Data Processing Agreement

Effective Date: December 17, 2024
Last Updated: December 17, 2024

When This Agreement Applies

This Data Processing Agreement ("DPA") applies when you use Kompot to process personal data of individuals located in the European Economic Area (EEA), United Kingdom, Switzerland, or other jurisdictions with similar data protection laws. This DPA supplements and is incorporated into our Terms of Service.

This DPA is entered into between PASV LLC ("Processor," "we," "us") and the entity agreeing to the Terms of Service ("Controller," "you," "Customer").

1. Definitions

  • "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, UK GDPR, and Swiss DPA.
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Processor on behalf of Controller.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
  • "Sub-processor" means any third party engaged by Processor to process Personal Data on behalf of Controller.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for international data transfers.

2. Scope and Roles

2.1 Roles

For the purposes of this DPA:

  • Controller: You determine the purposes and means of processing Personal Data that you submit to the Service.
  • Processor: We process Personal Data on your behalf according to your documented instructions.

2.2 Scope of Processing

This DPA applies to Personal Data that you submit to the Service, including:

  • Contact information (names, emails, phone numbers, addresses)
  • Communication content (SMS messages, notes, interaction history)
  • Business information (company names, job titles)
  • Any other Personal Data you choose to store in the Service

3. Processing Details

Annex I: Details of Processing

Subject Matter: Provision of CRM services as described in the Terms of Service
Duration: Duration of the Agreement plus data retention period
Nature and Purpose: Storage, retrieval, organization, and management of customer relationship data; enabling communications; analytics and reporting
Categories of Data Subjects: Your customers, leads, contacts, prospects, and other individuals whose data you submit to the Service
Categories of Personal Data: Contact details (names, emails, phone numbers, addresses), communication records, business information, notes, and any other data you submit
Special Categories: None intended. You should not submit sensitive personal data (health, biometric, religious, etc.) unless you have an appropriate legal basis

4. Processor Obligations

4.1 Processing Instructions

We will:

  • Process Personal Data only on your documented instructions
  • Inform you if we believe an instruction violates Data Protection Laws
  • Not process Personal Data for our own purposes except as required by law

4.2 Confidentiality

We will:

  • Ensure personnel processing Personal Data are bound by confidentiality obligations
  • Limit access to Personal Data to personnel who need it to provide the Service

4.3 Security Measures

We implement appropriate technical and organizational measures, including:

  • Encryption: TLS 1.2+ for data in transit, AES-256 for data at rest
  • Access Control: Role-based access, multi-factor authentication for our systems
  • Monitoring: Security monitoring, logging, and alerting
  • Availability: Regular backups, disaster recovery procedures
  • Testing: Regular security assessments and vulnerability testing
  • Personnel: Security training for employees

4.4 Sub-processors

You authorize us to engage Sub-processors to assist in providing the Service. We will:

  • Maintain a list of current Sub-processors (see Annex II below)
  • Notify you of any intended additions or replacements with at least 14 days' notice
  • Ensure Sub-processors are bound by data protection obligations at least as protective as this DPA
  • Remain liable for Sub-processor compliance

You may object to a new Sub-processor by notifying us within 14 days. If we cannot reasonably accommodate your objection, you may terminate the affected services.

4.5 Data Subject Rights

We will assist you in responding to Data Subject requests by:

  • Providing tools in the Service to access, correct, and delete data
  • Notifying you of requests we receive directly (unless prohibited by law)
  • Providing reasonable assistance for requests we cannot fulfill through the Service

4.6 Data Breach Notification

In the event of a Personal Data breach, we will:

  • Notify you without undue delay (within 72 hours where feasible)
  • Provide information about the nature of the breach, affected data, and remedial actions
  • Cooperate with your investigation and notification obligations
  • Document the breach and actions taken

4.7 Audit Rights

We will:

  • Make available information necessary to demonstrate compliance with this DPA
  • Allow for audits by you or an auditor you appoint (at your expense, with reasonable notice)
  • Provide relevant certifications and audit reports upon request

5. Controller Obligations

You represent and warrant that:

  • You have a lawful basis for processing Personal Data submitted to the Service
  • You have provided appropriate notices to Data Subjects
  • You have obtained necessary consents where required
  • Your processing instructions comply with Data Protection Laws
  • You will not submit special category data without appropriate safeguards

