Data Processing Agreement

Last updated: November 18, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Impact Radar ("Processor") and the customer ("Controller") and applies to Enterprise plan customers who process personal data through our Service in accordance with GDPR and other applicable data protection laws.

1. Definitions

For the purposes of this DPA:

  • "Controller" means the Enterprise customer who determines the purposes and means of processing personal data
  • "Processor" means Impact Radar, which processes personal data on behalf of the Controller
  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Data Subject" means the individual to whom Personal Data relates
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, or disclosure
  • "Sub-processor" means any third-party processor engaged by the Processor
  • "Data Protection Laws" means GDPR, CCPA, and other applicable data protection regulations

2. Scope and Roles

2.1 Application

This DPA applies to Personal Data processed by Impact Radar on behalf of the Controller through the Service, including but not limited to:

  • End user account information
  • Watchlist and portfolio data
  • Alert configuration data
  • API usage logs
  • Team member information

2.2 Roles and Responsibilities

The parties acknowledge and agree that:

  • The Controller determines the purposes and means of processing Personal Data
  • Impact Radar acts as a Processor and processes Personal Data only on documented instructions from the Controller
  • The Controller is responsible for ensuring it has legal grounds for processing under applicable Data Protection Laws

3. Processor Obligations

3.1 Processing Instructions

Impact Radar shall:

  • Process Personal Data only on documented instructions from the Controller, including regarding transfers of Personal Data to third countries
  • Immediately inform the Controller if it believes an instruction violates Data Protection Laws
  • Not process Personal Data for any purpose other than providing the Service

3.2 Confidentiality

Impact Radar shall ensure that persons authorized to process Personal Data:

  • Are subject to confidentiality obligations
  • Receive appropriate training on data protection
  • Access Personal Data only as necessary for their duties

3.3 Security Measures

Impact Radar implements appropriate technical and organizational measures including:

  • Encryption: TLS/SSL encryption for data in transit, encryption at rest for sensitive data
  • Access Controls: Role-based access control, multi-factor authentication
  • Network Security: Firewalls, intrusion detection, regular security audits
  • Data Integrity: Regular backups, disaster recovery procedures
  • Incident Response: Security incident monitoring and response procedures

4. Sub-processors

4.1 Authorization

The Controller authorizes Impact Radar to engage Sub-processors to assist in providing the Service, subject to the terms of this DPA.

4.2 Current Sub-processors

Impact Radar currently engages the following Sub-processors:

Sub-processor | Purpose                          | Location
Replit        | Cloud hosting and infrastructure | United States
Stripe        | Payment processing               | United States
Resend        | Email delivery                   | United States
Sentry        | Error monitoring                 | United States

4.3 Sub-processor Changes

Impact Radar will:

  • Provide at least 30 days' notice before adding or replacing Sub-processors
  • Maintain an updated list of Sub-processors at impactradar.co/sub-processors
  • Allow the Controller to object to new Sub-processors on reasonable data protection grounds
  • If the Controller objects, work with the Controller to find a solution or allow the Controller to terminate the agreement

4.4 Sub-processor Requirements

Impact Radar ensures that Sub-processors:

  • Are bound by data protection obligations equivalent to those in this DPA
  • Implement appropriate security measures
  • Only process Personal Data as instructed
  • Remain fully liable to the Controller for Sub-processor obligations

5. Data Subject Rights

To the extent legally permitted, Impact Radar will:

  • Promptly notify the Controller if it receives a request from a Data Subject
  • Not respond to Data Subject requests directly (unless required by law)
  • Provide reasonable assistance to the Controller in responding to Data Subject requests
  • Make available mechanisms for Data Subjects to exercise their rights (access, rectification, erasure, etc.)

6. Data Breach Notification

6.1 Notification Obligation

Impact Radar shall notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach affecting the Controller's data.

6.2 Breach Information

The notification shall include:

  • Description of the breach, including categories and approximate number of Data Subjects affected
  • Name and contact details of the data protection officer or other contact point
  • Description of likely consequences of the breach
  • Description of measures taken or proposed to address the breach

6.3 Assistance

Impact Radar shall provide reasonable assistance to the Controller in meeting its obligations regarding breach notification to supervisory authorities and Data Subjects.

7. Data Protection Impact Assessment

Impact Radar shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments and prior consultations with supervisory authorities, including:

  • Providing information about processing activities
  • Describing security measures in place
  • Documenting data flows and Sub-processors

8. International Transfers

8.1 Transfer Mechanisms

For transfers of Personal Data from the EEA to third countries, Impact Radar relies on:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions where applicable
  • Other appropriate safeguards as required by Data Protection Laws

8.2 Data Storage Locations

Personal Data is primarily stored in data centers located in the United States. Upon request, Impact Radar can provide information about specific data center locations.

9. Audit Rights

Impact Radar shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits and inspections:

  • The Controller may conduct audits once per year upon reasonable notice (at least 30 days)
  • Audits shall be conducted during business hours and shall not unreasonably interfere with operations
  • The Controller shall bear all costs of audits unless material non-compliance is found
  • Impact Radar may provide standard audit reports (SOC 2, ISO 27001) in lieu of on-site audits

10. Data Return and Deletion

10.1 Upon Termination

Upon termination of the Service, Impact Radar shall, at the Controller's choice:

  • Return all Personal Data to the Controller in a structured, commonly used format
  • Delete all Personal Data, unless required to retain by law

10.2 Deletion Timeline

Personal Data deletion shall occur within 90 days of termination, except for:

  • Backups retained for disaster recovery (deleted within 180 days)
  • Data required to be retained by law
  • Anonymized data used for analytics

10.3 Certification

Upon request, Impact Radar shall provide written certification of data deletion.

11. Liability and Indemnification

Each party's liability arising out of or related to this DPA shall be subject to the limitation of liability provisions in the Terms of Service. The parties agree that any regulatory fines levied as a result of Personal Data processing shall be allocated based on responsibility for the violation.

12. Duration and Termination

This DPA shall remain in effect for the duration of the Service agreement and shall automatically terminate upon termination of the Service agreement. Sections relating to data return, deletion, and confidentiality shall survive termination.

13. Amendments

Impact Radar may amend this DPA from time to time to reflect changes in Data Protection Laws or processing activities. Material amendments will be communicated to the Controller with at least 30 days' notice.

14. Governing Law

This DPA shall be governed by the same law as the Terms of Service. In the event of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to Personal Data processing.

15. Contact for Data Protection Matters

For questions or concerns regarding data processing under this DPA, please contact:

Impact Radar - Data Protection Officer

Email: dpo@impactradar.co

Privacy Email: privacy@impactradar.co

Enterprise Support: enterprise@impactradar.co

Enterprise Customers

This DPA is automatically incorporated into Enterprise subscription agreements. Enterprise customers who require a customized DPA or have specific compliance requirements should contact enterprise@impactradar.co to discuss custom terms.