This Data Processing Addendum (“DPA”) forms part of the agreement between Datafi Labs, Inc. (“Datafi,” “Processor,” “we,” “our,” or “us”) and the customer entity (“Customer,” “Controller,” or “you”) that has executed a service agreement, subscription agreement, or order form referencing this DPA (the “Agreement”) for the use of Datafi’s platform and services, including Studio, Control Tower, Sentinel, and Orchestrate (collectively, the “Services”).
This DPA sets forth the terms and conditions under which Datafi will process Personal Data on behalf of the Customer in connection with the provision of the Services. This DPA applies to the extent that Datafi processes Personal Data that is subject to applicable Data Protection Laws on behalf of the Customer. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
By executing the Agreement or using the Services, the Customer agrees to be bound by the terms of this DPA. This DPA is incorporated by reference into the Agreement and supplements our Privacy Policy and Terms of Service.
1. Definitions
For the purposes of this DPA, the following terms shall have the meanings set forth below. Capitalized terms not defined herein shall have the meanings ascribed to them in the Agreement.
- “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, the Customer is the Controller.
- “Data Protection Laws” means all applicable laws and regulations relating to the Processing of Personal Data, including, without limitation, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), the Brazilian General Data Protection Law (“LGPD”), the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”), and any other applicable privacy or data protection legislation.
- “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
- “Personal Data” means any information relating to an identified or identifiable natural person that is processed by Datafi on behalf of the Customer in connection with the Services. Personal Data includes any equivalent term under applicable Data Protection Laws, such as “personal information” under the CCPA/CPRA.
- “Processing” (and its cognates “Process,” “Processed,” and “Processes”) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller. For the purposes of this DPA, Datafi is the Processor.
- “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise Processed by Datafi or its Sub-processors.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission, as may be amended, superseded, or replaced from time to time.
- “Sub-processor” means any third-party entity engaged by Datafi to Process Personal Data on behalf of the Customer in connection with the Services.
2. Scope and Application
This DPA applies to all Processing of Personal Data by Datafi on behalf of the Customer in connection with the provision of the Services under the Agreement. The subject matter, duration, nature, and purpose of the Processing, the types of Personal Data Processed, and the categories of Data Subjects are described in Annex I of this DPA.
2.1 Subject Matter
Datafi provides a data integration, governance, and analytics platform that enables the Customer to connect, manage, transform, monitor, and orchestrate data across multiple sources and environments. In the course of providing these Services, Datafi may Process Personal Data that the Customer submits to, stores within, or transmits through the platform.
2.2 Duration of Processing
Datafi will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing or required by applicable Data Protection Laws. Upon termination or expiration of the Agreement, Datafi will handle Personal Data in accordance with Section 11 (Data Retention and Deletion) of this DPA.
2.3 Types of Personal Data
The types of Personal Data Processed under this DPA depend on the Customer’s use of the Services and may include, but are not limited to: names, email addresses, phone numbers, postal addresses, job titles, employment information, account credentials, IP addresses, device identifiers, usage data, location data, transaction data, and any other categories of Personal Data that the Customer submits to or processes through the Services.
2.4 Categories of Data Subjects
Data Subjects may include, but are not limited to: the Customer’s employees, contractors, agents, consultants, end users, clients, prospects, suppliers, business partners, and any other individuals whose Personal Data is submitted to or processed through the Services by the Customer or on the Customer’s behalf.
3. Roles and Responsibilities
3.1 Customer as Controller
The Customer acts as the Controller with respect to Personal Data and is responsible for: (a) determining the purposes and means of Processing; (b) ensuring that it has a lawful basis for Processing Personal Data and for instructing Datafi to Process Personal Data on its behalf; (c) ensuring compliance with applicable Data Protection Laws with respect to the collection and transfer of Personal Data to Datafi; and (d) providing all necessary notices to, and obtaining all necessary consents or authorizations from, Data Subjects as required by applicable Data Protection Laws.
