Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the service agreement between you (“Client,” “Controller,” or “you”) and Annuit Agency Inc. (“Annuit,” “Processor,” “we,” “us,” or “our”). This DPA governs the processing of personal data by Annuit on behalf of the Client in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

1. Definitions

2. Scope and Applicability

2.1 Application

This DPA applies to all Processing of Personal Data by Annuit on behalf of the Client in connection with the services provided under the service agreement.

2.2 Roles

The parties acknowledge that:

• The Client acts as the Controller of Personal Data
• Annuit acts as the Processor of Personal Data
• The Client has sole responsibility for ensuring compliance with Data Protection Laws in its role as Controller

2.3 Precedence

In the event of any conflict between this DPA and the service agreement, this DPA shall take precedence with respect to the Processing of Personal Data.

3. Processing of Personal Data

3.1 Instructions

Annuit shall Process Personal Data only on documented instructions from the Client, unless required to do so by applicable law. The Client’s instructions shall be set forth in the service agreement and may be supplemented by additional written instructions.

3.2 Nature and Purpose of Processing

The nature and purpose of Processing include:

• Website development and hosting services
• Digital marketing and analytics
• AI automation and customer service solutions
• Business consulting and optimization services
• Data analysis and reporting

3.3 Types of Personal Data

The types of Personal Data that may be Processed include:

• Contact information (names, email addresses, phone numbers)
• Demographic information
• Customer interaction data
• Website usage and analytics data
• Communication records
• Transaction and payment information
• Any other data provided by the Client or collected through the services

3.4 Categories of Data Subjects

Data Subjects may include:

• The Client’s customers and prospective customers
• Website visitors
• Newsletter subscribers
• Business contacts
• Employees or contractors of the Client

4. Processor Obligations

4.1 Compliance with Laws

Annuit shall comply with all applicable Data Protection Laws in its Processing of Personal Data.

4.2 Confidentiality

Annuit shall ensure that all personnel authorized to Process Personal Data:

• Are bound by appropriate confidentiality obligations
• Receive adequate training on data protection requirements
• Process Personal Data only as necessary to perform their duties

4.3 Security Measures

Annuit shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of Personal Data in transit and at rest
• Regular security assessments and penetration testing
• Access controls and authentication mechanisms
• Secure backup and disaster recovery procedures
• Security incident monitoring and response protocols
• Regular security awareness training for personnel
• Physical security measures for data centers and offices

4.4 Assistance to Controller

Annuit shall, to the extent reasonably practicable, assist the Client in:

• Responding to Data Subject requests (access, correction, deletion, etc.)
• Conducting data protection impact assessments
• Fulfilling the Client’s obligations under Data Protection Laws
• Consulting with supervisory authorities when required

5. Sub-processing

5.1 Authorization

The Client provides general authorization for Annuit to engage Sub-processors to Process Personal Data, subject to the conditions set forth in this section.

5.2 Current Sub-processors

Annuit currently engages the following categories of Sub-processors:

• Cloud hosting and infrastructure providers
• Analytics and marketing platforms
• Payment processing services
• Communication and collaboration tools
• Customer relationship management systems

A current list of Sub-processors is available upon request.

5.3 Sub-processor Requirements

Annuit shall ensure that any Sub-processor:

• Enters into a written agreement imposing data protection obligations equivalent to this DPA
• Implements appropriate security measures
• Complies with applicable Data Protection Laws

5.4 Changes to Sub-processors

Annuit shall notify the Client of any intended changes to Sub-processors at least thirty (30) days in advance. The Client may object to such changes on reasonable grounds related to data protection. If the parties cannot resolve the objection, the Client may terminate the affected services.

5.5 Liability

Annuit remains fully liable to the Client for the performance of any Sub-processor’s obligations.

