This page is a template provided for transparency. For a binding agreement, it is executed as part of, and subject to, the parties' engagement agreement. Clients with their own DPA are welcome to share it for review.
1. Scope & roles
This Data Processing Addendum ("DPA") applies where CIA Development, LLC ("Processor") processes Personal Data on behalf of a client ("Controller") in connection with services under the parties' agreement (the "Agreement"). The Controller determines the purposes and means of processing; the Processor processes Personal Data only on the Controller's behalf.
2. Definitions
"Personal Data," "processing," "controller," "processor," "data subject," and "subprocessor" have the meanings given under applicable data-protection law, including the GDPR and U.S. state privacy laws (e.g., CCPA/CPRA), as relevant.
3. Details of processing
- Subject matter & duration: as described in the Agreement, for its duration.
- Nature & purpose: providing the development, hosting, and support services described in the Agreement.
- Types of Personal Data & categories of data subjects: as specified for the engagement (e.g., the Controller's end users, employees, or contacts). The parties will record specifics in the Agreement or an exhibit.
4. Processor obligations
- Process Personal Data only on the Controller's documented instructions, including for international transfers, unless required by law (in which case we will inform the Controller where permitted).
- Ensure persons authorized to process Personal Data are bound by confidentiality.
- Implement appropriate technical and organizational security measures (see our Security Practices).
- Assist the Controller, taking into account the nature of processing, in responding to data-subject requests and in meeting its security, breach-notification, and data-protection-impact-assessment obligations.
- At the Controller's choice, delete or return Personal Data at the end of the engagement, and delete existing copies unless retention is required by law.
- Make available information reasonably necessary to demonstrate compliance and allow for, and contribute to, reasonable audits.
5. Subprocessors
The Controller provides general authorization for the Processor to engage subprocessors. Our current subprocessors are listed at cia.dev/subprocessors. We impose data-protection obligations on subprocessors no less protective than those in this DPA, and remain responsible for their performance. We will give the Controller notice of intended changes and an opportunity to object.
6. Security & breach notification
We maintain the safeguards described in our Security Practices. We will notify the Controller without undue delay and within 72 hours after becoming aware of a personal-data breach affecting the Controller's data, with the information reasonably available to assist the Controller's own obligations.
7. International transfers
Personal Data is processed in the United States. Where required for transfers from the EEA, UK, or Switzerland, the parties will rely on an appropriate transfer mechanism (such as the EU Standard Contractual Clauses), which is incorporated by reference where applicable.
8. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
9. Conflict
If there is a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA controls.
Request a signed copy
Email security@cia.dev to execute this DPA or to review yours.