Data Processing Addendum
Terms governing DirectiveOps's processing of personal data on behalf of the Customer under applicable data protection law.
Last updated: 2026-03-14
1. Scope
This Data Processing Addendum ("DPA") applies when DirectiveOps ("Processor") processes personal data on behalf of the Customer ("Controller") in connection with the DirectiveOps hosted service, and where applicable data protection law (e.g., GDPR, UK GDPR, CCPA) requires a contract governing such processing. It is incorporated by reference where the Customer has accepted the Terms of Service and the Service involves processing of personal data.
2. Roles and instructions
The Customer is the Controller (or Processor acting on behalf of a Controller); DirectiveOps is the Processor. We process personal data only on documented instructions from the Customer (including as set out in the Terms and this DPA), unless required by law. We will inform the Customer if we believe an instruction infringes applicable data protection law.
3. Security and confidentiality
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as described in our Security Policy. We ensure that persons authorized to process personal data are bound by confidentiality obligations.
4. Subprocessors
We may engage subprocessors to process personal data. We maintain a Subprocessor List and will provide notice of changes where required by law or our commitments. We impose data protection terms on subprocessors that are substantially equivalent to this DPA. The Customer may object to the appointment or replacement of a subprocessor on reasonable grounds relating to data protection by notifying us in writing within thirty (30) days of our notice. If we cannot reasonably address the objection (e.g., by using a different subprocessor or implementing additional safeguards), the Customer may terminate the affected part of the Service or the entire subscription without penalty by giving written notice; we will refund any prepaid fees for the remainder of the term for the terminated portion.
4.1 International transfers
Where personal data is transferred to a country outside the EEA, UK, or other jurisdiction that has been deemed to provide an adequate level of protection, we implement appropriate transfer mechanisms. For transfers from the EEA, we use the European Commission's Standard Contractual Clauses (SCCs) (Module Two: Controller to Processor, or Module Three: Processor to Processor, as applicable). For transfers from the UK, we use the UK International Data Transfer Agreement and UK Addendum to the SCCs where applicable. We will make the executed transfer mechanism available to the Customer upon request and will comply with any supplementary measures required by the relevant supervisory authority. If transfer mechanisms are invalidated or modified by law, we will implement alternative safeguards in good faith.
5. Assistance and rights
We assist the Customer in responding to data subject requests and in ensuring compliance with obligations regarding security, breach notification, and data protection impact assessments, to the extent necessary and taking into account the nature of processing and information available to us. We will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data and will provide information reasonably required for the Customer to meet its breach notification obligations. We will not notify data subjects or regulators on the Customer's behalf unless agreed in writing or required by law.
6. Return and deletion
Upon termination of the Service or upon the Customer's request, we will return or delete personal data in our possession, unless we are required to retain it by law. Deletion will be completed within thirty (30) days of the end of the retention period or termination, unless a longer period is required by law or the Customer requests an earlier timeline and we can reasonably comply. At the Customer's request we will provide written confirmation of deletion. We may retain anonymized or aggregated data that no longer identifies the Customer or data subjects.
7. Audit
We will make available to the Customer information necessary to demonstrate compliance with this DPA, including summaries of our security measures and, where applicable, third-party audit reports (e.g., SOC 2) under confidentiality. The Customer may request an audit no more than once per year, upon at least thirty (30) days' written notice, during business hours, and in a manner that does not unreasonably interfere with our operations. Audits may be conducted by the Customer or a qualified third party bound by confidentiality. If the Customer's audit reveals material non-compliance, we will take reasonable steps to remediate. The Customer will bear the cost of the audit unless the audit reveals material non-compliance by us, in which case we will reimburse reasonable audit costs. Alternatively, we may satisfy the audit obligation by providing a then-current SOC 2 Type II or equivalent report if it covers the scope of the Service and processing.
8. Contact
For data protection inquiries: privacy@directiveops.dev. See the Contact and Legal Notice document for our address.