Data Processing Agreement
Last Updated: [DATE]This Data Processing Agreement ("DPA") supplements the DEXtra Terms of Service ("Agreement") for customers requiring compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or other applicable data protection legislation.
1. Definitions
For the purposes of this DPA, the following terms shall have the meanings set forth below:
- "Controller" means the Customer, who determines the purposes and means of the processing of Personal Data through its use of the Service.
- "Processor" means DEXtra, which processes Personal Data on behalf of and under the instructions of the Controller.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed through the Service.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4 of the GDPR, that is processed by DEXtra in the course of providing the Service.
- "Processing" means any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, as defined in Article 4 of the GDPR, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Sub-processor" means any third party engaged by DEXtra to process Personal Data on behalf of the Controller in connection with the provision of the Service.
2. Scope and Roles
The Customer acts as the Controller and DEXtra acts as the Processor with respect to Personal Data processed through the Service. DEXtra shall process Personal Data only as instructed by the Customer through the configuration and use of the Service, and solely for the purpose of providing the Service as described in the Agreement.
Categories of Data Processed
- Endpoint Telemetry: Hardware inventory, software inventory, operating system information, network configuration, event logs, patch status, security scan results, and performance metrics collected from managed endpoints via the DEXtra Agent.
- User Account Data: Names, email addresses, roles, authentication credentials, and activity logs of Customer personnel who access the DEXtra dashboard.
- AI Conversation Data: Chat messages, support tickets, AI-generated diagnoses, and resolution plans created through the DEXtra AI helpdesk.
Data Subjects
- Employees and contractors of the Customer who use or administer the Service.
- End users of endpoints managed by the Customer through the Service.
3. Processing Instructions
DEXtra shall process Personal Data only in accordance with the Customer's documented instructions as communicated through the Service configuration, dashboard settings, and this DPA. The Agreement and this DPA together constitute the Customer's complete instructions to DEXtra for the processing of Personal Data at the time of execution.
Any processing beyond the scope of these instructions shall require a prior written agreement between the parties. If DEXtra believes that an instruction from the Customer infringes applicable data protection law, DEXtra shall promptly inform the Customer and shall be entitled to suspend the relevant processing until the matter is resolved.
4. Security Measures
DEXtra implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include, but are not limited to:
Technical Measures
- Encryption in Transit: All data transmitted between the Agent, orchestrator, and dashboard is encrypted using TLS 1.2 or higher.
- Encryption at Rest: Sensitive database fields (such as remote desktop passwords) are encrypted with authenticated field-level encryption (Fernet: AES-128-CBC with HMAC-SHA256).
- Access Controls: Role-based access control (RBAC) with four permission levels (L1, L2, Supervisor, Admin). Multi-factor authentication (MFA) is supported for all user accounts.
- Network Security: Rate limiting, Content Security Policy (CSP) headers, HMAC-authenticated WebSocket connections, and command filtering on Agent endpoints.
- Vulnerability Management: Regular security assessments, dependency auditing, and prompt patching of identified vulnerabilities.
Organizational Measures
- Employee Training: All personnel with access to Personal Data receive data protection and security awareness training.
- Need-to-Know Access: Access to Personal Data is restricted to personnel who require it to perform their duties in connection with the Service.
- Confidentiality Agreements: All personnel with access to Personal Data are bound by contractual confidentiality obligations.
- Incident Response: Documented incident response procedures are maintained and tested to ensure prompt detection, containment, and resolution of security incidents.
5. Sub-processors
The Customer authorizes DEXtra to engage the following Sub-processors for the processing of Personal Data in connection with the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic | AI language model processing for helpdesk and diagnostic functions | United States |
| [Hosting Provider] | Infrastructure hosting and data storage | United States |
| [Payment Processor] | Billing and payment processing | United States |
DEXtra shall notify the Customer at least 30 days in advance of engaging any new Sub-processor or replacing an existing Sub-processor. The Customer may object to the engagement of a new Sub-processor within 14 days of receiving such notification by providing written notice to DEXtra with reasonable grounds for the objection.
If the Customer's objection cannot be reasonably resolved within 30 days, the Customer may terminate the affected portion of the Service without penalty. DEXtra shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set forth in this DPA.
6. Data Subject Rights
DEXtra shall assist the Customer in fulfilling its obligations to respond to Data Subject requests exercising their rights under applicable data protection law, including the rights of:
- Access: The right to obtain confirmation of whether Personal Data is being processed and to receive a copy of such data.
- Rectification: The right to have inaccurate Personal Data corrected without undue delay.
