Data Processing Agreement
About This Agreement: This Data Processing Agreement ("DPA") supplements the S2T Consulting Terms of Service and governs the processing of personal data by S2T Consulting LLC ("Processor") on behalf of customers ("Controller"). This DPA incorporates the Standard Contractual Clauses as approved by the European Commission Decision 2021/914.
1. Definitions
In this DPA, the following terms have the meanings set forth below. Terms not defined herein shall have the meanings assigned in the GDPR, CCPA, or applicable data protection law.
1.1 "Controller"
The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In this DPA, Controller refers to the Customer.
1.2 "Processor"
The natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller. In this DPA, Processor refers to S2T Consulting LLC.
1.3 "Personal Data"
Any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity.
1.4 "Processing"
Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
1.5 "Data Subject"
An identified or identifiable natural person whose personal data is processed.
1.6 "Subprocessor"
Any processor engaged by S2T Consulting to process personal data on behalf of the Controller.
1.7 "Personal Data Breach"
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
1.8 "Standard Contractual Clauses" or "SCCs"
The standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Decision 2021/914.
2. Scope of Processing
2.1 Subject Matter and Duration
This DPA applies when S2T Consulting processes personal data on behalf of Controller in the course of providing services under the applicable service agreement. The duration of processing corresponds to the term of the underlying service agreement.
2.2 Nature and Purpose of Processing
The nature and purpose of processing are determined by the services engaged, which may include:
- Business intelligence and assessment services
- AI-powered consulting automation
- Platform access and user authentication
- Customer support and communications
- Analytics and service improvement
2.3 Categories of Data Subjects
Data subjects may include:
- Controller's employees and contractors
- Controller's customers and end users
- Controller's business contacts
- Other individuals whose data is processed through the services
2.4 Types of Personal Data
Personal data processed may include:
- Contact information (name, email, phone, address)
- Professional information (title, employer, department)
- Account credentials and authentication data
- Usage data and interaction logs
- Communications content
- Any other data provided by Controller through the services
2.5 Data Locality Architecture
Important: S2T's platform operates on a "methodology-as-a-service" model with data locality. This means:
- Customer data typically remains in the Customer's environment
- S2T provides assessment frameworks and AI orchestration logic
- S2T does not typically access or store customer operational data
- When personal data is processed, it is limited to service delivery requirements
3. Controller Responsibilities
As the Controller, Customer is responsible for:
- Ensuring a lawful basis exists for processing personal data under applicable law
- Providing required notices and obtaining necessary consents from data subjects
- Responding to data subject requests (with S2T's assistance as needed)
- Ensuring accuracy and completeness of personal data provided
- Implementing appropriate security measures in their environment
- Documenting processing activities as required by law
- Conducting data protection impact assessments where required
- Notifying supervisory authorities of breaches where required
4. Processor Obligations
As the Processor, S2T Consulting agrees to:
4.1 Lawful Processing
- Process personal data only on documented instructions from the Controller, unless required by applicable law
- Inform the Controller if any instruction infringes applicable data protection law
- Not process personal data for purposes other than those specified in this DPA
4.2 Confidentiality
- Ensure that personnel authorized to process personal data are subject to confidentiality obligations
- Limit access to personal data to personnel who require access to perform their duties
- Maintain written records of authorized personnel
4.3 Security
- Implement appropriate technical and organizational security measures as detailed in Section 6
- Regularly test, assess, and evaluate the effectiveness of security measures
4.4 Assistance
- Assist the Controller in responding to data subject requests
- Assist the Controller with data protection impact assessments when required
- Assist the Controller in ensuring compliance with security, breach notification, and DPIA obligations
4.5 Data Retention
- Delete or return personal data upon termination of services, as instructed by Controller
- Delete existing copies unless retention is required by applicable law
- Certify deletion upon Controller's request
4.6 Demonstration of Compliance
- Make available information necessary to demonstrate compliance with this DPA
- Allow for and contribute to audits and inspections as described in Section 11
5. Data Subject Rights
S2T will assist Controller in responding to requests from data subjects to exercise their rights under applicable data protection laws. These rights may include:
5.1 GDPR Rights (EU/EEA Data Subjects)
- Right of Access (Article 15): Right to obtain confirmation and copies of personal data
- Right to Rectification (Article 16): Right to correct inaccurate personal data
- Right to Erasure (Article 17): Right to deletion ("right to be forgotten")
- Right to Restriction (Article 18): Right to limit processing
- Right to Data Portability (Article 20): Right to receive data in portable format
- Right to Object (Article 21): Right to object to processing
- Automated Decision-Making (Article 22): Rights related to automated processing
5.2 CCPA Rights (California Residents)
- Right to Know: Right to know what personal information is collected, used, shared, or sold
- Right to Delete: Right to request deletion of personal information
- Right to Opt-Out: Right to opt out of the sale of personal information
- Right to Non-Discrimination: Right not to be discriminated against for exercising rights
- Right to Correct: Right to correct inaccurate personal information
- Right to Limit: Right to limit use of sensitive personal information
5.3 Response Timeframes
S2T will respond to Controller's requests for assistance with data subject requests within:
- 5 business days for straightforward requests
- 15 business days for complex requests requiring technical effort
6. Security Measures
S2T implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
6.1 Encryption
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256 or equivalent
- Key management following industry best practices
6.2 Access Controls
- Role-based access control (RBAC)
- Multi-factor authentication for system access
- Principle of least privilege
- Regular access reviews and recertification
6.3 Infrastructure Security
- AWS cloud infrastructure with SOC 2 Type II certification
- Network segmentation and firewalls
- Intrusion detection and prevention systems
- DDoS protection
6.4 Monitoring and Logging
- Continuous security monitoring
- Audit logging of access and changes
- Log retention for security analysis
- Alerting for anomalous activities
6.5 Personnel Security
- Background checks for personnel with data access
- Security awareness training
- Confidentiality agreements
- Documented onboarding and offboarding procedures
6.6 Business Continuity
- Regular data backups
- Disaster recovery procedures
- Incident response plan
- Regular testing of recovery procedures
7. Subprocessor Requirements
7.1 Authorization
Controller authorizes S2T to engage subprocessors for the processing of personal data. The current list of subprocessors is maintained at /legal/subprocessors.html.