3.2 Datafi as Processor
Datafi acts as the Processor with respect to Personal Data Processed on behalf of the Customer. In this capacity, Datafi shall: (a) Process Personal Data only in accordance with the Customer’s documented instructions as set forth in this DPA and the Agreement, unless required to do so by applicable law, in which case Datafi shall inform the Customer of that legal requirement before Processing (unless prohibited from doing so by law); (b) immediately inform the Customer if, in Datafi’s opinion, an instruction from the Customer infringes applicable Data Protection Laws; (c) ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and (d) implement and maintain appropriate technical and organizational measures to protect Personal Data as described in Section 8 of this DPA.
4. Processing Instructions and Purposes
4.1 Customer Instructions
Datafi shall Process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or an international organization. The Agreement, this DPA, and the Customer’s configuration and use of the Services constitute the Customer’s complete and final instructions to Datafi for the Processing of Personal Data. Any additional or alternative instructions must be agreed upon separately in writing.
4.2 Purposes of Processing
Datafi shall Process Personal Data solely for the following purposes: (a) providing, operating, maintaining, and improving the Services as described in the Agreement; (b) fulfilling the Customer’s documented instructions as described in this DPA; (c) complying with applicable laws, regulations, and government orders; and (d) detecting, preventing, and investigating security incidents, fraud, and abuse. Datafi shall not Process Personal Data for any purpose other than those specified in this DPA or the Agreement without prior written consent from the Customer.
4.3 Prohibited Processing
Datafi shall not: (a) sell Personal Data to any third party; (b) retain, use, or disclose Personal Data for any commercial purpose other than providing the Services; (c) retain, use, or disclose Personal Data outside of the direct business relationship between Datafi and the Customer; or (d) combine Personal Data received from the Customer with Personal Data received from other sources, except as necessary to provide the Services.
5. Data Subject Rights
5.1 Assistance with Data Subject Requests
Datafi shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures, insofar as is reasonably possible, in fulfilling the Customer’s obligations to respond to requests from Data Subjects exercising their rights under applicable Data Protection Laws. Such rights may include, but are not limited to, the right of access, rectification, erasure, restriction of Processing, data portability, and the right to object to Processing.
5.2 Notification of Requests
If Datafi receives a request from a Data Subject directly in relation to Personal Data Processed on behalf of the Customer, Datafi shall promptly notify the Customer and shall not respond to the request without the Customer’s prior written authorization, unless required by applicable law. Datafi shall provide the Customer with commercially reasonable cooperation and assistance in relation to the handling of such requests.
Datafi provides the Customer with self-service functionality within the platform to access, export, correct, and delete Personal Data. The Customer is responsible for using these tools to respond to Data Subject requests. Where the Customer is unable to address a Data Subject request using the available self-service tools, Datafi shall provide additional reasonable assistance upon the Customer’s written request.
6. Personnel and Confidentiality
6.1 Confidentiality Obligations
Datafi shall ensure that all personnel who have access to or Process Personal Data on behalf of the Customer are bound by written confidentiality agreements or are subject to statutory confidentiality obligations. Datafi shall ensure that such confidentiality obligations survive the termination of the individual’s engagement with Datafi.
6.2 Access Restrictions
Datafi shall limit access to Personal Data to those personnel who require such access to perform obligations under the Agreement and this DPA. Datafi shall ensure that all such personnel are informed of the confidential nature of the Personal Data and are trained on applicable data protection procedures and requirements.
6.3 Personnel Training
Datafi shall provide regular data protection and security awareness training to all personnel who Process Personal Data on behalf of the Customer. Training shall cover, at a minimum, applicable Data Protection Laws, data handling procedures, incident response protocols, and the terms of this DPA.
7. Sub-processors
7.1 Authorization to Engage Sub-processors
The Customer provides general written authorization for Datafi to engage Sub-processors to Process Personal Data on behalf of the Customer, subject to the requirements set forth in this Section 7. Datafi shall maintain a current list of Sub-processors, which shall be made available to the Customer upon request or through Datafi’s trust and compliance portal.
7.2 Sub-processor Obligations
Before engaging any Sub-processor, Datafi shall: (a) conduct appropriate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Personal Data required by this DPA and applicable Data Protection Laws; (b) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set forth in this DPA; and (c) remain fully liable for the acts and omissions of its Sub-processors with respect to the Processing of Personal Data.
