Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the DeData Terms of Service between DeData, Inc. (“Processor”) and the customer organization (“Controller”) on a Teams plan. It governs processing of Personal Data on behalf of the Controller and incorporates the Standard Contractual Clauses (SCCs, Commission Implementing Decision (EU) 2021/914, Module 2: Controller to Processor) and the obligations required by GDPR Article 28.
1. Subject Matter & Duration
Processor will Process Personal Data only to provide the DeData Services for the duration of the underlying agreement plus any statutory retention window described in our Privacy Policy.
2. Nature & Purpose of Processing
Processing is limited to: data-broker removal submissions, evidence storage, audit logging, and Controller-initiated data subject rights requests. No secondary use, no sale, no advertising.
3. Categories of Data & Data Subjects
Identification data (name, alias), contact data (email, postal address, phone), demographic data (DOB, prior addresses), account credentials, and evidence artifacts. Data subjects are the Controller's end users and any individuals whose removal the Controller submits.
4. Sub-processors
The current list of authorized sub-processors is published at /legal/subprocessors. Processor will give at least 14 days' notice before adding or replacing a sub-processor.
5. International Transfers
Where Personal Data is transferred from the EEA, UK, or Switzerland to a third country without an adequacy decision, the EU Standard Contractual Clauses (Module 2: Controller to Processor, 2021/914) are incorporated by reference and form part of this DPA.
6. Security
Processor implements the technical and organizational measures described in our Trust Center: AES-256-GCM PII vault, isolated key management, append-only audit logs, least-privilege access, MFA on all administrative accounts, and incident response.
7. Data Subject Requests & Breach Notification
Processor will assist Controller in responding to data subject requests and will notify Controller of any Personal Data Breach without undue delay (target: within 72 hours of a confirmed incident).
8. Deletion & Return
On termination, Processor will delete or return all Personal Data within 30 days, except where retention is required by applicable law.
9. Controller & Processor Obligations
Controller is responsible for the lawfulness of Personal Data it submits, for obtaining required consents, and for issuing documented instructions to Processor. Processor will: (a) process Personal Data only on Controller's documented instructions; (b) ensure persons authorized to process Personal Data are bound by confidentiality; (c) implement the security measures in Section 6; (d) assist Controller with Articles 32–36 GDPR obligations; and (e) make available all information necessary to demonstrate compliance with Article 28 GDPR.
10. Audit Rights
Once per twelve-month period, Controller (or a mutually agreed independent auditor bound by confidentiality) may audit Processor's compliance with this DPA on at least 30 days' written notice, during business hours, without disrupting Processor's operations. Processor may satisfy audit obligations by providing then-current SOC 2 Type II reports or equivalent third-party attestations once available.
11. Governing Law & Order of Precedence
This DPA is governed by the law specified in the underlying DeData Terms of Service. In the event of conflict between this DPA and the Terms of Service, this DPA controls with respect to processing of Personal Data. In the event of conflict between this DPA and the SCCs incorporated under Section 5, the SCCs control.
Signature Block
Processor: DeData, Inc. — signed by an authorized officer on file.
Controller: signed by the authorized representative who clicks “Accept” below; the acceptance event (account ID, name, title, email, IP, user-agent, timestamp) is recorded in our audit log and is available on request as the signed counterpart.
Accept this DPA
An authorized representative of the Controller organization may accept this DPA on behalf of the org. Acceptance is timestamped and logged.
Boilerplate provided for review. This DPA references the EU Standard Contractual Clauses (Commission Decision 2021/914) and GDPR Article 28. For redlines or negotiated terms contact privacy@dedatalabs.org.