Data Processing Agreement

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the agreement between CPAM Inc. ("Processor") and the customer entity ("Controller") who has agreed to the CPAM Terms of Service. It governs the processing of personal data by CPAM on behalf of the Controller in connection with the CPAM service.

This DPA applies where the Controller is subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, or other applicable data protection laws that require a data processing agreement.

2. Definitions

• "Controller" means the customer who determines the purposes and means of processing personal data.
• "Processor" means CPAM Inc., which processes personal data on behalf of the Controller.
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" has the meaning given in the GDPR.
• "Data Subject" means the natural person to whom Personal Data relates.
• "Sub-processor" means any third party engaged by CPAM to process Personal Data.
• "Standard Contractual Clauses" means the clauses adopted by the European Commission under Decision 2021/914/EU.

3. Subject Matter, Duration, and Nature of Processing

Subject Matter

CPAM processes Personal Data to provide the contract price adjustment management service as described in the Terms of Service.

Duration

CPAM processes Personal Data for the duration of the customer's subscription and for 90 days following termination (to allow data export), after which it is deleted or anonymised.

Nature

Storage, retrieval, transmission, display, and deletion of data as directed by the Controller.

4. Types of Personal Data Processed

Categories of Personal Data

Name, work email address, job title, IP addresses, authentication logs, and any personal data the Controller chooses to include in contract, formula, or index series records.

Categories of Data Subjects

The Controller's employees, team members, and any individuals whose data the Controller uploads to the service.

5. Obligations of CPAM as Processor

CPAM shall:

• Process Personal Data only on documented instructions from the Controller (the Terms of Service and this DPA constitute such instructions)
• Ensure that persons authorised to process Personal Data are bound by confidentiality obligations
• Implement appropriate technical and organisational security measures (see Section 8)
• Assist the Controller in fulfilling its obligations to respond to Data Subject requests
• Notify the Controller without undue delay (and within 72 hours) of becoming aware of a Personal Data breach
• Delete or return all Personal Data at the Controller's request following termination
• Make available all information necessary to demonstrate compliance with this DPA
• Not engage Sub-processors without prior written authorisation from the Controller (general authorisation is deemed given by acceptance of this DPA for the sub-processors listed in Section 6)
• Not transfer Personal Data to third countries except as permitted under Section 9

6. Sub-processors

The Controller provides general authorisation for CPAM to engage the following Sub-processors:

CPAM will provide 30 days' written notice before adding new Sub-processors. If the Controller objects to a new Sub-processor, either party may terminate the affected services without penalty.

7. Data Subject Rights

CPAM will assist the Controller in responding to Data Subject requests to the extent technically feasible. Specifically:

• Data export: the Controller may export all data via the application or API at any time
• Account deletion: CPAM provides a self-service account deletion flow
• Correction: data within the service may be edited directly by the Controller

Requests that require CPAM engineering effort beyond the standard tooling will be handled within 30 days and may be subject to reasonable fees if the effort is material.

8. Security Measures

CPAM maintains the following technical and organisational measures:

• Encryption at rest: AES-256 for all database storage
• Encryption in transit: TLS 1.3 minimum for all data transmission
• Access controls: Role-based access control (RBAC), principle of least privilege, multi-factor authentication for all CPAM staff
• Key management: API credentials stored using envelope encryption with per-tenant keys
• Audit logging: Comprehensive logs of all data access, modification, and deletion events
• Vulnerability management: Regular dependency audits, automated security scanning in CI/CD
• Incident response: Documented incident response plan; breach notification within 72 hours
• Penetration testing: Annual third-party security review

9. International Data Transfers

Where Personal Data is transferred from the EEA or UK to a third country, CPAM relies on:

• Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by the European Commission in Decision 2021/914/EU for EEA transfers
• UK International Data Transfer Agreements (IDTA) for UK transfers

Customers who require data residency within the EEA or UK may contact legal@cpam.app to discuss Enterprise plan options.

10. Audit Rights

The Controller may audit CPAM's compliance with this DPA by: (a) requesting written documentation of security measures and certifications; (b) submitting a written audit request with 30 days' notice. Audits must be conducted during business hours, must not disrupt CPAM operations, and are limited to once per calendar year unless a breach has occurred.

CPAM may satisfy audit obligations by providing a current third-party security report (SOC 2 Type II or equivalent) in lieu of an on-site audit.

11. Return and Deletion of Data

Upon termination of the subscription, the Controller may export all data via the application or API within 90 days. After 90 days, CPAM will delete all Controller Personal Data from production systems.

Backups containing Personal Data will be purged within 180 days of termination. CPAM will provide written confirmation of deletion upon request.

12. Governing Law

This DPA is governed by the law of the State of Delaware, United States, except that provisions implementing the GDPR Standard Contractual Clauses are governed by the law of the applicable EU Member State.