7.3 Notification of New Sub-processors
Datafi shall notify the Customer in writing at least thirty (30) days prior to engaging any new Sub-processor or replacing an existing Sub-processor. Such notification shall include the name of the Sub-processor, the nature and scope of the Processing to be performed, and the location of Processing. Datafi may provide such notification via email to the Customer’s designated contact or through Datafi’s trust and compliance portal.
7.4 Objection Rights
The Customer may object to the appointment of a new Sub-processor by notifying Datafi in writing within fifteen (15) days of receiving Datafi’s notification. The objection must state reasonable grounds related to data protection. Upon receipt of an objection, Datafi shall use commercially reasonable efforts to: (a) make available a change to the Services that avoids the use of the objected-to Sub-processor; or (b) recommend a commercially reasonable alternative Sub-processor. If Datafi is unable to make such changes or recommendations within thirty (30) days of receiving the Customer’s objection, either party may terminate the affected portion of the Agreement with respect to the Services that cannot be provided without the use of the objected-to Sub-processor, and Datafi shall refund any prepaid fees covering the remainder of the term following the effective date of termination.
8. Security Measures
Datafi shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, theft, or disclosure. These measures shall include, at a minimum, the following:
8.1 Encryption
- Data in Transit: All Personal Data transmitted between the Customer and the Services, and between Datafi’s internal systems, is encrypted using TLS 1.2 or higher.
- Data at Rest: All Personal Data stored within the Services is encrypted using AES-256 encryption or equivalent industry-standard encryption algorithms.
- Key Management: Encryption keys are managed using a dedicated key management system with automated key rotation, separation of duties, and access controls.
8.2 Access Controls
- Authentication: Multi-factor authentication (MFA) is required for all administrative access to systems that Process Personal Data.
- Role-Based Access Control: Access to Personal Data is granted on a need-to-know basis using role-based access control (RBAC) with the principle of least privilege.
- Session Management: Automatic session timeout, concurrent session limits, and secure session token handling are enforced across all Services.
- Access Reviews: Datafi conducts periodic access reviews at least quarterly to ensure that access privileges remain appropriate and that former personnel have been promptly deprovisioned.
8.3 Monitoring and Logging
- Audit Logging: Datafi maintains comprehensive audit logs of all access to and modifications of Personal Data, including user identity, timestamp, action performed, and affected records.
- Intrusion Detection: Datafi employs intrusion detection and intrusion prevention systems (IDS/IPS) to monitor for unauthorized access or malicious activity.
- Continuous Monitoring: Datafi utilizes security information and event management (SIEM) systems for real-time monitoring, alerting, and correlation of security events across all infrastructure and application layers.
- Vulnerability Management: Datafi performs regular vulnerability scanning and penetration testing, with critical vulnerabilities remediated within established SLA timeframes.
8.4 Incident Response
- Incident Response Plan: Datafi maintains a documented incident response plan that defines roles, responsibilities, communication protocols, escalation procedures, and post-incident review processes.
- Incident Response Team: A dedicated security team is available around the clock to respond to and investigate security incidents.
- Testing: The incident response plan is tested at least annually through tabletop exercises and simulated incident scenarios.
8.5 Physical Security
- Data Center Security: Personal Data is hosted in SOC 2 Type II and ISO 27001 certified data centers with physical access controls, surveillance systems, environmental controls, and redundant power and network connectivity.
- Workstation Security: Datafi enforces endpoint security controls on all corporate devices, including full-disk encryption, endpoint detection and response (EDR), and automated patch management.
8.6 Business Continuity
- Backup and Recovery: Datafi maintains regular encrypted backups of Personal Data with geographically distributed storage and tested recovery procedures.
- Disaster Recovery: Datafi maintains and regularly tests a disaster recovery plan to ensure continuity of the Services and protection of Personal Data in the event of a significant disruption.
9. Data Breach Notification
9.1 Notification Obligation
In the event of a Security Incident, Datafi shall notify the Customer without undue delay and in any event within seventy-two (72) hours after becoming aware of the Security Incident. Notification shall be made to the Customer’s designated security contact via email and, where appropriate, by telephone.
9.2 Content of Notification
The notification shall include, to the extent reasonably available at the time of notification:
- A description of the nature of the Security Incident, including, where possible, the categories and approximate number of Data Subjects and Personal Data records affected.
