Data Processing Agreement

PinnedForYou LLC

Effective Date: [Date]

This Data Processing Agreement ("Agreement") is entered into by and between:

Controller

Customer Name: [Insert Legal Entity Name]

Address: [Insert Address]

Processor

PinnedForYou LLC

1603 Capitol Ave, Ste 415 #788886

Cheyenne, WY 82001, United States

legal@pinnedforyou.com

This Agreement supplements the Terms of Service or any other written contract between the parties (the "Master Agreement").

1. Definitions

"Personal Data" means any information relating to an identified or identifiable individual provided or uploaded by the Controller to the Processor's services.

"Data Subject" means the individual to whom the Personal Data relates.

"Applicable Data Protection Laws" means all privacy laws including but not limited to the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA/CPRA), and any similar laws in relevant jurisdictions.

2. Subject Matter and Duration

The Processor will process Personal Data on behalf of the Controller solely for the purpose of providing services under the Master Agreement.

This Agreement remains in effect while Processor processes Personal Data on behalf of Controller.

3. Nature and Purpose of Processing

Purpose:

To provide networking, outreach, and event tools to the Controller as described in the Master Agreement.

Types of Personal Data:

Name, email, job title, employer, LinkedIn URL, and other professional contact or event-related information.

Categories of Data Subjects:

Individuals whose professional data is uploaded or used by Controller (e.g. event attendees, contacts, partners).

4. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by law.
  • Ensure its personnel are subject to confidentiality obligations.
  • Implement appropriate technical and organizational security measures (including encryption in transit and at rest, access controls, and regular audits).
  • Assist the Controller in responding to Data Subject requests (access, deletion, objection, etc.).
  • Notify the Controller without undue delay in the event of a personal data breach.
  • Not subcontract processing without prior written consent (except for authorized subprocessors – see Section 7).
  • Not sell or share Personal Data for commercial purposes.

5. Obligations of the Controller

The Controller shall:

  • Ensure it has a valid legal basis for collecting and providing Personal Data to Processor.
  • Not provide sensitive data (e.g. health or financial info) unless explicitly permitted.
  • Maintain records of processing and fulfill Data Subject rights under applicable laws.
  • Immediately inform Processor of any request or claim related to the processing.

6. Data Subject Rights

Processor will provide reasonable assistance to enable the Controller to respond to Data Subject rights under GDPR, CPRA, or other applicable laws.

This includes requests for access, rectification, erasure, objection, or portability.

7. Subprocessors

Controller authorizes Processor to use subprocessors for data hosting, email infrastructure, analytics, and support services. Current subprocessors include:

  • Amazon Web Services (AWS) – Hosting
  • Google Cloud Platform (GCP) – Backup infrastructure
  • OpenAI / Anthropic – AI-based suggestion tools (no Personal Data is used for training)

Processor will notify Controller of any intended changes to subprocessors and allow the Controller to object within 10 business days.

8. International Data Transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland to a third country not subject to an adequacy decision, the parties will use Standard Contractual Clauses (SCCs) or a lawful alternative.

Processor participates in the EU-U.S. Data Privacy Framework for transfers to the United States.

9. Security and Breach Notification

Processor maintains industry-standard security measures, including:

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • SOC 2 Type II audited infrastructure
  • Employee access controls and security training

Processor shall notify Controller without undue delay (and in no case longer than 72 hours) after becoming aware of a Personal Data Breach, including relevant details and mitigation actions.

10. Audit Rights

Upon reasonable request and with at least 15 days' notice, the Controller may conduct an audit (or appoint an independent third-party auditor) to verify compliance with this Agreement.

Audits must be limited in scope and frequency (e.g. once per year unless required by law).

11. Return or Deletion of Data

Upon termination or expiration of the Master Agreement, Processor shall:

  • Delete or return all Personal Data upon written request by Controller, unless retention is required by law.
  • Delete all backup data within 30 days of final termination.

12. Liability

Each party's liability under this Agreement is subject to the limitations set forth in the Master Agreement.

13. Miscellaneous

  • This Agreement shall be governed by the same law and dispute resolution process as the Master Agreement.
  • If any provision of this Agreement is held invalid or unenforceable, the remainder shall remain in effect.
  • This Agreement may be signed electronically and in counterparts.

Signatures

For Controller:

Name: ________________________

Title: _________________________

Date: _________________________

Signature: ______________________

For Processor (PinnedForYou LLC):

Name: ________________________

Title: _________________________

Date: _________________________

Signature: ______________________