Counsel Review Pending

Status: This document is a working template aligned to GDPR Article 28. It has not yet been reviewed by external legal counsel. Items marked TODO: legal counsel review indicate clauses that must be confirmed, tightened, or replaced before the DPA is treated as counsel-approved. Until that review is complete, this version is published for transparency and customer review only.

Data Processing Addendum

DeData Privacy Labs  ·  Last Updated: 2026-05-07

This DPA must be signed by an authorized representative of the customer organization before Teams accounts may activate. Owners can accept via the Settings page after signup.

1. Parties

This Data Processing Addendum (the “DPA”) is entered into between:

  • DeData Privacy Labs (“DeData”, the “Processor”), a Delaware company; and
  • [Customer Legal Name] (the “Customer” or “Controller”), the organization identified at signing.

This DPA forms part of, and is incorporated into, the master agreement between the parties (the DeData Terms of Service or any signed order form referencing it, the “Agreement”). Capitalized terms not defined here have the meaning given in the Agreement or in Article 4 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”). TODO: legal counsel review

2. Scope and Purpose of Processing

DeData processes Personal Data on behalf of the Customer for the sole purpose of delivering the Service: identifying, requesting removal of, and monitoring the suppression of Customer-employee personal information held by third-party data brokers and people-search sites.

DeData will only process Personal Data on documented instructions from the Customer, including those reflected in the Agreement, this DPA, the Customer’s configuration of the Service, and any written instructions sent by an authorized Customer representative. TODO: legal counsel review

3. Categories of Data Subjects

The data subjects whose Personal Data DeData processes under this DPA are:

  • Employees, contractors, and other personnel of the Customer who opt into, or are enrolled by an authorized Customer administrator into, the Service.

4. Categories of Personal Data

The Personal Data processed under this DPA includes:

  • Full name and any prior names or aliases
  • Work email address and personal email address
  • Phone number(s)
  • Home address(es) and prior address history
  • Employer name and job title
  • Partial date of birth (month and year) where required by a broker to disambiguate a record

DeData does not request, and instructs Customer not to submit, special categories of personal data (Article 9 GDPR) such as health, biometric, religious, or political data. TODO: legal counsel review

5. Subprocessors

Customer authorizes DeData to engage subprocessors to assist in providing the Service. The current list is published at /legal/subprocessors and is incorporated into this DPA by reference.

DeData will provide Customer at least thirty (30) days’ prior written notice (via the email address on file for the Customer’s account owner, or via an in-app banner) before adding a new subprocessor that processes Personal Data. Customer may object to such addition on reasonable data-protection grounds within that 30-day window; if the parties cannot resolve the objection, Customer’s sole remedy is termination of the affected portion of the Service with a pro-rated refund.

DeData remains liable for the acts and omissions of its subprocessors as if they were DeData’s own. DeData will impose data-protection obligations on each subprocessor that are no less protective than those in this DPA. TODO: legal counsel review

6. Security Measures

DeData will implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access (Article 32 GDPR). At minimum:

  • Encryption in transit: TLS 1.2 or higher for all traffic between Customer, DeData, and subprocessors.
  • Encryption at rest: AES-256-GCM for stored Personal Data fields classified as PII.
  • Access control: Role-based access control (RBAC) with least-privilege defaults; production access gated by multi-factor authentication.
  • Audit logging: Append-only audit logs of access to Customer data, retained for the contract term plus the retention window in Section 9.
  • Breach notification: DeData will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach (Article 33 GDPR), and will provide the information required by Article 33(3) as it becomes available.

See also the DeData Security overview for current implementation detail. TODO: legal counsel review

7. Data Subject Rights Assistance

Taking into account the nature of the processing, DeData will assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer’s obligation to respond to data-subject requests under Articles 15–22 GDPR (access, rectification, erasure, restriction, portability, objection).

DeData will act on Customer’s instruction to access, export, correct, or delete Personal Data of an identified data subject within seven (7) calendar days of receiving the instruction through the in-app DSAR tooling or via privacy@dedatalabs.org, subject to Customer providing sufficient information to identify the data subject. TODO: legal counsel review

8. Data Location and International Transfers

Personal Data processed under this DPA is stored and processed in the United States. DeData’s primary hosting provider is US-based (currently Railway), and any AWS regions used for backups, queues, or supplementary storage are also located in the United States.

DeData will not transfer Personal Data of EU/EEA, UK, or Swiss data subjects to any country that lacks an adequacy decision under applicable law without first executing the relevant Standard Contractual Clauses (SCCs) or an equivalent valid transfer mechanism, and performing a transfer impact assessment where required. TODO: legal counsel review

9. Retention and Deletion

Upon termination or expiration of the Agreement, DeData will:

  1. Provide Customer with a 30-day grace period from the termination effective date during which Customer may export its data via the standard export tooling.
  2. Following the grace period, fully purge all Customer Personal Data from active systems, backups, and subprocessor systems within ninety (90) days, save where retention is required by applicable law (in which case the data will remain encrypted, isolated, and access-restricted until lawful deletion is possible).
  3. On written request from Customer, accelerate the purge by ending the grace period early and beginning the 90-day deletion clock immediately. Customer waives the grace period by making such a request.

DeData will, on written request, certify deletion in writing. TODO: legal counsel review

10. Audit Rights

Customer may, at most once per calendar year and on at least thirty (30) days’ prior written notice, request:

  • A copy of DeData’s most recent SOC 2 Type II report, when such report becomes available; or
  • A written summary of DeData’s technical and organizational measures sufficient to demonstrate compliance with this DPA in the interim.

On-site audits will not be conducted absent a regulator’s order, a Personal Data Breach affecting Customer, or other documented reasonable cause, and in any case require not less than 30 days’ prior written notice and a mutually agreed scope, schedule, and confidentiality undertaking. The requesting party bears its own audit costs. TODO: legal counsel review

11. Liability

Each party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to and counts toward the limitations of liability set out in the Agreement (the master Terms of Service or order form). Nothing in this DPA is intended to exclude or limit liability that cannot be excluded or limited under applicable law. TODO: legal counsel review

12. Governing Law

This DPA is governed by the laws of the State of Delaware, USA, without regard to its conflict-of-laws rules, except that mandatory data-protection laws of the data-subject’s jurisdiction (including the GDPR for EU/EEA data subjects and the UK GDPR/DPA 2018 for UK data subjects) apply where required by law. TODO: legal counsel review

13. Acceptance

Acceptance of this DPA is performed by an authorized representative of the Customer organization through the in-app Settings flow, which records the accepting user, organization, IP address, timestamp, and the DPA version below. Acceptance is required before Teams accounts may activate. This public page is read-only; no acceptance is captured here.

14. Contact

For DPA-related questions, signed copies, or escalations: privacy@dedatalabs.org.

© 2026 DeData Privacy Labs. All rights reserved.  ·  Version: dpa-v1-2026-05-07