6. International Data Transfers

6.1 Transfer Mechanisms

Personal Data may be transferred to and processed in the United States and other countries. We rely on the following mechanisms for lawful transfers:

  • Standard Contractual Clauses: The EU SCCs (Commission Decision 2021/914) are incorporated into this DPA for transfers from the EEA
  • UK Addendum: The UK International Data Transfer Addendum applies for UK transfers
  • Swiss DPA: Appropriate safeguards for Swiss data transfers

6.2 Standard Contractual Clauses

For transfers subject to SCCs, the following applies:

  • Module: Module Two (Controller to Processor)
  • Clause 7: Docking clause applies
  • Clause 9: Option 2 (general authorization) with 14-day notice period
  • Clause 11: Optional clause does not apply
  • Clause 17: Governing law is Ireland
  • Clause 18: Disputes resolved by courts of Ireland

6.3 Supplementary Measures

We implement supplementary measures including:

  • Encryption of data in transit and at rest
  • Access controls and monitoring
  • Policies to handle government access requests
  • Transparency reporting where permitted

7. Data Retention and Deletion

7.1 During the Agreement

We will retain Personal Data for the duration of the Agreement and process it according to your instructions.

7.2 Upon Termination

Upon termination of the Agreement:

  • You may export your data using the Service's export features within 30 days
  • We will delete Personal Data within 90 days after termination
  • We may retain data as required by law, with appropriate safeguards
  • Upon request, we will certify deletion in writing

8. Liability

Each party's liability under this DPA is subject to the limitations in the Terms of Service. Nothing in this DPA limits either party's liability for:

  • Death or personal injury caused by negligence
  • Fraud or fraudulent misrepresentation
  • Any liability that cannot be limited by law

9. Term and Termination

This DPA takes effect when you agree to the Terms of Service and remains in effect until the Agreement terminates. Provisions that should survive termination will remain in effect.

10. Modifications

We may update this DPA to reflect changes in Data Protection Laws or our practices. Material changes will be notified via email or through the Service with at least 30 days' notice.

Annex II: Sub-processors

Current Sub-processors as of the effective date:

Sub-processor | Location | Purpose | Data Processed
MongoDB, Inc. | United States | Database hosting (MongoDB Atlas) | All Customer Data
Railway Corporation | United States | Application hosting | Application data, logs
Twilio Inc. | United States | SMS and voice services | Phone numbers, message content
Stripe, Inc. | United States | Payment processing | Billing information
OpenAI, L.L.C. | United States | AI features | Prompts and context submitted to AI features
Anthropic PBC | United States | AI features | Prompts and context submitted to AI features
Google LLC | United States | Authentication (OAuth), AI features | Authentication data, AI prompts

To receive notifications of Sub-processor changes, ensure your account has a current contact email address.

Annex III: Technical and Organizational Measures

1. Access Control

  • Role-based access control for all systems
  • Multi-factor authentication for administrative access
  • Regular access reviews and revocation procedures
  • Unique user credentials (no shared accounts)

2. Encryption

  • TLS 1.2 or higher for all data in transit
  • AES-256 encryption for data at rest
  • Encrypted backups
  • Secure key management

3. Network Security

  • Firewalls and network segmentation
  • DDoS protection
  • Intrusion detection and prevention
  • Regular vulnerability scanning

4. Application Security

  • Secure development practices
  • Input validation and sanitization
  • Protection against common vulnerabilities (OWASP Top 10)
  • Regular security testing

5. Physical Security

  • Data hosted in SOC 2 certified data centers
  • Physical access controls at data center facilities
  • Environmental controls (fire suppression, climate control)

6. Incident Response

  • Documented incident response procedures
  • 24/7 monitoring and alerting
  • Regular incident response testing
  • Post-incident review and improvement

7. Business Continuity

  • Regular automated backups
  • Geographically distributed backup storage
  • Documented disaster recovery procedures
  • Regular recovery testing

8. Personnel Security

  • Background checks for employees with data access
  • Confidentiality agreements
  • Security awareness training
  • Access revocation upon termination

Contact Information

For questions about this DPA or to exercise your rights, contact:

PASV LLC
Email: i@kompot.ai
Website: https://kompot.ai

By using Kompot, you acknowledge that you have read and agree to this Data Processing Agreement.