Data Processing Agreement
Version 1.0 · Last updated April 12, 2026 · Phoenix Holdings LLC
Enterprise SaaS Data Processing Agreement. Multi-jurisdictional, multi-regulatory compliance covering GDPR, UK GDPR, FADP, CCPA/CPRA, and the full set of U.S. state privacy laws (VCDPA, CPA-CO, CTDPA, UCPA, TDPSA, OCPA, MCDPA, ICDPA, INCDPA, TIPA, DPDPA, NHPA, NJDPA, NDPA, MODPA, MCDPA-MN, KCDPA, RIDTPPA), LGPD, PIPEDA, HIPAA (BAA reference), PCI DSS, COPPA, BIPA, GLBA, and FERPA.
Important — How this DPA Applies
This Data Processing Agreement (“Agreement” or “DPA”) is incorporated by reference into, and forms an integral part of, the Terms of Service, Master Subscription Agreement, Order Form, or other written or electronic agreement (the “Principal Agreement”) between the entity identified as the customer in the Principal Agreement (“Controller,” “Customer,” or “You”) and Phoenix Holdings LLC, an Illinois limited liability company (“Processor,” “Provider,” or “We”).
This DPA becomes legally binding upon the earliest of: (a) the Customer’s execution of a Principal Agreement that references this DPA; (b) the Customer’s electronic acceptance via click-through, check-box, or digital signature; or (c) the Customer’s continued use of the Services after this DPA has been published at the Processor’s designated URL (the “Effective Date”). Where the Customer enters this DPA on behalf of an entity, the individual accepting represents and warrants that they have authority to bind that entity.
This DPA applies only where the Processor Processes Personal Data on behalf of the Customer in connection with the Services. To the extent the Processor Processes Personal Data as an independent Controller (e.g., account registration data, billing data, usage telemetry for service improvement, or aggregated analytics), such Processing is governed by the Processor’s Privacy Policy, not this DPA.
Recitals
WHEREAS, the Controller has engaged the Processor to provide certain software-as-a-service (“SaaS”) services under the Principal Agreement;
WHEREAS, in providing the Services, the Processor will Process Personal Data on behalf of the Controller;
WHEREAS, the Parties wish to establish terms governing such Processing in compliance with all Applicable Data Protection Laws, including the GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, VCDPA, CPA-CO, CTDPA, UCPA, TDPSA, OCPA, MCDPA, ICDPA, INCDPA, TIPA, DPDPA, NHPA, NJDPA, NDPA, MODPA, MCDPA-MN, KCDPA, RIDTPPA, LGPD, PIPEDA, and all other applicable data protection or privacy legislation;
NOW, THEREFORE, the Parties agree as follows:
1. Definitions and Interpretation
1.1 Definitions
Capitalized terms shall have the meanings defined below. Undefined terms carry the meanings set forth in the Principal Agreement or Applicable Data Protection Laws.
| Term | Definition |
|---|---|
| Applicable Data Protection Laws | All laws and regulations applicable to the Processing of Personal Data under this Agreement, as enumerated in the Recitals, and any implementing regulations, guidance, or successor legislation. |
| Authorized Persons | Employees, agents, consultants, and contractors of the Processor or a Sub-processor who are authorized to Process Personal Data and bound by confidentiality obligations per Section 3.3. |
| Controller | The Party that determines the purposes and means of Processing, as identified in the Principal Agreement. |
| Customer Data | All electronic data, text, messages, images, files, or other content submitted by or on behalf of the Controller or its authorized users to the Services, including Personal Data contained therein. Customer Data does not include Service-Generated Data. |
| Data Protection Officer (DPO) | The individual designated by either Party to oversee compliance with Applicable Data Protection Laws, as specified in Schedule 1. |
| Data Subject | An identified or identifiable natural person to whom Personal Data relates. |
| De-identified / Anonymized Data | Data from which all personal identifiers have been irreversibly removed such that it no longer constitutes Personal Data (anonymized). Data that can no longer be attributed to a specific Data Subject without the use of additional information that is kept separately (pseudonymized) remains Personal Data and is protected as such under this Agreement. |
| EEA | The European Economic Area (EU Member States plus Iceland, Liechtenstein, and Norway). |
| GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council. |
| Government Access Request | Any request, demand, order, subpoena, warrant, or directive from any law enforcement, judicial, governmental, regulatory, legislative, intelligence, or national security authority for access to or disclosure of Personal Data, whether compulsory or voluntary. |
| Incident Severity Classification | The risk-based categorization of Personal Data Breaches: Critical (mass exfiltration, ransomware with data loss, or breach of unencrypted special category data); High (unauthorized access to significant volumes of Personal Data); Medium (unauthorized access to limited Personal Data with low likelihood of harm); Low (security event with no confirmed data compromise). |
| Personal Data | Any information relating to an identified or identifiable natural person Processed by the Processor on behalf of the Controller in connection with the Services. “Personal Data” includes “personal information” as defined in the CCPA/CPRA, “personal data” as defined in the VCDPA, CPA-CO, CTDPA, and other U.S. State Privacy Laws, and equivalent concepts under all Applicable Data Protection Laws. |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, including any “security incident,” “breach of security,” or equivalent concept under Applicable Data Protection Laws. |
| Processing / Process | Any operation on Personal Data, whether automated or not, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, and destruction. |
| Processor | The Party that Processes Personal Data on behalf of the Controller, as identified in the Principal Agreement. |
| Restricted Transfer | A transfer of Personal Data to a country outside the EEA, UK, or Switzerland not covered by an adequacy decision. |
| SCCs | The Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914, as amended, supplemented, or replaced. |
| Service-Generated Data | Data generated by the Processor through the operation of the Services that is derived from, but does not directly reveal, Personal Data, including aggregated usage statistics, performance metrics, system logs, error reports, and telemetry data. Service-Generated Data does not include Customer Data. |
| Services | The SaaS services and related professional, support, and implementation services provided under the Principal Agreement. |
| Sub-processor | Any third party (excluding the Processor’s employees acting under its direct authority) engaged by the Processor or a Sub-processor to Process Personal Data on behalf of the Controller. |
| Supervisory Authority | An independent public authority established under Article 51 GDPR, the UK ICO, the Swiss FDPIC, the California Privacy Protection Agency (CPPA), State Attorneys General with enforcement authority under U.S. State Privacy Laws, the ANPD (Brazil), the OPC (Canada), or any equivalent regulatory authority. |
| Technical and Organizational Measures (TOMs) | The administrative, technical, physical, and organizational security measures described in Schedule 2, implemented to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage. |
| Transfer Impact Assessment (TIA) | A documented assessment of the data protection laws and practices of a destination country to determine whether they provide an essentially equivalent level of protection and to identify any required supplementary measures. |
| U.S. State Privacy Laws | Collectively, the CCPA/CPRA, VCDPA, CPA-CO, CTDPA, UCPA, TDPSA, OCPA, MCDPA, ICDPA, INCDPA, TIPA, DPDPA, NHPA, NJDPA, NDPA, MODPA, MCDPA-MN, KCDPA, RIDTPPA, and any future U.S. state comprehensive privacy legislation that becomes applicable to the Processing. |
1.2 Interpretation
(a) “Include” or “including” means “including without limitation.” (b) References to legislation include amendments, re-enactments, implementing regulations, and successors. (c) “Writing” includes electronic communications. (d) Headings are for convenience only. (e) References to GDPR articles include equivalent provisions under all Applicable Data Protection Laws, mutatis mutandis. (f) “Shall” denotes a mandatory obligation; “may” denotes a discretionary right. (g) “Business day” means a day other than a Saturday, Sunday, or public holiday in the jurisdiction of the Party required to act.
1.3 Customer Data Ownership
As between the Parties, the Controller retains all right, title, and interest in Customer Data. Nothing in this Agreement or the Principal Agreement grants the Processor any right, title, or interest in Customer Data except the limited rights necessary to perform the Services.
2. Scope, Purpose, and Relationship of the Parties
2.1 This Agreement applies to all Processing of Personal Data by the Processor on behalf of the Controller in connection with the Services.
2.2 The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects are described in Schedule 1 (Details of Processing).
2.3 The duration of Processing is coterminous with the Principal Agreement, unless otherwise specified in Schedule 1 or required by law.
2.4 Order of Precedence. Conflicts are resolved: (i) SCCs (where applicable) prevail over this DPA; (ii) this DPA prevails over the Principal Agreement regarding Processing of Personal Data; (iii) the Principal Agreement governs all other matters.
2.5 Roles. The Controller is the “controller” (or “business” under CCPA) and the Processor is the “processor” (or “service provider” under CCPA) with respect to Customer Data. Where the Processor Processes Service-Generated Data for its own legitimate purposes, the Processor acts as an independent controller for that limited Processing, subject to its Privacy Policy.
2.6 No Joint Controller Relationship. Nothing in this Agreement creates a joint controller relationship unless expressly documented in a separate joint controller agreement executed by both Parties.
2.7 Multi-Tenant Architecture. The Processor shall implement logical and/or physical isolation of each Customer’s data within its multi-tenant infrastructure sufficient to prevent unauthorized cross-tenant access. The Processor shall maintain access controls, authentication boundaries, and encryption practices that ensure Customer Data is not accessible to other tenants of the Services.
3. Processor Obligations
3.1 Documented Instructions. The Processor shall Process Personal Data only on documented instructions from the Controller (which include this Agreement and the Principal Agreement), including regarding international transfers, unless required by applicable law. If so required, the Processor shall inform the Controller before Processing, unless prohibited by law on important public interest grounds.
3.2 Article 28 Compliance. The Processor warrants that it satisfies each requirement of Article 28 GDPR and equivalent provisions of all other Applicable Data Protection Laws.
3.3 Confidentiality. The Processor shall ensure all Authorized Persons: (a) are bound by written confidentiality obligations no less protective than this Agreement; (b) Process Personal Data only as necessary for the Services; (c) receive onboarding and annual data protection and security training. These obligations survive termination of engagement.
3.4 Prohibited Processing. The Processor shall not:
- Sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate Personal Data for monetary or other valuable consideration;
- Share Personal Data for cross-context behavioral advertising (as defined in CCPA/CPRA §1798.140(k));
- Retain, use, or disclose Personal Data for any purpose other than performing the Services, including any commercial purpose outside the direct business relationship;
- Combine Personal Data from the Controller with Personal Data received from or on behalf of third parties, or collected from the Processor’s own consumer interactions, except as expressly permitted by Applicable Data Protection Laws;
- Use Personal Data for profiling, targeted advertising, automated decision-making (except as an integral feature of the Services documented in the Principal Agreement), or cross-context behavioral advertising;
- Use Personal Data to train, develop, improve, or fine-tune any machine learning, artificial intelligence, or algorithmic model (whether general or specific) without the Controller’s prior, specific, written consent;
- Process Personal Data in a manner that would cause the Controller to be in violation of Applicable Data Protection Laws;
- Disclose Personal Data to any governmental authority except as compelled by valid legal process, subject to Section 11; or
- Degrade the Services or discriminate against Data Subjects who exercise privacy rights, directly or indirectly.
3.5 Instruction Review. If an instruction infringes Applicable Data Protection Laws in the Processor’s reasonable opinion, the Processor shall immediately notify the Controller and may suspend the relevant Processing until the Controller confirms or modifies the instruction.
3.6 Data Protection Officer. The Processor shall appoint and maintain a DPO (or equivalent privacy officer). Contact details shall be provided on request and updated promptly.
3.7 Records of Processing. The Processor shall maintain complete records of Processing activities per Article 30(2) GDPR, available to the Controller and Supervisory Authorities on request.
3.8 Certification. The Processor hereby certifies that it understands and will comply with the restrictions set forth in this Section 3.
4. Controller Obligations and Warranties
4.1 The Controller represents, warrants, and covenants that:
- It has complied and will comply with all Applicable Data Protection Laws regarding collection, use, and transfer of Personal Data;
- It has established a lawful basis for Processing (Article 6 GDPR or equivalent), provided adequate notice, and obtained all consents and authorizations required;
- Its instructions shall at all times comply with Applicable Data Protection Laws;
- It has conducted and will maintain required DPIAs;
- It has authority to transfer Personal Data to the Processor;
- It will not submit to the Services any Personal Data that the Processor is not equipped to protect (e.g., protected health information requiring HIPAA BAA compliance, unless a BAA is separately executed per Schedule 6); and
- It will cooperate with the Processor in addressing Data Subject requests, Supervisory Authority inquiries, and DPIAs.
4.2 The Controller is solely responsible for the accuracy, quality, and legality of Personal Data and the lawfulness of its instructions.
4.3 The Controller shall implement appropriate security within elements it configures or controls, including user access management, authentication settings, data classification, and API key management.
4.4 The Controller acknowledges that the Processor’s ability to comply with certain obligations may be contingent upon the Controller’s timely performance of its obligations under this Agreement.
5. Data Subject Rights
5.1 The Processor shall assist the Controller, by appropriate technical and organizational measures, in fulfilling Data Subject rights requests under Applicable Data Protection Laws, including:
- Access (Art. 15 GDPR; CCPA §1798.100 and §1798.110; equivalent state law provisions);
- Rectification / Correction (Art. 16 GDPR; CPRA §1798.106);
- Erasure / Deletion (Art. 17 GDPR; CCPA §1798.105);
- Restriction of Processing (Art. 18 GDPR);
- Data Portability (Art. 20 GDPR);
- Objection (Art. 21 GDPR);
- Automated Decision-Making / Profiling Opt-Out (Art. 22 GDPR);
- Opt-Out of Sale/Sharing (CCPA/CPRA §1798.120), including recognition of Global Privacy Control (GPC) signals;
- Limit Use of Sensitive Personal Information (CPRA §1798.121);
- Non-Discrimination for exercising privacy rights (CCPA §1798.125); and
- Equivalent rights under all other U.S. State Privacy Laws and international data protection statutes.
5.2 The Processor shall notify the Controller of any Data Subject request within three (3) business days. The Processor shall not respond except to acknowledge receipt and direct the Data Subject to the Controller, unless authorized in writing.
5.3 The Processor shall maintain self-service technical capabilities enabling the Controller to search, export, rectify, restrict, and delete Personal Data within statutory timeframes, at no additional cost for standard-volume requests.
5.3.1 Excessive or Manifestly Unfounded Requests. Where Data Subject requests forwarded by the Controller are manifestly unfounded, excessive, or repetitive, the Processor may charge a reasonable fee based on administrative costs. The Processor shall notify the Controller of such fees in advance and shall not charge fees that would prevent the Controller from complying with Applicable Data Protection Laws.
5.4 CCPA Verifiable Consumer Requests. If the Processor receives a verifiable consumer request directly from a California consumer, the Processor shall either act on behalf of the Controller per CCPA implementing regulations or promptly inform the Controller and await instructions.
5.5 Universal Opt-Out Signals. The Processor shall, within the Services, honor opt-out preference signals (including GPC) as required by the CCPA/CPRA, CPA-CO, CTDPA, MODPA, and any other jurisdiction mandating recognition of such signals.
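Sections 5.5 and 14.1 oblige the Services to honor opt-out preference signals such as Global Privacy Control (GPC). As an added illustration, which is not part of this Agreement and not Phoenix Holdings' code, the following Python shows how a service can detect the signal on an incoming request, combine it with a stored account preference, and record the reason for the resulting decision. It assumes the GPC specification's wire format (the `Sec-GPC` request header carrying the value `1`, and the optional `/.well-known/gpc.json` support document); the decision-record fields and the sample requests are constructed for the example.

```python
"""Global Privacy Control (GPC) handling for an HTTP service.

Added example, not part of the DPA and not Phoenix Holdings' code. Assumes the
GPC specification: a conforming browser sends the request header `Sec-GPC: 1`
when the user has enabled the signal, and a service announces support by
serving `/.well-known/gpc.json`. Headers are passed as a plain dict so the
functions are framework-neutral.
"""
import json

GPC_HEADER = "sec-gpc"


def gpc_signal_present(headers):
    """True iff the request carries a valid GPC opt-out signal.

    HTTP header names are case-insensitive, so the lookup is too. The value,
    however, must be exactly "1" once whitespace is stripped: the spec defines
    no other value, so "0", "true" or an empty header are treated as no signal
    rather than guessed at.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def sale_share_decision(headers, account_opted_out=False):
    """Decide whether personal data tied to this request may be sold or shared
    for cross-context behavioral advertising, and say why.

    The GPC signal is a per-browser signal and the stored preference is a
    per-account one, so each is honored independently: a signal blocks
    sale/sharing even with no stored opt-out, and a stored opt-out holds even
    when the browser sends no signal. Only when neither applies may
    sale/sharing proceed. The `reason` field is meant to be logged so an
    auditor can see which control produced each decision.
    """
    if gpc_signal_present(headers):
        return {"allow_sale_or_share": False, "reason": "gpc-signal"}
    if account_opted_out:
        return {"allow_sale_or_share": False, "reason": "stored-opt-out"}
    return {"allow_sale_or_share": True, "reason": "no-opt-out"}


def well_known_gpc(last_update):
    """Body for GET /.well-known/gpc.json announcing that GPC is honored.

    `last_update` is an ISO 8601 date (YYYY-MM-DD), the format the spec uses
    for the `lastUpdate` field.
    """
    return json.dumps({"gpc": True, "lastUpdate": last_update})


# Constructed sample requests (not captured traffic): header dicts only.
SAMPLE_REQUESTS = [
    {"Sec-GPC": "1"},                 # valid signal
    {"sec-gpc": " 1 "},               # valid signal, lowercase name, padded
    {"Sec-GPC": "0"},                 # not a signal
    {"Sec-GPC": "true"},              # not a signal
    {"User-Agent": "example-agent"},  # no header at all
]


def audit_samples():
    """Run every sample through the decision logic; returns (headers, reason)."""
    return [(h, sale_share_decision(h)["reason"]) for h in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for h, reason in audit_samples():
        print(h, "->", reason)
    print(well_known_gpc("2026-04-12"))
```

Treating anything other than an exact `1` as "no signal" is deliberate: a permissive parser that accepted `true` or `yes` would be guessing at user intent, while a strict one fails closed only toward sale/sharing being blocked when the browser actually sent the defined value. The stored opt-out is checked second so a user who opted out on an account is still protected from a browser that does not send the signal.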
6. Sub-processors
6.1 General Authorization. The Controller grants general written authorization to engage Sub-processors, subject to this Section 6. The current Sub-processor list is in Schedule 3 and published at /legal/sub-processors.
6.2 Notification. The Processor shall notify the Controller in writing of any intended addition, replacement, or material change to Sub-processors at least thirty (30) calendar days before engagement (the “Objection Period”). Notification shall include: Sub-processor name, legal entity, registered address, country of Processing, description of activities, applicable transfer mechanism, and security certifications held.
6.2.1 Emergency Sub-processor Engagement. The Processor may engage a replacement or new Sub-processor immediately, without prior notice, where such engagement is reasonably necessary to address an active security vulnerability, data breach, or imminent threat; respond to a material service outage; or comply with a binding legal or regulatory requirement. In such cases the Processor shall notify the Controller as soon as practicable and no later than five (5) business days after engagement, and grant a retroactive fifteen (15) calendar day objection period.
6.3 Objection. The Controller may object on reasonable data protection grounds within the Objection Period. Upon objection the Processor shall use commercially reasonable efforts to provide an alternative within thirty (30) days; if no alternative is available, either Party may terminate the affected Services with a pro-rata refund of prepaid fees.
6.4 Sub-processor Contracts. The Processor shall impose on each Sub-processor written obligations no less protective than this Agreement, including equivalent provisions regarding confidentiality, security, breach notification, data subject rights, international transfers, audit, and return/deletion.
6.5 Full Liability. The Processor remains fully liable for Sub-processor acts and omissions as if they were the Processor’s own.
6.6 Due Diligence. Before engaging any Sub-processor, the Processor shall conduct risk-based due diligence. Critical and high-risk Sub-processors shall be reassessed at least annually; all others at least biennially.
6.7 Upon request, the Processor shall provide the Controller with a summary of the data protection terms in its Sub-processor agreements (redacted for proprietary terms).
7. Technical and Organizational Security Measures
7.1 The Processor shall implement and maintain TOMs ensuring a level of security appropriate to the risk, per Article 32 GDPR, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of Processing.
7.2 Minimum security controls include encryption (AES-256 at rest, TLS 1.2+ in transit, HSM-backed key management), access controls (RBAC, MFA, SSO, SCIM, PAM), network security, application security (secure SDLC, SAST/DAST/SCA), monitoring and logging (24/7 SOC, SIEM), vulnerability management, physical security, business continuity/DR, personnel security, data management, incident response, and third-party/supply chain controls. Full details in Schedule 2.
7.3 The Processor shall test, assess, and evaluate TOMs effectiveness at least annually and update as needed. Updates shall not materially decrease the overall protection level.
7.4 The Processor shall respond to the Controller’s reasonable security questionnaires (SIG, CAIQ, VSAQ) within fifteen (15) business days.
7.5 Customer-Managed Keys. Where the Controller’s service tier supports CMEK/BYOK, the Controller may manage its own encryption keys. In such cases, the Processor shall not have the ability to decrypt Customer Data without the Controller’s key.
8. Personal Data Breach Notification and Response
8.1 Initial Notification. The Processor shall notify the Controller of any confirmed or reasonably suspected Personal Data Breach without undue delay and no later than:
- Critical or High severity: thirty-six (36) hours after becoming aware;
- Medium severity: forty-eight (48) hours after becoming aware;
- Low severity: seventy-two (72) hours after becoming aware.
Notification shall be by email to the Controller’s designated data protection contact. Critical and High severity breaches shall additionally be notified by telephone.
8.2 Content. The initial notification shall include (to the extent available): date/time of discovery and estimated date/time of occurrence; severity classification and basis; nature of the breach and approximate number of Data Subjects and records affected; types of Personal Data involved; DPO contact details; likely consequences; measures taken or proposed; preliminary root-cause analysis; risk assessment; and jurisdictions likely affected.
8.3 Supplemental Reporting. The Processor shall provide supplemental reports at intervals of no greater than twenty-four (24) hours until the investigation concludes, and a final written incident report within ten (10) business days of containment.
8.4 Cooperation. The Processor shall cooperate fully; immediately contain the breach; preserve forensic evidence for a minimum of three (3) years; implement measures to prevent recurrence; conduct post-incident review; and, at the Controller’s request, engage an independent forensic investigator at the Processor’s expense if the breach resulted from the Processor’s act or omission.
8.5 Regulatory and Data Subject Notification. The Processor shall not notify third parties without the Controller’s prior written consent, unless legally compelled. The Processor shall bear the reasonable costs of notification (including credit monitoring services) where the breach resulted from the Processor’s act or omission.
8.6 State-Specific Breach Notification. The Processor shall assist the Controller in complying with the breach notification timelines of each applicable U.S. state (which range from thirty (30) to ninety (90) days depending on jurisdiction). See Schedule 7.
8.7 Breach Register. The Processor shall maintain a register per Article 33(5) GDPR.
8.8 Sub-processor Breaches. Obligations apply regardless of whether the breach occurs at the Processor or any Sub-processor. Sub-processors must notify the Processor within twenty-four (24) hours.
8.9 No Admission. The Processor’s notification shall not be construed as an acknowledgment or admission of fault, liability, or wrongdoing.
9. Data Protection Impact Assessments and Prior Consultation
9.1 The Processor shall provide reasonable assistance with DPIAs and prior consultation with Supervisory Authorities, taking into account the nature of Processing and available information.
9.2 Assistance includes: (a) detailed descriptions of Processing, data flows, and TOMs; (b) risk identification and assessment; (c) identification of mitigating measures; (d) technical architecture and security documentation; and (e) cooperation with Supervisory Authority inquiries.
9.3 The Processor shall notify the Controller if changes to the Services, Processing, or regulatory environment are likely to require a new or updated DPIA.
9.4 Where U.S. State Privacy Laws require data protection assessments (e.g., VCDPA §59.1-580; CPA-CO §6-1-1309; CTDPA §42-520; TDPSA; MODPA), the Processor shall cooperate and provide information equivalent to that required for a GDPR DPIA.
10. International Data Transfers
10.1 Transfer Restriction. The Processor shall not make any Restricted Transfer unless a valid transfer mechanism is in place: adequacy decision; SCCs (Implementing Decision 2021/914) supplemented by a TIA; Binding Corporate Rules; UK IDTA or UK Addendum; approved certification (EU-U.S. DPF, UK Extension, Swiss-U.S. DPF); or any other legally valid mechanism.
10.2 SCCs Configuration. Where SCCs apply: Module 2 (C2P) and/or Module 3 (P2P); Clause 7 (Docking) included; Clause 9 Option 2 (general authorization, 30-day objection); Clause 11 optional redress language included; Clause 13(a) competent SA of Controller’s establishment; Clause 17 Option 1 law of Controller’s EU establishment (Ireland if none); Clause 18(b) courts of that jurisdiction. SCCs prevail over this DPA in case of conflict.
10.3 Transfer Impact Assessments. The Processor shall conduct, document, and maintain a TIA for each Restricted Transfer, evaluating destination country laws, the specific circumstances of the transfer, available supplementary measures, and the overall risk conclusion. TIAs shall be updated at least annually or upon material change.
10.4 Supplementary Measures. Where a TIA identifies deficiencies, the Processor shall implement supplementary measures sufficient to address them, which may include: additional encryption, pseudonymization, key management outside the destination country, access restrictions, data localization, split processing, or contractual commitments to challenge government access.
10.5 The Processor shall promptly notify the Controller of any change materially affecting the validity of a transfer mechanism or TIA.
10.6 See Schedule 4 for detailed transfer mechanism configurations.
11. Government Access Requests and Transparency
11.1 Upon receipt of a Government Access Request, the Processor shall: (a) promptly notify the Controller before any disclosure, unless legally prohibited; (b) redirect the authority to the Controller where permissible; (c) scrutinize the legal basis and challenge any unlawful, overbroad, or disproportionate request using all available legal mechanisms including appeals; (d) disclose only the minimum data legally compelled; (e) provide data in encrypted form if possible; and (f) document and retain records of all requests and responses.
11.2 If legally prohibited from notifying the Controller, the Processor shall seek a waiver; disclose maximum permissible information as soon as legally allowed; and provide an annual summary of prohibited requests.
11.3 Warranties. The Processor warrants that it has not received any request requiring bulk or indiscriminate access to Personal Data; has no knowledge of any law preventing it from fulfilling this Agreement; has not voluntarily provided Personal Data to any government authority outside lawful process; and has not created any “back door” mechanism for government access.
11.4 Transparency Report. The Processor shall publish or make available an annual transparency report summarizing request volumes and types (to the extent permitted by law).
11.5 Mutual Legal Assistance. Where a Government Access Request is made under a mutual legal assistance treaty (MLAT), the Processor shall cooperate with the Controller in assessing compliance with applicable procedures.
12. Audit Rights and Compliance Verification
12.1 The Processor shall make available all information necessary to demonstrate compliance with this Agreement and shall allow and contribute to audits by the Controller or its mandated qualified independent auditor.
12.2 Audit Schedule. One (1) comprehensive audit per twelve-month period upon thirty (30) calendar days’ notice. Additional audits permitted if required by a Supervisory Authority, following a Personal Data Breach, upon reasonable suspicion of non-compliance, or as required under the SCCs.
12.3 Audit Costs. The Controller bears costs of routine annual audits. The Processor bears costs of audits triggered by Processor breach or non-compliance.
12.4 Certifications and Reports. The Processor shall maintain and provide upon request: SOC 2 Type II report (annual); ISO/IEC 27001 certification; ISO/IEC 27701 (if applicable); ISO/IEC 27018 (if applicable); annual penetration test executive summary; PCI DSS AOC (if payment data is Processed); HITRUST CSF (if applicable). These reports may satisfy audit requirements where they reasonably cover the audit scope.
12.5 Remediation. Non-compliance discovered by audit: written remediation plan within ten (10) business days; remediation evidence within thirty (30) calendar days; the Processor bears all remediation costs.
12.6 Annual Compliance Attestation. The Processor shall provide an annual written attestation, signed by its CISO or equivalent officer, confirming material compliance.
12.7 Penetration Testing. The Controller may conduct application-layer penetration testing upon fifteen (15) business days’ prior written notice, coordinated with the Processor.
12.8 Security Questionnaires. As provided in Section 7.4, the Processor shall respond to reasonable security questionnaires (SIG Lite, SIG Full, CAIQ, VSAQ) within fifteen (15) business days.
12.9 Regulatory Cooperation. Full cooperation with Supervisory Authority investigations; prompt notification of any investigation, inquiry, or complaint.
12.10 Audit Limitations. Audits shall minimize disruption, comply with the Processor’s security policies, not access data of any other customer, be subject to confidentiality obligations, and not include penetration testing without prior coordination.
12.11 Processor’s Right to Suspend. If the Controller is in material breach, the Processor may, after thirty (30) calendar days’ written notice and opportunity to cure, suspend Processing and, if the breach remains uncured, terminate this Agreement. The Processor shall not suspend Processing where doing so would cause the Controller to violate Applicable Data Protection Laws regarding Data Subject rights.
13. Data Retention, Return, and Deletion
13.1 Upon termination/expiration or the Controller’s earlier written request, the Processor shall, at the Controller’s election: (a) return all Customer Data in a commonly used, machine-readable, interoperable, and portable format; or (b) securely delete all Customer Data (including copies, replicas, backups, logs, caches, indexes, and derivative data) using methods conforming to NIST SP 800-88 (Guidelines for Media Sanitization), and provide a signed certification of destruction.
13.2 Timeline. Return or deletion completed within thirty (30) calendar days.
13.3 Legal Retention Exception. Retention permitted only to the extent required by law, with continued confidentiality and security, Processing limited to the legally required purpose, and deletion upon expiration of the retention period.
13.4 Transition Assistance. Ninety (90) calendar day post-termination transition period for data export via self-service tools, at no additional charge. All remaining Customer Data securely deleted within thirty (30) days after transition period expiration.
13.5 Backup Handling. Where individual deletion from backup/archival systems is not technically feasible, the Processor shall isolate and protect data, continue applying this Agreement’s protections, delete data per standard backup rotation not exceeding one hundred eighty (180) calendar days, and confirm deletion in writing upon request.
13.6 Service-Generated Data. Upon termination, the Processor shall delete or anonymize all Service-Generated Data that contains or is derived from identifiable Personal Data within ninety (90) calendar days.
14. U.S. State Privacy Law Provisions
14.1 California (CCPA/CPRA)
- The Processor is a “Service Provider” under Cal. Civ. Code §1798.140(ag).
- The Processor shall not sell or share (per §1798.140(ad), (ah)) Personal Data.
- The Processor shall not retain, use, or disclose Personal Data for any commercial purpose other than providing the Services or outside the direct business relationship.
- The Processor shall not combine Personal Data from the Controller with data from other sources, except as permitted by CCPA/CPRA implementing regulations (§7051).
- The Controller may take reasonable steps to ensure the Processor uses Personal Data consistently with the Controller’s CCPA/CPRA obligations, including monitoring, auditing, and inspection.
- The Processor shall notify the Controller if it determines it can no longer meet its CCPA/CPRA obligations.
- The Processor shall honor GPC signals and other opt-out preference signals per CPRA regulations and CPPA enforcement guidance.
- The Processor hereby certifies that it understands and will comply with these restrictions.
14.2 Comprehensive U.S. State Privacy Laws
For each U.S. State Privacy Law that applies to the Processing, the Processor shall act as a “processor” (or equivalent role); assist the Controller in responding to consumer rights requests within statutory timeframes; cooperate with required data protection assessments; provide appropriate confidentiality, security, and breach notification guarantees; allow reasonable assessments by the Controller; comply with state-specific requirements regarding sensitive data, biometric data, or children’s data; and not engage in Processing that would cause the Controller to violate any such law.
14.3 Maryland Online Data Privacy Act (MODPA)
The Processor specifically acknowledges MODPA’s prohibition on the sale of sensitive data and restrictions on targeted advertising using sensitive data, and shall comply with these provisions.
14.4 Future Laws
If any new U.S. state comprehensive privacy legislation becomes applicable during the term, the Processor shall use commercially reasonable efforts to comply and cooperate with the Controller.
15. Automated Decision-Making, AI, and Machine Learning
15.1 No Training Without Consent. The Processor shall not use Customer Data (including Personal Data) to train, develop, improve, or fine-tune any AI/ML model without the Controller’s prior, specific, written consent specifying scope, purpose, safeguards, and duration.
15.2 Automated Features. If the Services incorporate automated decision-making or profiling, the Processor shall provide meaningful information about the logic, significance, and envisaged consequences; implement safeguards including human intervention; ensure no legal or similarly significant effects without a lawful basis; and maintain sufficient documentation.
15.3 AI Transparency. The Processor shall disclose which features of the Services use AI/ML, whether such features are enabled by default, and how the Controller may disable them.
15.4 Bias and Fairness. Where the Services use AI/ML to make or assist decisions about Data Subjects, the Processor shall regularly test for discriminatory outcomes, take appropriate corrective action, and document its fairness and bias assessment processes.
16. De-identified, Anonymized, and Aggregated Data
16.1 The Processor may create De-identified or Anonymized Data only for: (a) providing, maintaining, securing, and improving the Services; (b) internal benchmarking and analytics; or (c) purposes expressly permitted in the Principal Agreement.
16.2 Safeguards. The Processor shall ensure such data cannot reasonably be re-identified; not attempt re-identification; contractually prohibit downstream recipients from re-identification; implement technical safeguards (k-anonymity, differential privacy, or equivalent where feasible); treat any accidental re-identification as a Personal Data Breach; and maintain documentation of de-identification methods.
16.3 Properly de-identified or anonymized data is excluded from this Agreement. Burden of proof rests with the Processor.
17. Children’s Data, Sensitive Data, and Sector-Specific Requirements
17.1 Children’s Data. If the Services involve Processing data of children (under 13 per COPPA; under 16 per GDPR Art. 8), the following apply: compliance with COPPA and equivalent laws; heightened security; no profiling, targeted advertising, or secondary use; support for verifiable parental consent; enhanced deletion capability; and compliance with the Children’s Online Privacy Protection Rule (16 CFR Part 312).
17.2 Sensitive / Special Category Data. Where applicable: enhanced encryption, access controls, and audit logging; Processing limited to Schedule 1 purposes; strict need-to-know access; sector-specific compliance:
- HIPAA: If protected health information (PHI) is Processed, a separate Business Associate Agreement (BAA) per Schedule 6 must be executed prior to Processing. This DPA does not constitute a BAA.
- PCI DSS: If payment card data is Processed, the Processor shall maintain PCI DSS compliance and provide its Attestation of Compliance (AOC) annually.
- FERPA: If education records are Processed, the Processor shall comply with the Family Educational Rights and Privacy Act.
- GLBA: If financial data subject to the Gramm-Leach-Bliley Act is Processed, the Processor shall maintain an information security program per the FTC Safeguards Rule.
17.3 Biometric Data. Where the Services Process biometric identifiers (as defined under Illinois BIPA, Texas CUBI, Washington, or equivalent state law), the Processor shall: not sell, lease, or profit from such data; store, transmit, and protect using reasonable security; retain only as long as necessary; and permanently destroy upon achieving the purpose or within three (3) years of last interaction, whichever is sooner.
18. Data Localization and Storage
18.1 The Processor shall store and Process Personal Data in the geographic regions specified in Schedule 1 or the Principal Agreement and shall not change locations without prior written notice and compliance with Section 10.
18.2 Where the Controller designates a region for data residency, primary storage, all active Processing, and backups shall remain within that region. Transient processing outside the region (CDN delivery, failover) is permitted only if disclosed, covered by appropriate transfer mechanisms, and encrypted in transit and at rest.
18.3 Data Sovereignty. The Processor shall not Process or store Personal Data in any jurisdiction subject to comprehensive sanctions by the U.S. (OFAC SDN List), EU, or UK without the Controller’s prior written consent.
19. Liability, Indemnification, and Insurance
19.1 GDPR Liability. Each Party is liable per Articles 82–83 GDPR, Article 43 UK GDPR, and equivalent provisions.
19.2 Limitation of Liability
19.2.1 General Cap. Except for the carve-outs in Section 19.2.3, each party’s aggregate liability arising out of or related to this agreement, whether in contract, tort (including negligence), strict liability, or any other legal theory, shall not exceed the greater of: (a) the total fees paid and payable by the Controller to the Processor under the Principal Agreement during the twelve (12) months immediately preceding the event giving rise to the claim; or (b) $100,000 (one hundred thousand U.S. dollars).
19.2.2 Exclusion of Consequential Damages. Except for the carve-outs in Section 19.2.3, in no event shall either party be liable to the other party for any indirect, incidental, consequential, special, punitive, or exemplary damages, including but not limited to damages for loss of profits, revenue, goodwill, business opportunity, data (other than Personal Data), or anticipated savings, regardless of whether such party has been advised of the possibility of such damages and regardless of the legal theory upon which the claim is based.
19.2.3 Super Cap / Carve-Outs. The following are subject to a separate aggregate cap equal to two times (2x) the amount in Section 19.2.1(a) (the “Super Cap”): (a) the Processor’s indemnification obligations under Section 19.3; (b) either Party’s breach of confidentiality (Section 21); (c) the Processor’s unauthorized Processing in violation of Section 3.4; and (d) the Processor’s regulatory fine reimbursement obligations under Section 19.4. The following are not subject to any cap: (i) liability for fraud, willful misconduct, or gross negligence; (ii) liability that cannot be limited by applicable law (including mandatory GDPR liability under Article 82); and (iii) obligations to pay fees owed under the Principal Agreement.
19.3 Indemnification
19.3.1 Processor Indemnification. The Processor shall indemnify, defend, and hold harmless the Controller from all third-party claims arising from: (a) Processor’s material breach of this Agreement; (b) Processor’s violation of Applicable Data Protection Laws attributable to the Processor’s acts or omissions; (c) Processor’s gross negligence or willful misconduct in Processing Personal Data; (d) Sub-processor acts or omissions per Section 6.5; or (e) breach of the prohibited Processing provisions (Section 3.4).
19.3.2 Controller Indemnification. The Controller shall indemnify, defend, and hold harmless the Processor from all third-party claims arising from: (a) Controller’s breach of this Agreement; (b) Controller’s violation of Applicable Data Protection Laws; (c) unlawful or unauthorized Processing instructions; (d) failure to obtain required consents or establish a lawful basis for Processing; (e) any Data Subject claim arising from the Controller’s Processing prior to or independent of the Services; or (f) Personal Data submitted in violation of Section 4.1 (e.g., PHI without a BAA).
19.3.3 Indemnification Procedures. The indemnified Party shall promptly notify the indemnifying Party of any claim, grant sole control of the defense and settlement (subject to the indemnified Party’s consent where obligations are imposed on it), and provide reasonable cooperation at the indemnifying Party’s expense.
19.4 Regulatory Fines
19.4.1 Where a regulatory fine or penalty is imposed on the Controller resulting directly and solely from the Processor’s breach, the Processor shall reimburse such fine to the extent it is finally determined to be attributable to the Processor’s breach, subject to the Super Cap in Section 19.2.3.
19.4.2 Where a regulatory fine is imposed on the Processor resulting from the Controller’s instructions or breach, the Controller shall reimburse such fine under the same terms.
19.5 Insurance
The Processor shall maintain insurance coverage commercially appropriate to the nature, scope, and scale of its business, which may include commercial general liability; professional liability / errors and omissions; cyber liability and privacy insurance; and workers’ compensation as required by law. Upon request, the Processor shall provide a summary of its current coverage. The Processor shall notify the Controller within thirty (30) calendar days of any material reduction in, or cancellation of, its cyber liability coverage.
19.6 Injunctive Relief
Each Party acknowledges that a breach of Sections 3.4, 21, or any unauthorized Processing may cause irreparable harm for which monetary damages alone are insufficient. Each Party is entitled to seek injunctive or other equitable relief, without the necessity of posting a bond.
19.7 Limitation Period
Claims under this Agreement must be brought within two (2) years of the date the claiming Party became aware (or should reasonably have become aware) of the claim, except that claims for indemnification may be brought within three (3) years, and claims related to regulatory fines may be brought within the applicable statute of limitations.
19.8 Disclaimer of Warranties
Except for the express warranties set forth in this Agreement, the Processor provides the Services and its data processing capabilities on an “as is” and “as available” basis with respect to data protection features. The Processor disclaims all implied warranties, including implied warranties of merchantability, fitness for a particular purpose, non-infringement, and any warranties arising from course of dealing or usage of trade. The Processor does not warrant that the security measures will be unbreachable or that the Services will be error-free, uninterrupted, or free of vulnerabilities. This disclaimer does not limit the Processor’s express obligations under this Agreement.
20. Term and Termination
20.1 Term. This Agreement is effective from the Effective Date and continues for the duration of the Principal Agreement and any period during which the Processor continues to Process Personal Data.
20.2 Termination for Breach. Either Party may terminate upon material breach uncured within thirty (30) calendar days of written notice.
20.3 Immediate Termination/Suspension. The Controller may suspend or terminate immediately if: (a) a Supervisory Authority orders suspension; (b) material breach of SCCs or transfer mechanisms; (c) failure to comply with binding court or regulatory decisions; (d) ongoing material risk from a Personal Data Breach; (e) Processor notifies inability to meet CCPA/CPRA obligations; (f) insolvency, liquidation, receivership, or administration; (g) Processor materially breaches Section 3.4; or (h) Processor’s government access warranty ceases to be true.
20.4 Effects. Upon termination: immediate cessation of Processing (except orderly wind-down); compliance with Section 13; and transition assistance per Section 13.4.
20.5 Survival. Sections 1.3, 3.3, 3.4, 8, 11, 12, 13, 16, 17.2, 19, 21, 22, and all applicable Schedules survive termination.
21. Confidentiality
21.1 Each Party shall treat this Agreement’s terms and all Personal Data as Confidential Information. The receiving Party shall: (a) not disclose to third parties without prior written consent, except to Authorized Persons and professional advisors bound by equivalent obligations, or as required by law; (b) use only for this Agreement’s purposes; and (c) apply at least the same care as for its own confidential information of like nature, but no less than reasonable care.
21.2 Survival. Confidentiality obligations survive for five (5) years after termination, or for as long as trade secret protection applies, whichever is longer.
21.3 Exclusions. Standard confidentiality exclusions apply (public knowledge, independent development, rightful receipt from third parties, prior possession without obligation).
22. General Provisions
22.1 Governing Law. This Agreement is governed by the laws of the State of Illinois, without regard to conflict-of-law principles. This choice shall not limit Data Subject rights under mandatory provisions of Applicable Data Protection Laws.
22.2 Dispute Resolution. Disputes shall be resolved as follows: (a) good-faith negotiation for thirty (30) days; (b) if unresolved, binding arbitration administered by the American Arbitration Association (AAA) under its Commercial Arbitration Rules, before a single arbitrator, in Chicago, Illinois; (c) the arbitrator may award injunctive relief; (d) judgment on the award may be entered in any court of competent jurisdiction. Data Subject claims are not subject to mandatory arbitration.
22.3 Entire Agreement. This Agreement (including Schedules and Annexes) and the Principal Agreement constitute the entire agreement regarding Processing of Personal Data, superseding all prior communications.
22.4 Amendments. Amendments require written agreement signed by both Parties, except: the Processor may update this DPA to reflect changes in Applicable Data Protection Laws or regulatory guidance, provided that updates do not materially reduce Controller rights or data protections, with thirty (30) calendar days’ prior notice and the right to object and terminate the affected Services with a pro-rata refund.
22.5 Severability. Invalid provisions shall be reformed to the minimum extent necessary to preserve original intent. Remaining provisions continue in full force.
22.6 No Waiver. Written waiver required. Failure to enforce is not a waiver.
22.7 Assignment. No assignment without prior written consent, except to an affiliate assuming all obligations or in connection with a merger, acquisition, or asset sale.
22.8 Notices. Written notices by hand delivery, overnight courier, registered mail, or email (with confirmed receipt).
22.9 Force Majeure. Obligations excused for circumstances beyond reasonable control, except: data security (Section 7), breach notification (Section 8), confidentiality (Section 21), data deletion (Section 13), and government access (Section 11) obligations are NOT excused.
22.10 Third-Party Beneficiaries. Data Subjects are intended third-party beneficiaries to the extent required by Applicable Data Protection Laws and the SCCs.
22.11 Counterparts and Electronic Execution. Counterparts permitted. Electronic signatures (DocuSign, Adobe Sign, or equivalent) are valid originals.
22.12 SCCs Integration. Where applicable, the SCCs are integral and prevail over this DPA in conflict. The Schedules serve as SCC Annexes where applicable.
22.13 Version Control. This DPA is published at /legal/dpa with version control. The Processor maintains an archive of prior versions, available on request.
22.14 Export Controls and Sanctions. The Processor shall comply with all applicable export control laws and economic sanctions regulations (U.S. EAR, ITAR, OFAC; EU sanctions; UK sanctions).
22.15 Anti-Corruption. Each Party shall comply with all applicable anti-corruption and anti-bribery laws, including the U.S. Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act 2010.
22.16 Publicity. Neither Party shall use the other Party’s name, trademarks, or logos in any publicity, advertising, or marketing materials without prior written consent.
Schedule 1: Details of Processing (SCC Annex I)
| Item | Description |
|---|---|
| A. Data Exporter (Controller) | As specified in the applicable Order Form or Principal Agreement. |
| B. Data Importer (Processor) | Phoenix Holdings LLC, privacy@dealmatrixcrm.com |
| C. Subject Matter | Processing of Personal Data to provide Deal Matrix CRM, a customer relationship management platform as set forth in the Principal Agreement. |
| D. Nature of Processing | Collection, storage, organization, structuring, retrieval, use, hosting, display, transmission, backup, indexing, search, analytics, and erasure of Personal Data as necessary to deliver the Services, including account management, authentication, authorization, customer support, billing, notifications, reporting, and integration. |
| E. Purpose of Processing | To provide, maintain, support, secure, and improve the Services; fulfill Controller instructions; comply with applicable legal obligations. Specific purposes: account and user management; CRM data storage and retrieval; deal and pipeline management; contact and company management; calendar synchronization; document and file storage; transactional email notifications; AI-assisted data import and field mapping; analytics and reporting; billing and subscription management (when activated); customer support. |
| F. Duration | Term of Principal Agreement plus applicable transition and retention periods (Section 13). |
| G. Data Subject Categories | Customer’s employees, contractors, authorized end users, business contacts, prospective clients, deal counterparties, website visitors, and support requestors. |
| H. Personal Data Types | Contact names, email addresses, telephone numbers, postal addresses, job titles, company/organization names and details, deal/opportunity data (values, stages, pipeline status, notes, activity history), calendar events and meeting data, file uploads (documents, logos, valuation reports), user account data (name, email, profile photo, role, organization membership), IP addresses, device identifiers, browser type and version, usage and behavioral data, account credentials (hashed and salted), payment and billing data (tokenized, when Stripe is activated), communication records, geolocation data (IP-derived), cookie identifiers, timezone, language preferences, OAuth tokens (encrypted, for Google Calendar sync). |
| I. Sensitive / Special Category Data | None anticipated. The Services are not designed to process special category data. If sensitive data is uploaded by the Controller in the course of using the Services, the Controller is solely responsible for ensuring a lawful basis and must notify the Processor in advance. |
| J. Transfer Frequency | Continuous real-time during active use of the Services; periodic batch processing for analytics, reporting, and backup purposes; on-demand via API integrations (e.g., Google Calendar sync, AI field mapping). |
| K. Retention Period | Per Section 13. For the duration of the Principal Agreement, plus the ninety (90) day transition period, plus thirty (30) days for secure deletion. Backup rotation: up to one hundred eighty (180) calendar days. |
| L. Competent Supervisory Authority | Illinois Attorney General; California Privacy Protection Agency (CPPA); and/or the applicable Supervisory Authority based on Data Subject location. |
| M. Data Storage Locations | United States (Vercel/AWS us-east-1, Supabase us-east-1). Cloudflare Edge Network (global CDN with points of presence worldwide). Additional regions available upon request. |
| N. Data Exporter DPO Contact | As designated by the Customer in its account settings or Order Form. |
| O. Data Importer DPO Contact | As designated by the Customer in its account settings or Order Form. |
Schedule 2: Technical and Organizational Measures (SCC Annex II)
Subject to continuous improvement; updates shall not materially decrease protection.
| Domain | Measures |
|---|---|
| Access Control | RBAC; least-privilege; MFA (all admin/privileged); SSO (SAML 2.0/OIDC); SCIM provisioning/de-provisioning; PAM; quarterly access certifications; session management (timeout, concurrent limits); IP allowlisting; just-in-time access for production. |
| Encryption | AES-256 at rest; TLS 1.2+ in transit (1.3 preferred); HSTS; HSM-backed key management with automated rotation; encrypted DB connections; FDE on endpoints; encrypted backups (segregated keys); CMEK/BYOK option (tier-dependent). |
| Network Security | Defense-in-depth; segmentation/micro-segmentation; NGFW with DPI; IDS/IPS; DDoS mitigation; WAF; DNSSEC; zero-trust admin access; egress filtering; data exfiltration detection; network anomaly detection. |
| Application Security | Secure SDLC; OWASP Top 10 / SANS 25; SAST, DAST, SCA in CI/CD; peer code review; dependency scanning; input validation/output encoding; CSP/security headers; API rate limiting/auth; container/image scanning; SBOM generation. |
| Monitoring & Logging | 24/7 SOC; SIEM with correlation/anomaly detection; centralized logging (12mo min, 24mo security); DAM; FIM; UEBA; CSPM; real-time alerting with escalation; tamper-evident log storage. |
| Vulnerability Management | Continuous scanning; annual pen test (black/gray box + app layer); bug bounty; patch SLAs (critical: 24h, high: 7d, med: 30d, low: 90d); CIS Benchmarks; configuration drift detection. |
| Physical Security | Tier III+ data centers; SOC 2 Type II / ISO 27001 certified; multi-factor physical access; 24/7 security + CCTV (90d); mantrap; environmental controls; visitor management with escort; media destruction. |
| BCP / DR | Board-approved BCP/DR; annual testing; geo-distributed redundancy; defined RTO/RPO per tier; automated failover; backup integrity testing; pandemic/supply-chain contingency; cross-region replication. |
| Personnel | Background checks; onboarding and annual security training with phishing simulations; privileged-user training; AUP, clean desk, screen lock; NDAs; disciplinary procedures; immediate revocation on exit; exit interviews. |
| Data Management | Classification (public/internal/confidential/restricted); pseudonymization/tokenization; minimization by design/default; DLP (endpoint/network/cloud); NIST 800-88 deletion; data inventory/mapping; privacy-by-design; non-prod masking. |
| Incident Response | NIST 800-61 aligned; 24/7 on-call IR team; semi-annual tabletop exercises; external forensics retainer; automated containment; post-incident review/RCA; pre-drafted comms templates; IR metrics/KPIs. |
| Third-Party / Supply Chain | Risk-tiered vendor assessment (SIG/CAIQ); contractual security/privacy; annual critical vendor reassessment; right-to-audit; supply chain integrity; fourth-party monitoring; SBOM for critical deps. |
Schedule 3: Approved Sub-processors (SCC Annex III)
Current list at /legal/sub-processors. Updates per Section 6. Entries marked with an asterisk (*) are pending activation.
| Sub-processor | Legal Entity | Location | Transfer Mechanism | Processing Activities |
|---|---|---|---|---|
| Vercel | Vercel, Inc. | USA | N/A (domestic) | Application hosting, deployment, serverless compute, Edge CDN |
| Supabase | Supabase, Inc. | USA | N/A (domestic) | PostgreSQL database hosting, file/object storage (vault documents, logos, valuations) |
| Clerk | Clerk, Inc. | USA | N/A (domestic) | User authentication, session management, organization/tenant management |
| Resend | Resend, Inc. | USA | N/A (domestic) | Transactional email delivery (notifications, invitations, alerts) |
| Google Calendar | Google LLC | USA | N/A (domestic) | Two-way calendar synchronization via OAuth (Google Calendar API) |
| Sentry | Functional Software, Inc. | USA | N/A (domestic) | Application error monitoring, performance tracking, crash reporting |
| Anthropic | Anthropic, PBC | USA | N/A (domestic) | AI-powered features (import field mapping, data classification) |
| Cloudflare | Cloudflare, Inc. | USA (global edge) | N/A (domestic); SCCs for EU edge nodes | DNS management, CDN, DDoS protection, SSL/TLS termination |
| Stripe * | Stripe, Inc. | USA / Ireland | N/A (domestic); DPF / SCCs for EU | Payment processing, billing, subscription management (pending activation) |
| Upstash * | Upstash, Inc. | USA | N/A (domestic) | Redis-backed rate limiting and request throttling (pending activation) |
| Mailchimp * | The Rocket Science Group LLC (Intuit) | USA | N/A (domestic) | Email marketing campaigns and subscriber management (pending activation) |
Schedule 4: Cross-Border Transfer Mechanisms
Supplements SCC Annex I, Section C. Updated as mechanisms change.
| Mechanism | Configuration |
|---|---|
| EU SCCs (2021/914) | Module 2 (C2P) and/or Module 3 (P2P). Clause 7 (Docking): included. Clause 9: Option 2 (general auth, 30-day objection). Clause 11: optional redress included. Clause 13(a): SA of Controller’s EU establishment. Clause 17 Option 1: law of Controller’s EU establishment (Ireland if none). Clause 18(b): courts of same. Supplemented by TIAs. |
| UK IDTA / Addendum | UK Addendum to EU SCCs or standalone IDTA under DPA 2018 §119A, with Part 2 mandatory clauses. SA: UK ICO. |
| Swiss FADP | EU SCCs as recognized by Swiss FDPIC, with required amendments (GDPR refs include FADP; EU/EEA refs include Switzerland; legal entities covered per revised FADP). |
| EU-U.S. DPF | Where data importer is DPF self-certified (EU-U.S., UK Extension, Swiss-U.S.). Processor monitors certification; 5 business day notice if certification lapses or is revoked. |
| Adequacy Decisions | Where European Commission, UK SoS, or Swiss FDPIC has issued adequacy. Processor monitors validity; 5 business day notice if revoked/suspended/challenged. |
| Supplementary Measures | Per TIA: (a) technical: additional encryption, in-use encryption, pseudonymization, key management outside destination, split processing; (b) organizational: strict access policies, transparency reporting, compliance audits; (c) contractual: commitment to challenge government requests using all legal remedies, notify Controller, minimize disclosure. |
Schedule 5: Jurisdiction-Specific Addenda
The following apply where Personal Data is subject to the identified jurisdiction’s laws.
| Jurisdiction | Supplementary Terms |
|---|---|
| EU/EEA (GDPR) | Processor per Art. 4(8). Arts. 28–36 apply in full. Chapter III Data Subject rights. SA per Schedule 1. |
| UK (UK GDPR) | GDPR refs read as UK GDPR (DPA 2018). SA: UK ICO. UK IDTA/Addendum for Restricted Transfers. |
| Switzerland (FADP) | GDPR includes FADP. SA: Swiss FDPIC. EU/EEA includes Switzerland. Legal entities covered per revised FADP. |
| California (CCPA/CPRA) | Service Provider per §1798.140(ag). See Section 14.1. SA: CPPA and California AG. |
| Virginia (VCDPA) | Processor per Va. Code §59.1-575. Consumer rights: access, correction, deletion, portability, opt-out. DPA per §59.1-580. |
| Colorado (CPA) | Processor per C.R.S. §6-1-1303(17). DPA per §6-1-1309. SA: Colorado AG. |
| Connecticut (CTDPA) | Processor per Conn. Gen. Stat. §42-515(24). DPA per §42-520. |
| Utah (UCPA) | Processor per Utah Code §13-61-101. Consumer rights: access, deletion, portability, opt-out. SA: Utah AG. |
| Texas (TDPSA) | Processor per Tex. Bus. & Com. Code §541.001(24). DPA per §541.107. SA: Texas AG. |
| Oregon (OCPA) | Processor per ORS §646A.570. DPA per §646A.578. |
| Montana (MCDPA) | Processor per Mont. Code §30-15-301. SA: Montana AG. |
| Iowa (ICDPA) | Processor per Iowa Code §715D.1. SA: Iowa AG. |
| Indiana (INCDPA) | Processor per Ind. Code §24-15-1. SA: Indiana AG. |
| Tennessee (TIPA) | Processor per Tenn. Code §47-18-3601. SA: Tennessee AG. |
| Delaware (DPDPA) | Processor per Del. Code title 6 §12D-101. SA: Delaware DOJ. |
| New Hampshire (NHPA) | Processor per N.H. Rev. Stat. §507-H:1. SA: New Hampshire AG. |
| New Jersey (NJDPA) | Processor per N.J. Stat. §56:8-166. SA: New Jersey AG. |
| Nebraska (NDPA) | Processor per Neb. Rev. Stat. §87-1101. SA: Nebraska AG. |
| Maryland (MODPA) | Processor under MODPA. Sensitive data sale prohibited. Targeted advertising restrictions. SA: Maryland AG. |
| Minnesota (MCDPA-MN) | Processor under Minn. Stat. §325O. SA: Minnesota AG. |
| Kentucky (KCDPA) | Processor per Ky. Rev. Stat. §367.401. SA: Kentucky AG. |
| Rhode Island (RIDTPPA) | Processor per R.I. Gen. Laws §6-48.1-1. SA: Rhode Island AG. |
| Brazil (LGPD) | Operator per Art. 5(VII). SA: ANPD. Chapter III Data Subject rights. |
| Canada (PIPEDA) | Processor per PIPEDA Principles. SA: OPC. Provincial laws (Alberta PIPA, BC PIPA, Quebec Law 25) apply where applicable. |
Schedule 6: HIPAA Business Associate Agreement (BAA) Reference
This DPA does not constitute a HIPAA Business Associate Agreement. If the Controller is a Covered Entity or Business Associate under HIPAA (45 CFR Parts 160 and 164) and will transmit Protected Health Information (PHI) to the Processor, a separate BAA must be executed prior to any Processing of PHI.
The Processor offers a standard BAA for eligible service tiers. To request a BAA, contact support@dealmatrixcrm.com.
Until a BAA is duly executed by both Parties: (a) the Controller shall not submit PHI to the Services; (b) the Processor has no obligations under HIPAA with respect to data received via the Services; and (c) the Processor may delete any PHI inadvertently received and notify the Controller. Where a BAA is executed, it shall supplement (and not replace) this DPA. In the event of conflict between the BAA and this DPA regarding PHI, the BAA shall prevail.
Schedule 7: U.S. State Breach Notification Reference
This Schedule summarizes applicable U.S. state breach notification requirements. The Processor shall assist the Controller in meeting these timelines per Section 8.6. This is a reference guide; the Controller should consult legal counsel for jurisdiction-specific compliance.
| State | Notification Timeline | AG Notification | Key Notes |
|---|---|---|---|
| California | Expedient, without unreasonable delay | AG if >500 residents | Health data: 15 business days. Consumer report required. |
| New York | Expedient, without unreasonable delay | AG, DFS, DOS | SHIELD Act: broadened definitions. |
| Texas | 60 days | AG if >250 residents | Written or electronic notice. |
| Florida | 30 days | AG within 30 days if >500 | FIPA: individual notice within 30 days. |
| Illinois | As expedient as possible, without unreasonable delay | AG if >500 residents | BIPA applies for biometric data. |
| Massachusetts | As soon as practicable | AG and OCABR immediately | 201 CMR 17.00 security requirements. |
| Virginia | 60 days | AG within 60 days | VCDPA also applies to consumer data. |
| Colorado | 30 days | AG within 30 days | CPA also applies to consumer data. |
| Connecticut | 60 days | AG within 60 days | CTDPA also applies. |
| Washington | 30 days | AG within 30 days if >500 | Health data: specific requirements. |
| Oregon | 45 days | AG within 45 days if >250 | OCPA also applies. |
| Maryland | 45 days | AG within 45 days | MODPA also applies. |
| All Other States | Varies (30–90 days) | Varies by state | Processor maintains a current 50-state matrix. |
The Processor maintains a current 50-state (plus DC, territories, and federal) breach notification compliance matrix, available to the Controller upon request.
Contact
Questions about this DPA, BAA requests, or security documentation: support@dealmatrixcrm.com.
This document contains confidential and proprietary information. Unauthorized distribution is prohibited.