- The name and contact details of Datafi’s designated point of contact for further information.
- A description of the likely consequences of the Security Incident.
- A description of the measures taken or proposed to be taken by Datafi to address the Security Incident, including measures to mitigate its possible adverse effects.
- A timeline of the Security Incident, including the date and time of discovery.
9.3 Ongoing Updates
If Datafi is unable to provide all required information at the time of the initial notification, Datafi shall provide the information in phases without further undue delay as additional details become available. Datafi shall provide regular updates to the Customer regarding the status of the investigation and remediation efforts.
9.4 Cooperation
Datafi shall cooperate with the Customer and take commercially reasonable steps to assist the Customer in investigating, mitigating, and remediating the Security Incident, including preserving relevant evidence and records. Datafi shall also assist the Customer in fulfilling the Customer’s obligations to notify supervisory authorities and Data Subjects under applicable Data Protection Laws.
9.5 No Public Disclosure
Datafi shall not make any public statements or notifications regarding a Security Incident without the Customer’s prior written consent, unless required by applicable law or regulation.
10. Data Transfers
10.1 General Principle
Datafi shall not transfer Personal Data to a country or territory outside the jurisdiction in which the Customer is located unless appropriate safeguards are in place as required by applicable Data Protection Laws. Where transfers are necessary for the provision of the Services, Datafi shall ensure compliance with the requirements set forth in this Section 10.
10.2 Standard Contractual Clauses
Where the transfer of Personal Data from the European Economic Area (“EEA”), the United Kingdom, or Switzerland to a jurisdiction that has not been recognized as providing an adequate level of data protection is required for the provision of the Services, the parties agree to enter into and comply with the Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), which are hereby incorporated by reference into this DPA. For transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office shall apply.
10.3 Adequacy Decisions
Where the European Commission, the UK Secretary of State, or another competent authority has issued an adequacy decision recognizing that a third country provides an adequate level of data protection, Datafi may rely on such adequacy decision for transfers of Personal Data to that country, provided that the adequacy decision remains valid and has not been invalidated by a court of competent jurisdiction.
10.4 Supplementary Measures
Where required by applicable Data Protection Laws or guidance from supervisory authorities, Datafi shall implement supplementary technical, contractual, and organizational measures to ensure that the transferred Personal Data receives an essentially equivalent level of protection as that guaranteed within the originating jurisdiction. Such measures may include enhanced encryption, pseudonymization, access restrictions, and data residency commitments.
10.5 Transfer Impact Assessments
Datafi shall, upon the Customer’s reasonable request, provide information necessary for the Customer to conduct transfer impact assessments and shall cooperate with the Customer in implementing any additional safeguards identified as necessary through such assessments.
11. Data Retention and Deletion
11.1 Retention During the Term
Datafi shall retain Personal Data only for as long as necessary to fulfill the purposes described in this DPA and the Agreement, or as required by applicable law. Datafi shall not retain Personal Data beyond what is strictly necessary and shall apply data minimization principles throughout the term of the Agreement.
11.2 Deletion Upon Termination
Upon termination or expiration of the Agreement, and at the Customer’s election, Datafi shall either: (a) return all Personal Data to the Customer in a structured, commonly used, and machine-readable format; or (b) securely delete or destroy all Personal Data in its possession or control, including all copies, backups, and archives, within ninety (90) days following termination or expiration. Datafi shall provide written certification of deletion upon the Customer’s request.
11.3 Exceptions to Deletion
Datafi may retain Personal Data to the extent required by applicable law, regulation, or court order, provided that Datafi: (a) notifies the Customer of any such requirement (unless legally prohibited from doing so); (b) limits the retention to the specific data required; (c) continues to protect the retained data in accordance with this DPA; and (d) deletes the retained data promptly once the legal requirement no longer applies.
11.4 Data Export
Datafi provides self-service data export functionality within the platform. The Customer is responsible for exporting its data prior to the expiration of the post-termination data retrieval period. Datafi shall provide reasonable assistance with data export upon the Customer’s request.
12. Audits and Compliance
12.1 Certifications and Reports
Datafi maintains the following certifications and compliance reports, which demonstrate its adherence to industry-recognized security and data protection standards:
- SOC 2 Type II: Datafi undergoes annual SOC 2 Type II audits conducted by independent third-party auditors, covering the Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy.
