Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", "Data Controller") and DueVault.ai ("Processor", "we", "us") and governs the processing of personal data in accordance with GDPR, CCPA, and other applicable data protection laws.

• Personal Data: Any information relating to an identified or identifiable natural person
• Processing: Any operation performed on personal data
• Data Subject: The individual to whom personal data relates
• Sub-processor: Third parties engaged by DueVault.ai to process personal data
• Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data

Subject Matter: Security questionnaire automation and compliance management services

Duration: For the term of the service agreement

Nature and Purpose:

• Processing and indexing knowledge base documents
• AI-powered questionnaire answer generation
• Compliance management and evidence generation
• Vendor management and questionnaire tracking

Types of Personal Data:

• Account information (name, email, company)
• Knowledge base documents (uploaded by customer)
• Questionnaire data (questions, answers, metadata)
• Audit trail data (user actions, timestamps, signatures)

Categories of Data Subjects:

• Customer employees and contractors
• Customer's end users (metadata only)

DueVault.ai shall:

• Process personal data only on documented instructions from the Customer
• Ensure that persons authorized to process personal data are bound by confidentiality
• Implement appropriate technical and organizational measures to ensure security
• Engage sub-processors only with prior written authorization
• Assist the Customer in responding to data subject requests
• Assist the Customer in ensuring compliance with GDPR obligations
• Delete or return all personal data upon termination of services
• Make available all information necessary to demonstrate compliance

Technical Measures:

• Encryption in transit (TLS 1.3)
• Encryption at rest (AES-256)
• Encrypted backups with automatic rotation
• Secure API key storage with encryption
• Regular security updates and patches

Organizational Measures:

• Role-based access control (RBAC)
• Multi-factor authentication (MFA)
• Background checks for employees with data access
• Regular security training
• Incident response procedures
• Annual security audits

The Customer authorizes DueVault.ai to engage the following sub-processors:

DueVault.ai will notify the Customer of any intended changes concerning the addition or replacement of sub-processors, giving the Customer the opportunity to object to such changes within 30 days.

DueVault.ai will assist the Customer in fulfilling data subject requests, including:

• Right of Access: Provide copies of personal data
• Right to Rectification: Correct inaccurate data
• Right to Erasure: Delete personal data ("right to be forgotten")
• Right to Restriction: Limit processing of personal data
• Right to Data Portability: Export data in machine-readable format
• Right to Object: Object to certain processing activities

Requests should be sent to: bd@dtrasglobal.com

In the event of a data breach, DueVault.ai will:

• Notify the Customer without undue delay and within 72 hours of becoming aware
• Provide details of the nature of the breach
• Describe the likely consequences
• Describe measures taken or proposed to address the breach
• Provide contact information for further inquiries

Notification will be sent to the Customer's registered email address and dashboard notification.

Personal data may be transferred to and processed in countries outside the European Economic Area (EEA). DueVault.ai ensures adequate protection through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Binding Corporate Rules where appropriate

Retention Periods:

• Usage metadata: 90 days (default), up to 2 years (Enterprise)
• Audit logs: 7 years (compliance requirements)
• Account data: Until account deletion + 30 days for backups
• Billing records: 7 years (tax requirements)

Deletion:

Upon termination or expiration of services, DueVault.ai will delete or return all personal data within 30 days, unless longer retention is required by law.

The Customer has the right to audit DueVault.ai's compliance with this DPA, subject to:

• Reasonable advance notice (minimum 30 days)
• Execution of a confidentiality agreement
• Audits conducted no more than once per year (unless required by law or following a breach)
• Audits conducted during business hours
• Customer bears the cost of audits

DueVault.ai may provide SOC 2 Type II reports in lieu of on-site audits.

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service.

DueVault.ai will indemnify the Customer against claims arising from DueVault.ai's breach of this DPA, subject to the Customer:

• Promptly notifying DueVault.ai of the claim
• Giving DueVault.ai sole control of the defense and settlement
• Providing reasonable assistance

This DPA remains in effect for the duration of the service agreement. Upon termination:

• DueVault.ai will cease all processing of personal data
• Personal data will be deleted or returned within 30 days
• Certification of deletion will be provided upon request
• Obligations regarding confidentiality and security survive termination

For DPA-related inquiries:

• Email: bd@dtrasglobal.com
• Data Protection Officer: bd@dtrasglobal.com
• Legal: bd@dtrasglobal.com