Data Processing Addendum (DPA)
This Data Processing Addendum ("DPA") forms part of the Agreement between Visionboards AI ("Processor") and the Customer ("Controller").
1. Definitions
- "Personal Data": Any information relating to an identified or identifiable person
- "Processing": Any operation performed on Personal Data
- "Data Subject": The individual to whom Personal Data relates
- "Data Protection Laws": Applicable privacy and data protection laws
2. Data Processing
2.1 Scope and Purpose
The Processor shall process Personal Data only:
- To provide the services defined in the Agreement
- According to the Controller's documented instructions
- In compliance with applicable Data Protection Laws
2.2 Types of Data
Personal Data processed may include:
- Basic personal information (name, email)
- Authentication data
- Usage data
- Other data provided by users
3. Security
The Processor shall implement appropriate technical and organizational measures to ensure security of Personal Data, including:
- Encryption in transit and at rest
- Access controls
- Regular security testing
- Employee training
- Incident response procedures
4. Sub-processors
The Processor may engage sub-processors provided that:
- Controller is informed
- Sub-processors are bound by equivalent data protection obligations
- Processor remains liable for sub-processors
5. Data Subject Rights
Processor shall assist Controller in fulfilling data subject rights requests, including:
- Access
- Rectification
- Erasure
- Data portability
6. Data Transfers
Personal Data transfers outside the EEA shall be subject to appropriate safeguards per applicable laws.
7. Breach Notification
Processor shall notify Controller without undue delay after becoming aware of a Personal Data breach.
8. Termination
Upon termination of services, Processor shall:
- Return or delete all Personal Data
- Cease processing activities
- Ensure sub-processors do the same
9. Audit Rights
Controller may audit Processor's compliance with this DPA upon reasonable notice.
10. Liability
Processor shall be liable for damages caused by its processing in breach of this DPA or Data Protection Laws.
Last updated: November 27, 2024