Data Processing Agreement

1. Definitions: the following definitions clarify the terminology used in this DPA:

• "DPA" refers to this Data Processing Agreement.

• "Terms" refers to the Terms of Use Agreement.

• "Processor" refers to Bind Data Company LLC.

• "Controller" refers to the signature and agreeing party of the Terms.

• "Processing" refers to any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.

• "Data" refers to information provided by the Controller to the Processor relating to an identified or identifiable natural person.

• "Data Subject" refers to an identified or identifiable natural person to whom Data relates.

• "Data Breach" refers to a security incident resulting in unauthorized access, loss, alteration, or disclosure of Data.

2. Processing

• The Processor agrees to process all Data in compliance with the GDPR and other applicable laws, statutes, and regulations.

• The Processor shall process the Data only in accordance with the documented instructions provided by the Controller. These instructions may be included in the Terms, Statement of Work, or other written documents exchanged between the Controller and the Processor.

• The Data transferred to the Processor remains the property of the Controller throughout the term of this DPA. This DPA does not transfer ownership of the Data to the Processor or any third party.

• The Controller warrants that the Data obtained complies with applicable laws, statutes, and regulations, and that the requested Processing does not violate any such laws.

• Data may be processed during the duration of this DPA.

3. Personnel

• The Processor ensures that all employees, contractors, and authorized individuals are bound by strict confidentiality agreements before being granted access to the Data.

• The Processor takes measures to ensure that individuals authorized to access the Data do not process it except as instructed by the Controller.

4. Security

• The Processor implements appropriate technical and organizational measures to ensure the security of the Data, considering the nature of the processing and associated risks. These measures include:

  • Pseudonymization and encryption of the Data.

  • Confidentiality, integrity, availability, and resilience of processing systems and services.

  • Timely restoration of Data availability in the event of an incident.

  • Regular testing, assessment, and evaluation of security measures.

• The security measures are designed to protect the Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

5. Sub-Processor

• The Processor shall not engage another processor without the Controller's prior written authorization. In the case of general written authorization, the Processor shall notify the Controller of any intended changes to other processors, allowing the Controller to object within fifteen (15) days.

• If the Processor engages another processor for specific processing activities, the same data protection obligations as set out in this DPA shall be imposed on that processor. The Processor remains fully liable to the Controller for the performance of the other processor's obligations.

6. Data Subject Rights‍

• Processor assists the Controller in fulfilling its obligations to respond to Data Subject requests under the GDPR. The Processor shall:

  • Promptly notify the Controller of any requests received from Data Subjects.

  • Refrain from responding to requests except as instructed by the Controller or required by applicable laws. In the latter case, the Processor shall inform the Controller before responding.

7. Data Breach‍

• • Promptly notify the Controller of any requests received from Data Subjects.

  • Refrain from responding to requests except as instructed by the Controller or required by applicable laws. In the latter case, the Processor shall inform the Controller before responding.

8. Data Protection Impact Assessment and Prior Consultation‍

• • The processor provides reasonable assistance to the Controller regarding data protection impact assessments and prior consultations with relevant data privacy authorities, as required by the GDPR or other applicable laws. The assistance is limited to the Processor's processing activities and available information.

9. Deletion or Return of Data‍

• • Upon cessation of services involving the processing of Data, the Processor and any Sub-Processor shall promptly delete all copies of the Data within thirty (30) days ("Cessation Date").

  • The Controller may request the return of a complete copy of all Data within seven (7) days of the Cessation Date. The Processor shall comply with this request using secure file transfer methods specified by the Controller.

  • The Processor may retain Data only as required by applicable laws, ensuring confidentiality and limiting processing to the purposes specified by those laws.

  • The Processor shall provide written certification of compliance with this section within sixty (60) days of the Cessation Date.

10. Audit rights

• • The Processor provides the Controller with necessary information to demonstrate compliance with this DPA and allows for audits and inspections by the Controller or an auditor mandated by the Controller.

  • The Controller's information and audit rights arise to the extent that the Terms do not already grant such rights meeting the GDPR requirements.

11. Final Provisions

• • Matters not regulated by this DPA shall be governed by the Terms, Statement of Work, or Order between the parties.

  • If any part of this DPA is found invalid, illegal, or unenforceable, it does not affect the validity or enforceability of the remaining provisions.

  • Failure to exercise or enforce any right or provision of this DPA does not constitute a waiver of such right or provision.

  • Section titles in this DPA are for convenience and have no legal or contractual effect.