Last updated: January 1, 2025

Data Processing Agreement

This agreement governs how Secure Privacy processes personal data on behalf of our customers, aligned with GDPR and CCPA requirements.

Agreement Overview

This Data Processing Agreement ("DPA") supplements our Terms of Service and governs the processing of personal data by Secure Privacy on behalf of our customers. This DPA is aligned with GDPR, CCPA, and other applicable privacy regulations. By using our services, you accept this DPA as part of your overall agreement with Secure Privacy.

Definitions

  • Data Controller — The customer who determines the purposes and means of processing personal data
  • Data Processor — Secure Privacy, which processes personal data on behalf of the Data Controller
  • Personal Data — Any information relating to an identified or identifiable natural person
  • Processing — Any operation performed on personal data, including collection, storage, use, and deletion

Processing Details

Data Subjects

  • Website visitors interacting with consent banners
  • End users of customer applications and services
  • Customer employees and contacts
  • Individuals making data subject rights requests

Types of Personal Data

  • Contact information (name, email, phone)
  • Technical data (IP address, cookies, device identifiers)
  • Usage data and preferences
  • Consent records and preference history

Processing Purposes

  • Privacy compliance and consent management
  • Data Subject Access Request (DSAR) handling and rights fulfillment
  • Legal document and privacy policy generation
  • Privacy Impact Assessments and risk management
  • Audit logging and compliance record maintenance

Security — Technical Measures

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls with multi-factor authentication
  • Continuous security monitoring and vulnerability assessments
  • Secure, SOC 2 certified data centers with physical access controls
  • Regular automated backups with tested disaster recovery procedures

Security — Organizational Measures

  • Mandatory security awareness training for all employees
  • Confidentiality agreements signed by all personnel with data access
  • Regular internal and third-party security audits
  • Documented incident response and breach notification procedures
  • Data retention policies with secure deletion upon termination

International Data Transfers

When personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where the destination country provides adequate protection
  • Additional technical and organizational safeguards for data in transit
  • Regular assessment of transfer mechanisms and recipient country laws

Controller Rights

As a Data Controller, you have the right to:

  • Request information about processing activities and security measures at any time
  • Conduct audits or inspections (subject to reasonable notice and confidentiality)
  • Request deletion or return of all personal data upon termination of services
  • Receive assistance with Data Subject Access Requests and regulatory inquiries
  • Receive prompt notification of any personal data breaches without undue delay

Controller Responsibilities

As a Data Controller using our services, you are responsible for:

  • Ensuring a lawful basis exists for all personal data processing
  • Providing accurate and lawful processing instructions to Secure Privacy
  • Maintaining appropriate privacy notices and obtaining necessary consents
  • Responding to Data Subject requests in accordance with applicable law

Sub-Processors

Secure Privacy may engage sub-processors to assist in providing services. We maintain a current list of sub-processors and will notify you of any changes with at least 30 days' advance notice, giving you the opportunity to object to new sub-processors.

Breach Notification

In the event of a personal data breach, Secure Privacy will notify the Data Controller without undue delay (and in any case within 72 hours) upon becoming aware of the breach. The notification will include the nature of the breach, categories of data affected, estimated number of individuals impacted, and measures taken to address and mitigate the breach.

Term & Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, Secure Privacy will, at your choice, delete or return all personal data within 30 days, unless retention is required by applicable law. Certification of deletion will be provided upon request.

Contact Us

Email: dpo@secureprivacy.ai

Frydenlundsvej 30, 2950 Vedbæk, Denmark