Data Processing Agreement

Last Updated: December 11, 2024

This Data Processing Agreement ("DPA") forms part of the Service Agreement between you ("Customer", "Data Controller") and DXSignal ("Processor", "we", "us") and governs the processing of Personal Data in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by us on your behalf through the DXSignal service.

"Processing" has the meaning given in the GDPR and includes any operation performed on Personal Data.

"Sub-processor" means any third party appointed by us to process Personal Data on your behalf.

"Data Subject" means the individual to whom Personal Data relates.

2. Scope and Purpose of Processing

2.1 Nature and Purpose

We process Personal Data solely for the purpose of providing the DXSignal service, which includes:

  • Developer metrics and analytics
  • DORA metrics tracking and reporting
  • Team productivity insights
  • Integration with third-party development tools
  • Service operation, maintenance, and support

2.2 Types of Personal Data

We may process the following categories of Personal Data:

  • User account information (name, email address, authentication credentials)
  • Organization and team membership data
  • Developer activity data (commits, pull requests, deployments)
  • Usage data and analytics
  • Support and communication records

2.3 Data Subjects

Personal Data may relate to:

  • Customer's employees and contractors
  • Customer's end users (developers)
  • Customer's authorized representatives

2.4 Duration

We will process Personal Data for the duration of the Service Agreement and as necessary to comply with legal obligations or resolve disputes.

3. Data Processor Obligations

3.1 Instructions: We will process Personal Data only on documented instructions from you, unless required to do so by applicable law.

3.2 Confidentiality: We ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security: We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit and at rest
  • Regular security assessments and testing
  • Access controls and authentication mechanisms
  • Incident response and breach notification procedures
  • Regular backups and disaster recovery capabilities

3.4 Sub-processing: We will not engage another processor without your prior written authorization. Current sub-processors are listed in Annex A below.

3.5 Data Subject Rights: We will assist you in responding to requests for exercising Data Subject rights under GDPR, including access, rectification, erasure, and data portability.

3.6 Data Breach: We will notify you without undue delay after becoming aware of a Personal Data breach affecting your data.

3.7 Deletion: We will delete or return all Personal Data to you at the end of the provision of services, unless retention is required by law.

3.8 Audit: We will make available all information necessary to demonstrate compliance with this DPA and allow for audits by you or an auditor mandated by you.

4. International Data Transfers

4.1 Location: Personal Data is primarily processed and stored within the European Union and the United States using Microsoft Azure infrastructure.

4.2 Safeguards: Where Personal Data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions by the European Commission
  • Binding Corporate Rules where applicable

4.3 Azure Compliance: Our primary infrastructure provider, Microsoft Azure, maintains GDPR compliance and provides appropriate data processing agreements and safeguards.

5. Technical and Organizational Measures

We implement the following security measures:

🔒 Access Control

  • Multi-factor authentication
  • Role-based access control
  • Regular access reviews
  • Strong password policies

🔐 Encryption

  • TLS 1.2+ for data in transit
  • AES-256 for data at rest
  • Encrypted database storage
  • Secure key management

📊 Monitoring

  • Continuous security monitoring
  • Audit logging and retention
  • Intrusion detection systems
  • Regular vulnerability scanning

🛡️ Infrastructure

  • Regular security patching
  • Network segmentation
  • DDoS protection
  • Automated backups

6. Assistance with Data Subject Rights

We will assist you in fulfilling your obligations to respond to Data Subject requests:

  • Right of Access: We provide user data export functionality to facilitate access requests
  • Right to Rectification: Users can update their profile information through the service
  • Right to Erasure: We provide account deletion functionality and will delete data upon request
  • Right to Data Portability: We export data in JSON format for portability
  • Right to Object: Users can disable specific data processing features
  • Right to Restrict Processing: We will support processing restrictions as instructed

For assistance with Data Subject requests, contact us at privacy@dxsignal.com

7. Data Breach Notification

In the event of a Personal Data breach, we will notify you without undue delay and within 72 hours of becoming aware of the breach. The notification will include:

  • Nature of the breach and categories of data affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact point for further information

8. Liability and Indemnification

8.1 Liability: Each party's liability arising out of or related to this DPA shall be subject to the limitations of liability in the Service Agreement.

8.2 Indemnification: We will indemnify you against claims by Data Subjects arising from our failure to comply with this DPA, subject to you providing prompt notice and reasonable cooperation.

9. Term and Termination

This DPA will commence on the date of the Service Agreement and will remain in effect for the duration of the Service Agreement. Upon termination:

  • We will delete or return all Personal Data within 30 days
  • Certification of deletion will be provided upon request
  • Data may be retained where required by applicable law

Annex A: Sub-processors

We currently engage the following sub-processors to provide the DXSignal service:

Sub-processor      Purpose                                  Location
Microsoft Azure    Cloud infrastructure and hosting         EU / US
Auth0 (Okta)       Authentication and identity management   US
Stripe             Payment processing                       US
Anthropic          AI-powered insights                      US

We will notify you of any changes to sub-processors at least 30 days in advance. You may object to the appointment of a new sub-processor on reasonable grounds.

Contact Information

Data Protection Officer:
Email: privacy@dxsignal.com

Address:
DXSignal
[Your Company Address]
[City, State, Country]

For questions about this DPA or our data processing practices, please contact our Data Protection Officer.

By using the DXSignal service, you acknowledge that you have read and agree to this Data Processing Agreement.