
Data Processing Addendum
Last updated April 1, 2025
This document is provided for informational purposes. Please review with qualified legal counsel before relying on it for legal compliance.
1. Definitions
Data Controller: The natural or legal person which determines the purposes and means of processing personal data.
Data Processor: The natural or legal person which processes personal data on behalf of the controller.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing: Any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, or deletion.
2. Scope and Purpose
The Controller appoints the Processor to process personal data as specified in the applicable Statement of Work, Data Processing Addendum, or service agreement. The Processor shall process personal data only on documented instructions from the Controller and for no other purpose.
3. Subject Matter and Duration
Subject Matter: The Processor shall process personal data relating to the Controller's customers, employees, and other data subjects as specified in the service documentation.
Duration: This DPA shall remain in effect for the duration of the underlying service agreement and shall continue until all personal data is deleted or returned.
4. Nature and Purpose of Processing
The Processor shall process personal data for the following purposes:
- Providing the contracted services as specified in the agreement
- Maintaining and improving the security and functionality of systems
- Complying with legal and regulatory obligations
- Preventing fraud and ensuring platform integrity
- Aggregated analytics and service improvement (anonymized)
5. Categories of Data Subjects
Personal data may relate to the following categories of data subjects:
- Customers and end-users of the Controller
- Employees and contractors of the Controller
- Partners and vendor representatives
- Website visitors and inquiries
6. Categories of Personal Data
The Processor shall process only the following categories of personal data as specified by the Controller:
- Identification data (name, email, phone)
- Professional information (title, department, company)
- Authentication credentials and access logs
- Usage and activity data
- Communication records
- Uploaded documents and files
7. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller
- Ensure persons authorized to process personal data are bound by confidentiality
- Implement technical and organizational security measures as detailed below
- Ensure sub-processors are bound by equivalent data protection obligations
- Assist the Controller with data subject rights requests
- Make available information necessary to demonstrate compliance
- Delete or return personal data upon termination of the agreement
- Undergo regular audits and certifications for compliance
8. Security Measures
The Processor implements appropriate technical and organizational security measures:
- Encryption: AES-256 encryption at rest, TLS 1.3 in transit
- Access Controls: Role-based access control (RBAC) with multi-factor authentication
- Audit Logging: Comprehensive logging of all access and modifications
- Network Security: Firewalls, intrusion detection, DDoS protection
- Employee Training: Regular data protection and security training
- Physical Security: Secure data centers with access controls and monitoring
- Incident Response: Documented procedures for data breach notification
- Vulnerability Management: Regular testing and patching procedures
9. Sub-Processors
The Processor may engage sub-processors for hosting, analytics, and support services. A current list of approved sub-processors is maintained at macneilagents.ai/subprocessors. The Processor shall provide at least 30 days' notice of any changes to the sub-processor list and shall obtain equivalent data protection commitments.
10. Data Subject Rights
The Processor shall assist the Controller in fulfilling data subject rights requests including:
- Right of access to personal data
- Right to rectification of inaccurate data
- Right to erasure (right to be forgotten)
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Rights related to automated decision-making and profiling
11. Data Transfers
Any transfers of personal data outside the European Economic Area shall be governed by appropriate legal mechanisms including Standard Contractual Clauses, Binding Corporate Rules, or adequacy decisions. The Processor shall ensure compliance with all transfer restriction rules.
12. Data Breach Notification
The Processor shall notify the Controller without undue delay and in no event later than 48 hours after becoming aware of a personal data breach. Notification shall include the nature of the breach, the categories and approximate number of affected individuals, and recommended mitigation measures.
13. Audits and Inspections
The Processor shall make available all information necessary to demonstrate compliance with this DPA and allow for audits and inspections by the Controller or authorized auditors. The Processor maintains SOC 2 Type II certification and provides annual audit reports.
14. Deletion and Return of Data
Upon termination of the service agreement, the Processor shall, at the Controller's choice, delete or return all personal data and existing copies. Exceptions apply only where legal obligations require retention of the data.
15. Contact Information
Data Controller Representative: Controller designates a contact person as specified in the service agreement.
Data Processor Representative: Macneill Mart Private Limited, Legal Department
Email: [email protected]