Data Processing Addendum (DPA)
This Data Processing Addendum ("DPA") is entered into between CyberGrid ("Provider" / "Processor") and [Customer Legal Name] ("Customer" / "Controller"), and supplements the Master Services Agreement between the Parties dated [MSA Date] (the "Agreement"). Capitalized terms not defined herein have the meanings set forth in the Agreement or in applicable Data Protection Laws.
1. Definitions
"Data Protection Laws" means all data protection and privacy laws applicable to the processing of personal data under the Agreement, including: (a) the EU General Data Protection Regulation 2016/679 ("GDPR"); (b) the UK Data Protection Act 2018 and UK GDPR; (c) the California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA"); and (d) any other applicable national or state privacy law.
"Personal Data" has the meaning given in the applicable Data Protection Laws and refers to personal data of Customer's end users that is processed by Provider in the course of providing Services.
2. Roles and scope
The Parties agree that, with respect to Personal Data processed under the Agreement, Customer is the Controller / Business and Provider is the Processor / Service Provider. Provider processes Personal Data only on documented instructions from Customer, including for transfers to a third country, unless required to do so by applicable law.
3. Subject matter, duration, nature, and purpose of processing
| Item | Description |
|---|---|
| Subject matter | Provider's performance of the Services described in the Agreement (security testing of Customer's systems). |
| Duration | The term of the Agreement plus any retention period required by Section 9 below. |
| Nature and purpose | Processing Personal Data incidentally encountered during authorized security testing of Customer's systems, for the sole purpose of identifying and reporting security vulnerabilities to Customer. |
| Categories of data subjects | Customer's end users; Customer's employees and contractors. |
| Categories of Personal Data | Limited to data incidentally observed during testing: user identifiers, account metadata, session tokens, and any other Personal Data that may be present in the systems being tested. Provider does not intentionally collect or extract Personal Data. |
| Special categories | None intentionally processed. If special-category data (Article 9 GDPR) is incidentally observed, Provider applies additional safeguards and notifies Customer immediately. |
4. Provider obligations
Provider shall:
- process Personal Data only on documented instructions from Customer;
- ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations;
- implement appropriate technical and organizational measures as set forth in Annex A (Technical and Organizational Measures) to ensure a level of security appropriate to the risk;
- not engage any Sub-processor without Customer's prior consent (see Section 5);
- assist Customer, taking into account the nature of processing, with responding to data-subject requests, data protection impact assessments, and consultations with supervisory authorities;
- at Customer's choice, delete or return all Personal Data after the end of the provision of Services and delete existing copies (subject to the retention permitted in Section 9);
- make available to Customer all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer (subject to reasonable confidentiality, security, and frequency limits — see Section 7).
5. Sub-processors
Customer authorizes Provider to engage the Sub-processors listed in Annex B (Sub-processor List) as of the Effective Date. Provider may engage additional or replacement Sub-processors, provided Provider:
- maintains an up-to-date list of Sub-processors on its trust page (thecybergrid.com/trust);
- gives Customer at least fourteen (14) days' prior notice of any new or replacement Sub-processor (by email to Customer's designated contact);
- permits Customer to object on reasonable grounds related to data protection within that notice period; if Customer objects and the Parties cannot agree on a resolution, Customer may terminate the Agreement for the affected Services without penalty;
- imposes data protection obligations on Sub-processors no less protective than those in this DPA.
6. International data transfers
Where Personal Data of EU / EEA / UK data subjects is transferred to a third country that has not received an adequacy decision, the Parties agree that the EU Standard Contractual Clauses (Module 2: Controller-to-Processor; or Module 3: Processor-to-Processor, as applicable) and the UK International Data Transfer Addendum apply and are incorporated into this DPA by reference, with the Annexes populated by Annexes A and B of this DPA.
7. Audits
Customer may, no more than once per year (or more frequently if required by a supervisory authority or in connection with a material security incident), audit Provider's compliance with this DPA. Provider may satisfy the audit obligation by providing Customer with current third-party audit reports (e.g., SOC 2, ISO 27001) when available. Audits must be conducted during regular business hours, with reasonable advance notice, in a manner that does not unreasonably disrupt Provider's operations, and subject to Provider's confidentiality and security policies.
8. Personal Data breach notification
Provider shall notify Customer without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a Personal Data Breach affecting Customer's Personal Data. The notification shall include, to the extent then known: the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to mitigate.
9. Return or deletion
Upon termination of the Agreement, Provider shall, at Customer's choice, delete or return all Personal Data and delete existing copies within thirty (30) days, except to the extent applicable law requires retention. Provider may retain Personal Data necessary to demonstrate compliance with its legal obligations or in archived backups for a maximum of ninety (90) days post-termination, during which such data remains subject to the obligations of this DPA.
10. CCPA / CPRA provisions
To the extent Provider processes Personal Data subject to the CCPA / CPRA, Provider acts as a Service Provider as defined under those laws. Provider shall:
- not retain, use, or disclose Personal Information for any purpose other than the specific purpose of performing the Services or as otherwise permitted by the CCPA / CPRA;
- not sell or share Personal Information;
- not retain, use, or disclose Personal Information outside the direct business relationship between the Parties;
- not combine Personal Information received from or on behalf of Customer with Personal Information received from any other source, except as permitted under the CCPA / CPRA;
- certify that it understands and shall comply with these restrictions.
Annex A — Technical and Organizational Measures
Provider implements the following measures:
- Encryption. All Personal Data encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Access control. Role-based access control; principle of least privilege; mandatory MFA on all administrative accounts; quarterly access reviews.
- Authentication. Strong passwords; MFA required; magic-link tokens hashed (SHA-256) in storage.
- Logging. Audit logs of access to Personal Data; logs retained per applicable legal requirements.
- Network security. Production environment isolated; firewalled; ingress restricted to authorized origins.
- Personnel. All personnel with access to Personal Data bound by written confidentiality obligations; background checks where permitted by law.
- Sub-processor diligence. Sub-processors selected based on security posture and bound by contractual obligations no less protective than this DPA.
- Incident response. Documented incident response plan; 72-hour breach notification commitment.
- Backup & recovery. Encrypted backups; documented disaster recovery procedure.
- Secure development. Code review on production branch; secret management via environment stores (never in source).
Annex B — Sub-processor List
| Sub-processor | Purpose | Location |
|---|---|---|
| Netlify, Inc. | Application hosting, serverless functions, file storage (Netlify Blobs) | USA |
| Neon Inc. | PostgreSQL database hosting | USA |
| Fly.io, Inc. | Scan-worker compute | USA |
| Stripe, Inc. | Payment processing | USA |
| Resend (Resend, Inc.) | Transactional email delivery | USA |
| GitHub, Inc. | Source code repository (no customer data) | USA |
Up-to-date sub-processor list maintained at thecybergrid.com/trust. Customer notified at least fourteen (14) days before any change.
IN WITNESS WHEREOF, the Parties have executed this DPA as of the Effective Date.