invoices, bills, or payments). Depending on Customer’s systems, Customer Data may contain sensitive information such as financial account details. |
| Special-category data | The Software is not designed to process GDPR special-category data, and Customer must not intentionally use it for that purpose. |
Annex B — Sub-processors
This Annex reproduces the list maintained at suitemigration.com/subprocessors for reference. The published page is the source of truth.
| Sub-processor | Purpose | Personal Data processed | Primary location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, compute, and storage; optional AI-assisted field-mapping suggestions via AWS-managed Amazon Bedrock (no model training; see §7) | Customer Data hosted in SuiteMigration’s AWS environment; data used to generate mapping suggestions when a user opts to use that feature | United States |
| Stripe, Inc. | Billing and payment processing | Billing contact and account data; full payment card numbers and security codes are handled by Stripe and not stored by SuiteMigration | United States |
| Resend | Transactional email delivery (e.g., password resets, account notifications) | Email address and the content of transactional messages | United States |
| Sentry (Functional Software, Inc.) | Application error and performance monitoring | Diagnostic and error data, which may include limited personal data present at the time of an error | United States |
| PostHog, Inc. | Product analytics and session recording for Authorized Users of the Software | Product usage data, identifiers, and session-recording data (sensitive text inputs designed to be masked), which may include personal data | United States |
Primary location reflects where Customer Data is principally processed; Sub-processors may process data in other locations under their own transfer terms.
Customer-directed integrations. Systems Customer connects at its own direction — such as its source and destination systems (e.g., NetSuite, QuickBooks, Xero) — are not SuiteMigration Sub-processors; Customer’s use of those services is governed by Customer’s own agreements with their providers.
Annex C — Technical and Organizational Measures
- Segregation. Customer Data is logically separated within SuiteMigration’s environment using application-level access controls and other safeguards.
- Encryption. Personal Data is encrypted in transit and at rest where practicable within SuiteMigration-controlled infrastructure.
- Access control. Access controls designed to limit personnel access to those with a business need.
- Audit logging. The Software may log access and activity for security and audit purposes.
- Session recording. SuiteMigration may record and analyze Authorized User session activity within the Software for security, support, and product-improvement purposes. The system is designed to mask sensitive text inputs in these recordings. See our Terms of Service for further detail.
- AI processing. Optional AI-assisted mapping suggestions run through AWS-managed Amazon Bedrock, within SuiteMigration’s own AWS account; data is not used for model training (see §7).
Questions about this DPA: support@suitemigration.com. Related: Privacy Policy · Sub-processors · Terms of Service.