
Data Processing Agreement (DPA)

Last Updated: December 30, 2025

Table of Contents

  • Introduction
  • Definitions
  • Scope and Purpose
  • Processor Obligations
  • Security Measures
  • Sub-processors
  • Data Subject Rights
  • Audits and Compliance
  • Data Breach Notification
  • International Transfers
  • Termination and Data Return
  • Liability and Indemnification

Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer," "Controller") and [COMPANY_NAME] ("Policy Change Radar," "Processor," "we," "us") and governs the processing of Personal Data in accordance with applicable Data Protection Laws.

This DPA reflects the parties' agreement with respect to the processing of Personal Data and is effective as of the date you accept our Terms of Service.

Definitions

  • "Data Protection Laws" means all applicable laws relating to privacy, data protection, and data security, including the GDPR, CCPA, and similar regulations.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Policy Change Radar on behalf of Customer.
  • "Processing" has the meaning given in Data Protection Laws (including collecting, storing, analyzing, and deleting Personal Data).
  • "Controller" means the entity that determines the purposes and means of Processing Personal Data (Customer).
  • "Processor" means the entity that Processes Personal Data on behalf of the Controller (Policy Change Radar).
  • "Sub-processor" means any third party engaged by Processor to Process Personal Data.
  • "Data Subject" means the individual to whom Personal Data relates.

Scope and Purpose of Processing

Subject Matter

Processor will Process Personal Data for the purpose of providing document monitoring and change detection services as described in the Terms of Service.

Duration

Processing will continue for the duration of the Service subscription, plus the retention periods specified in our Privacy Policy or as required by law.

Nature of Processing

Processing activities include:

  • Storage of user account information
  • Analysis of documents submitted for monitoring
  • Change detection and comparison algorithms
  • Generation of alerts and summaries
  • Provision of access to monitored documents and change history

Types of Personal Data

Categories of Personal Data processed may include:

  • Account Data: names, email addresses, company names
  • Usage Data: IP addresses, browser information, access logs
  • Billing Data: payment information (processed by Stripe)
  • Document Data: Any personal data contained in documents submitted by Customer

Categories of Data Subjects

Data Subjects may include:

  • Customer's employees and authorized users
  • Individuals mentioned in monitored documents (if applicable)

Processor Obligations

Processing Instructions

Processor will Process Personal Data only on documented instructions from Controller, including as set forth in this DPA and the Terms of Service, unless required to do so by applicable law.

Confidentiality

Processor will ensure that persons authorized to Process Personal Data:

  • Are subject to confidentiality obligations
  • Receive appropriate training on data protection
  • Process Personal Data only as instructed

Data Protection Officer

Where required by Data Protection Laws, Processor will appoint a Data Protection Officer and provide their contact details to Controller upon request.

Security Measures

Processor will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Technical Measures

  • Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
  • Pseudonymization where appropriate
  • Regular security testing and assessment
  • Secure authentication and access controls

Organizational Measures

  • Access limited to authorized personnel on a need-to-know basis
  • Regular security training for staff
  • Incident response procedures
  • Vendor management and oversight

See our Security page for detailed information about our security practices.

Sub-processors

Authorization

Controller provides general authorization for Processor to engage Sub-processors to Process Personal Data, subject to the conditions in this section.

Current Sub-processors

A current list of Sub-processors is available at policychangeradar.com/subprocessors.

Sub-processor Requirements

Processor will:

  • Impose data protection obligations on Sub-processors equivalent to those in this DPA
  • Remain fully liable to Controller for Sub-processor performance
  • Ensure Sub-processors comply with Data Protection Laws

Changes to Sub-processors

Processor will provide at least 30 days' notice of any new Sub-processor via email and by updating the Subprocessors page. Controller may object to a new Sub-processor on reasonable data protection grounds within 30 days of notice. If Controller objects, the parties will work together to find a resolution, or Controller may terminate the affected Service.

Data Subject Rights

Assistance with Requests

Processor will, to the extent legally permitted and taking into account the nature of Processing, assist Controller in responding to Data Subject requests to exercise their rights under Data Protection Laws, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

Data Subject Requests to Processor

If Processor receives a Data Subject request directly, Processor will forward the request to Controller without undue delay and will not respond to the request without Controller's prior authorization.

Audits and Compliance

Information and Cooperation

Processor will make available to Controller information necessary to demonstrate compliance with obligations under Data Protection Laws and this DPA.

Audit Rights

Controller may audit Processor's compliance with this DPA:

  • No more than once per year, unless required by Data Protection Laws or a supervisory authority
  • Upon at least 30 days' written notice
  • During normal business hours and without disrupting Processor's operations
  • Subject to confidentiality obligations

Audit Reports

Processor may provide third-party audit reports (such as SOC 2 Type II) to satisfy Controller's audit requirements where applicable.

Data Breach Notification

Notification Obligation

Processor will notify Controller without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data breach affecting Controller's Personal Data.

Breach Information

The notification will include, to the extent available:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact point for further information

Cooperation

Processor will cooperate with Controller in investigating and remediating the breach and will provide reasonable assistance with any required notifications to supervisory authorities or Data Subjects.

International Transfers

Data Location

Personal Data is primarily stored and processed in the United States. Processor may transfer Personal Data to other jurisdictions where Sub-processors operate.

Transfer Mechanisms

For transfers of Personal Data from the European Economic Area (EEA), UK, or Switzerland to countries that do not provide adequate protection under Data Protection Laws, Processor relies on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Appropriate supplementary measures to ensure adequate protection

Standard Contractual Clauses

The Standard Contractual Clauses for the transfer of personal data to processors established in third countries (as approved by the European Commission) are incorporated into this DPA by reference.

Termination and Data Return

Return or Deletion

Upon termination of the Service, Processor will, at Controller's choice:

  • Return all Personal Data to Controller in a commonly used format, or
  • Securely delete all Personal Data

Retention for Legal Purposes

Processor may retain Personal Data to the extent required by applicable law, with confidentiality obligations continuing to apply.

Certification of Deletion

Upon request, Processor will provide written certification that Personal Data has been deleted or returned.

Liability and Indemnification

Liability

Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Terms of Service, except as prohibited by Data Protection Laws.

Indemnification

Processor will indemnify Controller for claims arising from Processor's breach of its obligations under this DPA or Data Protection Laws, subject to the limitations in the Terms of Service.

Controller Responsibilities

Controller is responsible for:

  • Ensuring it has a lawful basis for Processing under Data Protection Laws
  • Providing lawful Processing instructions to Processor
  • Complying with its obligations as a Controller under Data Protection Laws
  • Obtaining necessary consents from Data Subjects where required

General Provisions

Order of Precedence

In the event of conflict between this DPA and the Terms of Service, this DPA will prevail with respect to the Processing of Personal Data.

Modifications

Processor may update this DPA to reflect changes in Data Protection Laws or business practices. Material changes will be communicated in accordance with the Terms of Service.

Severability

If any provision of this DPA is held invalid or unenforceable, that provision will be reformed to the minimum extent necessary, and the remaining provisions will remain in full effect.

Governing Law

This DPA is governed by the laws specified in the Terms of Service, except where Data Protection Laws require otherwise.

Contact Information

For questions about this DPA or data processing:

  • Privacy Team: privacy@policychangeradar.com
  • Mailing Address: [COMPANY_NAME], [ADDRESS]
// Policy Change Radar © 2026 Policy Change Radar. All rights reserved. A Smales Studio project.