- ISO 27001: Datafi maintains ISO 27001 certification for its information security management system (ISMS), with regular surveillance audits and recertification assessments.
Datafi shall make the most recent audit reports and certifications available to the Customer upon written request, subject to reasonable confidentiality obligations.
12.2 Customer Audit Rights
The Customer, or a qualified independent third-party auditor appointed by the Customer (subject to reasonable confidentiality obligations), shall have the right to audit Datafi’s compliance with this DPA no more than once per twelve-month period, unless a Security Incident has occurred or the Customer is required by a supervisory authority to conduct additional audits. The Customer shall provide Datafi with at least thirty (30) days’ prior written notice of any audit and shall conduct the audit during normal business hours in a manner that minimizes disruption to Datafi’s operations.
12.3 Audit Cooperation
Datafi shall cooperate with the Customer’s audit requests by providing access to relevant documentation, records, systems, and personnel. Datafi shall make available all information reasonably necessary to demonstrate compliance with this DPA and applicable Data Protection Laws. The Customer shall bear its own costs associated with any audit, unless the audit reveals material non-compliance by Datafi.
12.4 Data Protection Impact Assessments
Datafi shall provide reasonable assistance to the Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, to the extent required under applicable Data Protection Laws, taking into account the nature of the Processing and the information available to Datafi.
13. Liability
13.1 Liability Cap
Each party’s total aggregate liability arising out of or in connection with this DPA, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall be subject to the limitations of liability set forth in the Agreement. This DPA does not modify or supersede any limitations of liability or exclusions of damages contained in the Agreement.
13.2 Indemnification
Each party shall indemnify and hold the other party harmless from and against all claims, damages, losses, costs, and expenses (including reasonable attorneys’ fees) arising from or related to any breach of this DPA by the indemnifying party, its employees, agents, or Sub-processors. The Customer shall indemnify Datafi against any claims arising from Processing carried out in accordance with the Customer’s instructions that are later determined to violate applicable Data Protection Laws.
13.3 Apportionment
Where both parties are responsible for damage caused by Processing that violates applicable Data Protection Laws, each party shall be liable for the portion of damage attributable to its respective actions or omissions, in accordance with the applicable Data Protection Laws.
14. Term and Termination
14.1 Term
This DPA shall become effective on the date the Customer executes the Agreement or begins using the Services, whichever is earlier, and shall remain in effect for the duration of the Agreement. The provisions of this DPA that by their nature should survive termination shall continue in full force and effect after termination, including, without limitation, Sections 6 (Personnel and Confidentiality), 9 (Data Breach Notification), 11 (Data Retention and Deletion), 12 (Audits and Compliance), and 13 (Liability).
14.2 Termination for Breach
Either party may terminate this DPA and the affected portions of the Agreement if the other party materially breaches any provision of this DPA and fails to cure such breach within thirty (30) days of receiving written notice thereof. A material breach of this DPA shall be deemed a material breach of the Agreement.
14.3 Effect of Termination
Upon termination of this DPA, Datafi shall: (a) cease all Processing of Personal Data on behalf of the Customer, except as necessary to comply with applicable law; (b) comply with the data return and deletion obligations set forth in Section 11; and (c) provide reasonable cooperation to the Customer in transitioning the Processing to another service provider or bringing the Processing in-house.
14.4 Amendments
Datafi may update this DPA from time to time to reflect changes in applicable Data Protection Laws, regulatory guidance, or Datafi’s data processing practices. Datafi shall provide the Customer with at least thirty (30) days’ prior written notice of any material changes to this DPA. The Customer’s continued use of the Services after the effective date of any such changes constitutes acceptance of the updated DPA.
If you have any questions, concerns, or requests regarding this Data Processing Addendum or Datafi’s data processing practices, please contact us using the following channels:
- Privacy Inquiries: [email protected]
- Legal and DPA Requests: [email protected]
- Mailing Address: Datafi Labs, Inc., Attn: Legal / Privacy, 314 Williams Ave South #1245, Renton, WA 98057, United States
For more information about how Datafi handles personal information, please review our Privacy Policy. For the complete terms governing your use of the Services, please review our Terms of Service.
