Data Processing Agreement

Last updated: December 26, 2025 | Effective: December 26, 2025

Need a Signed DPA?

Enterprise customers can request a countersigned DPA.

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Solinth Analytics Engine ("Processor", "we", "us") and the customer ("Controller", "you") who has agreed to the Terms of Service. This DPA reflects the parties' agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA).

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Controller" means the entity that determines the purposes and means of Processing Personal Data.
  • "Processor" means the entity that Processes Personal Data on behalf of the Controller.
  • "Sub-Processor" means any third party engaged by the Processor to Process Personal Data.
  • "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, UK GDPR, and CCPA.
  • "Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the European Commission for international data transfers.

2. Scope and Purpose

This DPA applies to the Processing of Personal Data by Solinth on behalf of the Controller in connection with the provision of the Solinth Analytics Engine service.

2.1 Categories of Data Subjects

  • Controller's employees and contractors
  • Controller's customers and end users
  • Controller's business contacts and partners
  • Any individuals whose data is processed through connected integrations

2.2 Types of Personal Data

  • Contact information (name, email, phone)
  • Account credentials and authentication data
  • Usage data and analytics
  • Business metrics and financial data
  • Data from connected third-party integrations
  • Technical data (IP addresses, device information)

2.3 Processing Activities

  • Providing the analytics and correlation service
  • Storing and processing data from connected integrations
  • Generating insights and reports
  • Providing customer support
  • Maintaining security and preventing fraud

3. Processor Obligations

Solinth, as Processor, agrees to:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorized to Process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to Data Subject requests
  • Assist the Controller in ensuring compliance with security, breach notification, and impact assessment obligations
  • Delete or return all Personal Data upon termination of the Agreement
  • Make available all information necessary to demonstrate compliance
  • Immediately inform the Controller if an instruction infringes Data Protection Laws

4. Security Measures

Solinth implements and maintains the following technical and organizational security measures:

Encryption

  • TLS 1.3 for data in transit
  • AES-256 for data at rest
  • End-to-end encryption for sensitive data

Access Control

  • Role-based access control (RBAC)
  • Multi-factor authentication
  • Principle of least privilege

Infrastructure

  • SOC 2 Type II certified providers
  • Regular security assessments
  • DDoS protection

Monitoring

  • 24/7 security monitoring
  • Intrusion detection systems
  • Comprehensive audit logging

5. Sub-Processors

The Controller authorizes Solinth to engage the following Sub-Processors. Solinth will notify the Controller of any intended changes to Sub-Processors, giving the Controller the opportunity to object.

Sub-Processor | Purpose | Location
Amazon Web Services (AWS) | Cloud infrastructure and hosting | United States, EU (Frankfurt)
Vercel Inc. | Application hosting and CDN | United States, EU
Supabase Inc. | Database hosting and authentication | United States, EU
Stripe Inc. | Payment processing | United States
PostHog Inc. | Product analytics | United States, EU
Resend Inc. | Transactional email delivery | United States
Sentry Inc. | Error monitoring and performance | United States
Nango Inc. | OAuth connection management | United States, EU
Inngest Inc. | Background job processing | United States
Upstash Inc. | Redis caching and rate limiting | United States, EU

Sub-Processor Changes: We will notify you at least 30 days before adding or replacing Sub-Processors. You may object to changes by contacting legal@solinth.com within 14 days of notification.

6. International Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use EU-approved SCCs for transfers to countries without adequacy decisions
  • EU-US Data Privacy Framework: Where applicable, we rely on certified Sub-Processors under the DPF
  • Supplementary Measures: We implement additional technical and organizational measures as needed
  • Transfer Impact Assessments: We conduct assessments for transfers to high-risk jurisdictions

7. Data Subject Rights

Solinth will assist the Controller in responding to Data Subject requests, including:

  • Right of access to Personal Data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restriction of Processing
  • Right to data portability
  • Right to object to Processing
  • Rights related to automated decision-making

We will respond to Data Subject requests within 72 hours and provide necessary information to enable the Controller to respond within statutory timeframes.

8. Data Breach Notification

In the event of a Personal Data breach, Solinth will:

  • Notify the Controller without undue delay and within 48 hours of becoming aware
  • Provide sufficient information to enable the Controller to meet regulatory notification obligations
  • Cooperate with the Controller in investigating and mitigating the breach
  • Document the breach, its effects, and remedial actions taken

Breach Notification Contents

  • Nature of the breach and categories of data affected
  • Approximate number of Data Subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact point for further information

9. Audit Rights

Solinth will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits:

  • Annual SOC 2 Type II reports available upon request under NDA
  • Penetration test results and security assessments available upon request
  • On-site audits permitted with 30 days' notice (Enterprise plans)
  • Questionnaire responses for security assessments

Audit costs are borne by the Controller unless the audit reveals material non-compliance by Solinth.

10. Data Deletion

Upon termination of the Agreement or upon Controller's request:

  • Controller may export all Personal Data within 30 days of termination
  • Solinth will delete all Personal Data within 30 days of the export period
  • Backup copies will be deleted within 90 days
  • Anonymized data may be retained for analytics purposes
  • Data required for legal compliance may be retained as required by law

Upon request, Solinth will provide written certification of data deletion.

11. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Agreement. However:

  • Solinth will indemnify the Controller for fines imposed due to Solinth's breach of this DPA
  • The Controller will indemnify Solinth for claims arising from the Controller's instructions that violate Data Protection Laws
  • Neither party limits liability for gross negligence, willful misconduct, or death/personal injury

12. Term and Termination

This DPA shall remain in effect for the duration of the Agreement. Upon termination:

  • Provisions relating to data deletion, confidentiality, and liability survive termination
  • Solinth will continue to protect any retained data in accordance with this DPA
  • The Controller may request certification of compliance upon termination

Contact & Execution

For questions about this DPA or to request a countersigned copy:

Solinth Analytics Engine - Legal Department

Email: legal@solinth.com

DPO Email: dpo@solinth.com

Address: 100 Market Street, Suite 300, San Francisco, CA 94105