6. Data Subject Rights

6.1 Requests

If Annuit receives a request from a Data Subject to exercise their rights under Data Protection Laws, Annuit shall:

• Promptly notify the Client of the request
• Not respond to the request without the Client’s prior written authorization
• Provide reasonable assistance to the Client in responding to the request

6.2 Data Subject Rights Include

• Right of access to Personal Data
• Right to rectification of inaccurate data
• Right to erasure (“right to be forgotten”)
• Right to restriction of Processing
• Right to data portability
• Right to object to Processing
• Rights related to automated decision-making

7. Data Breach Notification

7.1 Notification to Client

Annuit shall notify the Client without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Personal Data breach affecting the Client’s Personal Data.

7.2 Breach Information

The notification shall include, to the extent known:

• The nature of the breach
• The categories and approximate number of Data Subjects affected
• The categories and approximate number of Personal Data records affected
• The likely consequences of the breach
• The measures taken or proposed to address the breach
• Contact information for further inquiries

7.3 Cooperation

Annuit shall cooperate with the Client and provide reasonable assistance in investigating and remediating the breach, including compliance with any notification obligations to Data Subjects or supervisory authorities.

8. Data Transfers

8.1 International Transfers

Personal Data may be transferred to and Processed in countries outside the European Economic Area (EEA) or the Data Subject’s country of residence. Annuit shall ensure that such transfers comply with applicable Data Protection Laws.

8.2 Transfer Mechanisms

For transfers outside the EEA, Annuit shall implement appropriate safeguards, which may include:

• Standard Contractual Clauses approved by the European Commission
• Binding Corporate Rules
• Adequacy decisions
• Other legally recognized transfer mechanisms

8.3 Data Localization

Upon request, Annuit shall provide information about the locations where Personal Data is Processed and stored.

9. Data Retention and Deletion

9.1 Retention Period

Annuit shall retain Personal Data only for as long as necessary to provide the services or as required by applicable law.

9.2 Deletion or Return

Upon termination or expiration of the service agreement, Annuit shall, at the Client’s choice:

• Delete all Personal Data in its possession or control, or
• Return all Personal Data to the Client in a commonly used format

9.3 Exceptions

Annuit may retain Personal Data to the extent required by applicable law, provided that such Personal Data remains subject to confidentiality obligations and is Processed only as necessary to comply with the legal requirement.

10. Audit Rights

10.1 Audit and Inspection

The Client may, upon reasonable notice and during normal business hours, conduct audits or inspections to verify Annuit’s compliance with this DPA, provided that:

• Such audits are conducted no more than once per year unless required by a supervisory authority
• The Client provides at least thirty (30) days’ advance written notice
• The audit does not unreasonably interfere with Annuit’s operations
• The Client or its auditors execute appropriate confidentiality agreements

10.2 Audit Reports

Annuit may provide audit reports, certifications (such as SOC 2, ISO 27001), or other evidence of compliance in lieu of a Client-conducted audit.

10.3 Costs

The Client shall bear all costs associated with any audit, unless the audit reveals material non-compliance by Annuit.

11. Liability and Indemnification

11.1 Liability

Each party’s liability under this DPA shall be subject to the limitations of liability set forth in the service agreement.

11.2 Indemnification

Annuit shall indemnify and hold harmless the Client from any claims, damages, or losses arising from Annuit’s breach of this DPA or violation of Data Protection Laws in its Processing of Personal Data, except to the extent caused by the Client’s instructions or breach.

12. Term and Termination

12.1 Term

This DPA shall remain in effect for the duration of the service agreement and any period during which Annuit Processes Personal Data on behalf of the Client.

12.2 Survival

Sections relating to confidentiality, data deletion, liability, and any other provisions that by their nature should survive shall remain in effect after termination.

13. Amendments

Annuit may amend this DPA from time to time to reflect changes in Data Protection Laws or industry standards. Material changes will be communicated to the Client with reasonable advance notice. Continued use of the services after such changes constitutes acceptance of the amended DPA.

14. Governing Law and Jurisdiction

This DPA shall be governed by the laws specified in the service agreement. For GDPR-related matters, the supervisory authority in the Client’s jurisdiction shall have jurisdiction.