- Erasure: The right to have Personal Data deleted where there is no compelling reason for its continued processing.
- Data Portability: The right to receive Personal Data in a structured, commonly used, and machine-readable format.
- Restriction of Processing: The right to request the restriction of processing under certain circumstances.
- Objection: The right to object to the processing of Personal Data in certain circumstances.
DEXtra shall respond to requests from the Customer for assistance with Data Subject rights within 10 business days. The Customer is responsible for verifying the identity of Data Subjects prior to submitting requests to DEXtra.
7. Breach Notification
In the event of a confirmed Personal Data breach, DEXtra shall notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include, to the extent available at the time of notification:
- A description of the nature of the breach, including the categories of data and processing records concerned.
- The categories and approximate number of Data Subjects affected by the breach.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.
DEXtra shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of each breach. DEXtra shall document all Personal Data breaches, including the facts relating to the breach, its effects, and the remedial action taken.
8. International Transfers
Personal Data processed under this DPA is stored and processed in the United States. For transfers of Personal Data from the European Union, European Economic Area (EEA), or the United Kingdom to the United States, the parties agree to the following safeguards:
- Standard Contractual Clauses (SCCs): The parties incorporate by reference the Standard Contractual Clauses adopted by the European Commission pursuant to Decision 2021/914 of 4 June 2021. The Customer acts as the "data exporter" and DEXtra acts as the "data importer" for purposes of the SCCs.
- Supplementary Measures: In accordance with the Court of Justice of the European Union's Schrems II decision (Case C-311/18), DEXtra implements supplementary technical and organizational measures as described in Section 4 of this DPA to ensure an essentially equivalent level of protection for transferred Personal Data.
DEXtra shall promptly inform the Customer if it becomes aware of any legal requirement that would prevent it from complying with its obligations under this DPA or the SCCs, and shall take reasonable steps to minimize the impact of any such requirement on the processing of Personal Data.
9. Audit Rights
The Customer may audit DEXtra's compliance with the obligations set forth in this DPA, subject to the following conditions:
- Notice: The Customer shall provide DEXtra with at least 30 days' written notice prior to conducting an audit.
- Timing: Audits shall be conducted during normal business hours and shall not unreasonably interfere with DEXtra's operations.
- Frequency: The Customer may conduct no more than one audit per twelve-month period, unless a Personal Data breach has occurred or a supervisory authority requests or mandates an additional audit.
- Documentation: DEXtra shall make available to the Customer all information and documentation reasonably necessary to demonstrate compliance with this DPA.
- Confidentiality: Any third-party auditor engaged by the Customer shall be bound by confidentiality obligations no less protective than those contained in the Agreement.
DEXtra may satisfy audit obligations by providing the Customer with relevant third-party audit reports, certifications, or compliance attestations, provided such documentation reasonably addresses the Customer's audit objectives.
10. Data Return and Deletion
Upon termination or expiration of the Agreement, the following provisions apply to Personal Data in DEXtra's possession:
- Data Export: The Customer may export its data through the Service's built-in export functionality within 30 days of termination. DEXtra shall provide reasonable assistance with data export upon request.
- Deletion: After the 30-day export period, DEXtra shall delete all Personal Data processed on behalf of the Customer, including all copies in active systems and backup systems, except to the extent that retention is required by applicable law.
- Certification: Upon request, DEXtra shall provide the Customer with written certification confirming the deletion of all Personal Data, including the date of deletion and the scope of data deleted.
Where applicable law requires DEXtra to retain certain Personal Data beyond the 30-day deletion period, DEXtra shall inform the Customer of such requirement and shall continue to protect the retained data in accordance with this DPA until deletion is completed.
11. Duration and Termination
This DPA shall become effective on the date the Customer accepts the Terms of Service and shall remain in effect for the duration of the Agreement. The obligations of DEXtra under this DPA shall survive the termination or expiration of the Agreement until all Personal Data has been deleted or returned to the Customer in accordance with Section 10.
12. Liability
Each party's liability arising out of or in connection with this DPA, whether in contract, tort, or under any other theory of liability, shall be subject to the Limitation of Liability provisions set forth in the Terms of Service. Nothing in this DPA shall be construed to limit either party's liability for breaches of data protection law to the extent that such limitation is prohibited by applicable law.
13. Contact
For inquiries regarding data protection and this DPA, please contact:
- Data Protection Inquiries: [DPO_EMAIL]
- Legal Entity: [LEGAL ENTITY NAME]
- Address: [ADDRESS]