Data Processing Agreement (DPA)

Effective date: the date the Client signs the associated Order Form • System Binaries LLC (Texas)
Section 1

Purpose & Scope

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement ("MSA") between System Binaries LLC ("Provider") and the customer identified in the applicable Order ("Client"). It governs Provider’s processing of personal data on behalf of Client in connection with the services. The DPA is designed to meet common legal frameworks including GDPR principles and U.S. state privacy laws. If Client operates in regulated sectors (e.g., healthcare or financial services), the parties may execute supplemental terms such as a Business Associate Agreement (BAA) where required by law.

Section 2

Definitions

"Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on Personal Data. "Controller" determines the purposes and means of Processing; "Processor" processes on behalf of the Controller. Capitalized terms not defined here have the meanings in the MSA.

Section 3

Roles of the Parties

  • For Client-owned systems and datasets, Client is the Controller and Provider acts as Processor.
  • For services where Provider determines limited means of processing (e.g., managed security analytics platform), Provider may act as a Subprocessor to Client’s primary vendors.
  • Each party will comply with applicable data protection laws in its respective role.

Section 4

Processing Instructions

  • Provider shall process Personal Data only on documented instructions from Client, including with respect to international transfers, unless required by law.
  • Provider will notify Client if an instruction appears to violate applicable law.
  • Processing purposes, categories of data, and data subjects are described in Annex A.

Section 5

Security Measures

Provider shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage, as described in Annex B. Measures include access controls, encryption in transit, regular patching, endpoint protection, secure backups, logging and monitoring, least‑privilege principles, and employee confidentiality obligations.

Section 6

Incident Response

  • Provider will notify Client of a confirmed Personal Data Breach without undue delay and, where feasible, within 72 hours after becoming aware.
  • The notice will include the nature of the breach, likely consequences, and measures taken or proposed to address it.
  • Provider will reasonably cooperate with Client’s investigation, remediation, and notification obligations.

Section 7

Subprocessors

  • Client authorizes Provider to engage Subprocessors listed in Annex C and others used generally for the Services, provided Provider imposes data protection obligations substantially similar to this DPA.
  • Provider will maintain a public or client‑accessible list of Subprocessors and will notify Client of material changes. Client may object on reasonable grounds related to data protection.

Section 8

Data Subject Rights

  • Taking into account the nature of processing, Provider will assist Client by appropriate technical and organizational measures in fulfilling requests to exercise rights of data subjects (access, rectification, deletion, portability, restriction, objection).
  • If Provider receives a request directly, Provider will promptly forward it to Client and will not respond unless authorized.

Section 9

International Transfers

Personal Data may be transferred and processed in countries where Provider or its Subprocessors maintain operations. Provider will ensure such transfers comply with applicable laws (e.g., use of Standard Contractual Clauses where required).

Section 10

Audit & Compliance

  • Upon reasonable written request, Provider will make available information necessary to demonstrate compliance with this DPA (e.g., policies, summaries of controls, third‑party attestations where available).
  • Client may conduct or mandate an audit, no more than annually, with 30 days’ notice, during normal business hours, and in a manner that does not unreasonably interfere with Provider’s operations. Remote audits are preferred. Audits are limited to systems processing Client data and exclude other customers’ data.

Section 11

Return & Deletion

  • Upon termination or upon Client request, Provider will, at Client’s choice, return or securely delete Personal Data, unless retention is required by law or for legitimate business purposes such as billing records.
  • Backups containing Personal Data will be overwritten according to standard retention cycles.

Section 12

Term & Termination

This DPA remains in effect for the duration of the MSA and any Order under which Provider processes Personal Data. Provisions that by their nature should survive termination shall survive (e.g., confidentiality, return/deletion).

Section 13

Miscellaneous

  • Confidentiality. Provider ensures personnel with access to Personal Data are bound by confidentiality obligations.
  • Liability. The limitations and exclusions of liability in the MSA apply to this DPA.
  • Conflicts. If there is a conflict between this DPA and the MSA, this DPA controls with respect to data protection.
  • Not legal advice. This DPA is provided for operational compliance; Client should consult counsel regarding specific regulatory requirements (e.g., HIPAA/GLBA/PCI).

Annex A

Processing Details

Subject Matter: Managed IT and security services, including helpdesk, monitoring, backups, identity and email administration, and security operations.

Duration: For the term of the MSA and any active Orders, plus standard backup retention periods.

Nature & Purpose: Providing, maintaining, securing, and supporting Client’s IT systems.

Types of Personal Data: Business contact data (names, emails, phone numbers), device/user identifiers, authentication/telemetry logs, ticket contents, backup data from Client systems (which may contain documents, emails, images). Client should avoid providing special category data unless necessary and agreed.

Categories of Data Subjects: Client employees, contractors, and end‑users; in limited cases, Client customers whose data is stored in Client systems.

Processing Operations: Collection, storage, access, transmission, backup, monitoring, troubleshooting, and deletion according to Client instructions.

Annex B

Technical & Organizational Measures (TOMs)

  • Access Control: Role‑based access, MFA for administrative access, least privilege, timely removal of access.
  • Asset Security: Endpoint protection (EDR/AV), disk encryption where supported, secure configuration baselines, patch management cadence.
  • Data Protection: Encryption in transit (TLS); encryption at rest where supported by platform; data minimization and retention controls; separate customer data logically.
  • Backup & DR: Regular backups with integrity checks; offsite storage; tested restoration procedures.
  • Monitoring & Logging: Centralized logging for security‑relevant events; alerting for suspicious activity; time synchronization.
  • Secure Development & Change: Change management for production changes; maintenance windows; peer review of high‑risk changes.
  • Personnel: Confidentiality agreements; acceptable use and security training; background checks where permitted.
  • Vendor Management: Due diligence of Subprocessors; contracts with appropriate data protection terms.
  • Incident Management: Runbooks for common incidents; escalation paths; tabletop exercises as capacity allows.
  • Physical Security: Datacenter/colocation controlled by reputable vendors with industry‑standard controls; office access managed by keys/badges.

Annex C

Approved Subprocessors

Vendor: Microsoft (Azure / Microsoft 365)
Service: Cloud platform, email, identity
Data Location: As configured by Client tenant
Notes: Standard contractual protections and data residency options

Vendor: Google (Workspace / Cloud)
Service: Email, storage, productivity
Data Location: As configured by Client tenant
Notes: Standard contractual protections and data residency options

Vendor: (Add EDR vendor here)
Service: Endpoint protection
Data Location: USA / Global
Notes: Telemetry and event data

Vendor: (Add Backup vendor here)
Service: Cloud backup & recovery
Data Location: USA / Global
Notes: Encrypted backups; retention controls

Provider will update this list as services evolve. To object to a new Subprocessor on reasonable data protection grounds, notify Provider within 10 days of notice.