Data Processing Agreement
Last updated: June 19, 2025
This Data Processing Agreement ("DPA") is entered into on the date you have affirmatively accepted the terms ("Effective Date"), by and between you, the entity providing data ("Controller"), and CADI Technology, Inc, ("Processor"), a Delaware corporation.
This DPA is incorporated into and part of the Master SAAS and Service Agreement ("MSA") between the Controller and Processor. This DPA reflects the parties' rights and obligations with respect to Personal Data Processed as part of the Services (all as defined below). In the event of a conflict between the terms of this DPA and the MSA with respect to the subject matter herein, the terms of this DPA govern. Any prior data protection agreements between the Parties are superseded and replaced by this DPA in their entirety. All capitalized terms not defined in this DPA will have the meaning given to them in the MSA.
1. Definitions. For the purposes of this DPA, the following terms shall have the meanings specified below:
a. "Breach Event" means any incident where security is compromised, resulting in unintentional or illegal destruction, misplacement, modification, or unauthorized sharing or access to Personal Data that has been transmitted, stored, or otherwise processed.
b. "Data Privacy Laws" means all applicable laws and regulations relating to the processing, privacy, and/or use of Personal Data, as applicable to either party or the Services, including jurisdictional, industry-specific, or data-specific laws and regulations.
c. "Data Subject" refers to the identified or identifiable natural person whose Personal Data is processed.
d. "Personal Data" refers to any information that is tied to an identified or identifiable natural person (Data Subject) that is protected as personal data, personal information, or personally identifiable information under applicable Data Privacy Laws.
e. "Personnel" refers to the employees or other individuals who are in a contractual relationship with the Processor, including employees or other individuals who are in a contractual relationship with the Subprocessor.
f. "Processing" means actions performed by the Processor on the Personal Data whether by automated means or not, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
g. "Services" means any products or services provided by the Processor pursuant to the MSA.
h. "Subprocessor" or "Subcontractor" refers to any third party appointed by the Processor to assist in fulfilling its obligations in providing Services to the Controller.
2. Purpose. The purpose of this DPA is to define the conditions under which the Processor shall process Personal Data on behalf of the Controller.
3. Compliance with Laws. The Processor warrants that any Processing activities performed on behalf of the Controller will be conducted in accordance with all applicable Data Privacy Laws. The Processor must notify the Controller in writing if it is no longer able to meet its obligations under applicable Data Privacy Laws.
The Controller has sole responsibility for the quality and accuracy of the Personal Data and how it acquired such data. The Controller is also responsible for complying with transparency and consent requirements for the collection, use, and transfer of the Personal Data under applicable Data Privacy Laws.
4. Ownership of Data. All Personal Data processed by the Processor in performing the Services shall remain the property of the Controller unless explicitly set forth in the MSA.
5. Duration of Processing. Processing obligations under this DPA will begin on the date the MSA is executed and run until the end of the Processor's provision of Services to the Controller.
6. Types of Data. The Processor will process the categories of Personal Data provided by the Controller as set forth in Schedule 1.
7. Instructions for Processing. The Processor shall only process Personal Data in accordance with this DPA, including specific instructions set forth in Schedule 2 (if any), except where otherwise required by applicable law (and in such a case, shall inform the Controller of that legal requirement before processing, unless applicable law prevents it from doing so on important grounds of public interest). The Processor shall immediately inform the Controller if any instruction relating to the Personal Data infringes or may infringe any Data Privacy Laws.
8. Data Subject's Rights. The Processor shall promptly notify the Controller of any requests from a Data Subject to exercise their rights under applicable Data Privacy Laws and shall assist the Controller in responding to a Data Subject's request as provided in the processing instructions, Schedule 2.
9. International Transfers. The Processor shall not process and/or transfer, or otherwise directly or indirectly disclose, any Personal Data in or to any country or territory outside the United States or to any International Organization (as defined in GDPR regulations) without the prior written authorization of the Controller, except where required by applicable law.
10. Data Protection Impact Assessments. The Processor shall assist the Controller in performing data protection impact assessments. At the Controller's request, the Processor shall provide all available information necessary for the Controller to meet their data protection assessment obligations, including but not limited to information about data transmittal, data storage, methods of processing, encryption, and data destruction.
11. Confidentiality. Both Parties agree to maintain the confidentiality of Personal Data and not to disclose such data except as expressly permitted under the terms of this Agreement. The Processor shall ensure that all personnel authorized to process Personal Data are subject to binding confidentiality obligations.
12. Liability. The Parties agree to indemnify one another against any claims, including but not limited to damages and fines, arising out of their respective breaches of this Agreement. Each Party's liability is limited to the amount of damages directly caused by its breach of this DPA and may be further limited as set forth in the MSA.
13. Data Security. The Processor shall, at all times, implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to the risk to protect the Personal Data against accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access.
14. Breach Notification. The Processor shall promptly notify the Controller of a Breach Event involving the Controller's data.
15. Limitations on Use. The Processor shall not use or authorize the use of the Personal Data for any purpose other than performing its obligations under the MSA.
16. Subcontractor Requirements. The Processor may engage a Subcontractor (alternatively referred to herein as Subprocessor) to process Personal Data only with the Controller's prior written consent (which shall not be unreasonably delayed or withheld) and under a written contract. The Subcontractor must agree in writing to uphold all the Processor's obligations under the DPA.
The Processor shall ensure that any Subcontractors it engages comply with all Data Privacy Laws in connection with the processing of Personal Data and the provision of the Services.
17. Destruction or Return of Data. The Processor agrees to, at the Controller's choice, securely delete or return the Personal Data within 30 days upon the Controller's request at any time during the MSA term or upon termination or expiration of the MSA except to the extent that storage of any such data is required by applicable law.
18. Audits and Compliance. The Processor shall permit the Controller, or an independent auditor appointed by the Controller, to conduct audits or inspections with reasonable notice during regular business hours to ensure compliance with the terms of this DPA, and applicable Data Privacy Laws. The scope of the audit shall be limited by the Parties to the systems, procedures, and documentation relevant to the processing of Personal Data. The Processor agrees to provide the Controller with all necessary cooperation, access, and support to conduct such audits. The Parties shall consider the findings of any such audit confidential information subject to the terms of this agreement.
19. Recordkeeping Obligations. The Processor shall maintain complete, accurate, and up to date written records of all categories of processing activities carried out on behalf of the Controller and ensure such records shall include all information:
• Necessary to demonstrate its compliance with this DPA; and,
• That each party is required to record and/or maintain under the applicable Data Privacy Laws.
The Processor shall make copies of such records available to the Controller promptly (and in any event within thirty days) on request from time to time.