7.2 Subprocessor Obligations
S2T will:
- Impose data protection obligations on subprocessors substantially similar to those in this DPA
- Ensure subprocessors provide sufficient guarantees of appropriate security measures
- Enter into written agreements with all subprocessors
- Remain fully liable for subprocessor compliance
7.3 New Subprocessors
S2T will:
- Maintain an up-to-date list of subprocessors on the subprocessors page
- Provide notice of new subprocessors through updates to the subprocessors page
- Allow Controller to object to new subprocessors within 30 days of notice
- Work with Controller to address reasonable objections
8. Data Breach Notification
72-Hour Notification Commitment: S2T will notify Controller of any personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
8.1 Notification Content
Breach notifications will include, to the extent known:
- Description of the nature of the breach
- Categories and approximate number of data subjects affected
- Categories and approximate number of records affected
- Name and contact details of the data protection officer or relevant contact
- Description of likely consequences of the breach
- Description of measures taken or proposed to address the breach
8.2 Cooperation
S2T will:
- Cooperate with Controller in investigating and remediating the breach
- Take reasonable steps to mitigate the effects of the breach
- Preserve evidence related to the breach
- Assist Controller in meeting its breach notification obligations to supervisory authorities and data subjects
9. International Data Transfers
9.1 Primary Processing Location
S2T primarily processes data within the United States, specifically in the AWS us-east-1 (Virginia) region.
9.2 Transfer Mechanisms
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States or other third countries, S2T relies on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- UK International Data Transfer Agreement (IDTA) or Addendum where applicable
- Swiss-specific safeguards as required
- Additional safeguards as required by applicable law
9.3 Transfer Impact Assessment
S2T has conducted a transfer impact assessment and determined that U.S. law does not prevent S2T from fulfilling its obligations under the SCCs. S2T will:
- Re-assess transfers when there are material changes in law or practice
- Notify Controller if it can no longer comply with the SCCs
- Implement supplementary measures as necessary
10. Standard Contractual Clauses Reference
10.1 Incorporation
The Standard Contractual Clauses for the transfer of personal data to third countries (Module Two: Controller to Processor) as adopted by European Commission Decision 2021/914 are hereby incorporated by reference.
10.2 Clause Specifications
- Clause 7 (Docking Clause): Included
- Clause 9(a) (Prior Authorization): Option 2 selected - General written authorization with notification of changes
- Clause 11 (Redress): Optional clause not included
- Clause 17 (Governing Law): Laws of Ireland
- Clause 18 (Choice of Forum): Courts of Ireland
10.3 UK and Swiss Transfers
For transfers from the UK or Switzerland:
- UK: The UK Addendum to the EU SCCs applies
- Switzerland: SCCs as approved by the Swiss Federal Data Protection Authority apply
10.4 Execution
Upon request, S2T will execute the Standard Contractual Clauses with Controller as a standalone document.
11. Audit Rights
11.1 Information Access
S2T will make available to Controller information necessary to demonstrate compliance with this DPA, including:
- Documentation of security measures
- Results of security assessments or certifications
- Subprocessor agreements (with confidential terms redacted)
11.2 Audit Procedures
Upon reasonable request and subject to confidentiality obligations:
- S2T will permit Controller to conduct audits or inspections
- Audits will be conducted during normal business hours
- Controller will provide at least 30 days' advance notice
- Audits will not unreasonably interfere with S2T's operations
- Controller may designate a qualified third party to conduct the audit
11.3 Audit Costs
- Controller is responsible for audit costs
- S2T is responsible for costs if the audit reveals material non-compliance
- S2T may charge reasonable fees for time spent assisting with audits beyond documentation review
11.4 Third-Party Certifications
S2T may satisfy audit requests by providing:
- SOC 2 Type II reports
- ISO 27001 certification (if applicable)
- Third-party penetration test summaries
- Other industry-standard security certifications
12. Duration and Termination
12.1 Term
This DPA remains in effect for the duration of S2T's processing of personal data on behalf of Controller.
12.2 Effect of Termination
Upon termination of the service agreement:
- S2T will delete or return all personal data as instructed by Controller
- Deletion will be completed within 90 days of termination
- S2T will certify deletion upon Controller's request
12.3 Retention Exceptions
S2T may retain personal data after termination:
- As required by applicable law
- For establishment, exercise, or defense of legal claims
- In anonymized or aggregated form that does not identify individuals
Any retained data will continue to be protected in accordance with this DPA.
13. Liability
13.1 Allocation
Each party's liability under this DPA is subject to the limitations of liability in the underlying service agreement.
13.2 Indemnification
Each party will indemnify the other for losses arising from the indemnifying party's breach of this DPA or applicable data protection law.
13.3 Regulatory Fines
To the extent permitted by law, each party will be responsible for fines or penalties imposed on it by regulatory authorities for its own violations of data protection law.
14. Contact Information
For questions about this DPA, data protection matters, or to exercise data subject rights:
S2T Consulting LLC
Data Protection Contact
Email: privacy@s2tconsulting.com
Website: www.s2tconsulting.com