Data Processing Agreement

Introduction

This Data Processing Agreement ("DPA") forms part of the Agreement between Reblox Solutions LLC, doing business as PipeLime ("Processor" or "PipeLime"), and the Customer ("Controller") who has agreed to PipeLime's Terms of Service.

This DPA applies where and to the extent PipeLime processes Personal Data on behalf of the Customer in the course of providing the Service. This DPA is entered into in accordance with Article 28 of the General Data Protection Regulation (GDPR) and equivalent provisions under applicable data protection laws.

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data processing matters.

1. Scope and Roles

2. Details of Processing

3. Customer Instructions

PipeLime shall process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law. The Customer's instructions are defined by:

• The Terms of Service and this DPA
• The Customer's configuration and use of the Platform features
• Any additional written instructions provided by the Customer and agreed upon by PipeLime

PipeLime shall immediately inform the Customer if, in PipeLime's opinion, an instruction infringes applicable data protection law. PipeLime shall not be obligated to independently assess whether the Customer's instructions comply with applicable law.

4. Confidentiality

PipeLime shall ensure that all personnel authorized to process Personal Data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to personnel who require such access to perform their duties in connection with the Service.

5. Security Measures (Article 32)

PipeLime implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption: Encryption of Personal Data in transit (TLS/HTTPS) and at rest
• Access Controls: Role-based access controls, multi-factor authentication for administrative access, and the principle of least privilege
• Infrastructure Security: Hosting on secure cloud infrastructure with regular security updates and patching
• Monitoring: Continuous monitoring for security incidents, with automated alerts for suspicious activity
• Backup and Recovery: Regular data backups with tested recovery procedures to ensure availability and resilience
• Incident Response: Documented incident response procedures for handling security breaches
• Employee Training: Regular security awareness training for all personnel with access to Personal Data
• Audit Trail: Logging of access to and modifications of Personal Data for accountability and audit purposes

PipeLime shall regularly assess and improve these measures to account for evolving threats and technological developments.

6. Sub-Processors

The Customer provides general authorization for PipeLime to engage sub-processors to assist in providing the Service. PipeLime's current sub-processors are listed below:

Notification of changes: PipeLime shall notify the Customer at least 30 days before adding or replacing a sub-processor, providing the Customer an opportunity to object to the change. If the Customer objects on reasonable data protection grounds, and PipeLime cannot reasonably accommodate the objection, either party may terminate the affected services.

PipeLime shall impose on each sub-processor, by way of a written contract, data protection obligations that are no less protective than those set out in this DPA.

7. Assistance with Data Subject Rights

PipeLime shall assist the Customer in responding to data subject rights requests under applicable data protection law. Specifically:

• If PipeLime receives a data subject request directly, PipeLime shall promptly redirect the request to the Customer, unless legally prohibited from doing so
• PipeLime shall provide the Customer with reasonable technical and organizational assistance to fulfill data subject requests (access, rectification, erasure, restriction, portability, objection)
• PipeLime shall make available to the Customer the Personal Data necessary to respond to such requests within a reasonable timeframe

8. Data Breach Notification

PipeLime shall notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification shall include:

• A description of the nature of the breach, including the categories and approximate number of data subjects and records affected
• The name and contact details of the point of contact at PipeLime
• A description of the likely consequences of the breach
• A description of the measures taken or proposed to address the breach, including measures to mitigate its adverse effects

PipeLime shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

9. Data Protection Impact Assessment

Where required by applicable data protection law, PipeLime shall provide reasonable assistance to the Customer in carrying out a Data Protection Impact Assessment (DPIA) and, where necessary, prior consultation with the relevant supervisory authority, in each case solely in relation to processing carried out by PipeLime on behalf of the Customer.

10. Data Return and Deletion

Upon termination or expiration of the Customer's subscription:

• Data Export: The Customer may request an export of their data within 30 days of termination. PipeLime shall provide the data in a commonly used, machine-readable format.
• Data Deletion: After the 30-day post-termination retention period, PipeLime shall delete or anonymize all Customer Personal Data, including data held by sub-processors, unless retention is required by applicable law.
• Certification: Upon request, PipeLime shall provide written confirmation that Personal Data has been deleted.

11. Audits and Inspections

PipeLime shall make available to the Customer all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer, subject to the following conditions:

• The Customer shall provide at least 30 days' written notice of any audit
• Audits shall be conducted during normal business hours and shall not unreasonably interfere with PipeLime's operations
• The Customer shall bear the costs of any audit, unless the audit reveals a material breach of this DPA by PipeLime
• Auditors shall be bound by confidentiality obligations
• Audit frequency shall be limited to once per 12-month period, unless required by a supervisory authority or in response to a data breach

12. International Data Transfers

PipeLime is located in the United States. Where Personal Data originating from the European Economic Area (EEA), United Kingdom (UK), or Switzerland is transferred to the United States or other countries without an adequate level of data protection, PipeLime shall ensure that appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs): The European Commission-approved Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated into this DPA by reference and shall apply to transfers of Personal Data from the EEA to countries without adequacy decisions.
• UK International Data Transfer Addendum: For transfers from the UK, the UK International Data Transfer Addendum to the EU SCCs shall apply.
• Swiss Addendum: For transfers from Switzerland, the applicable Swiss data transfer mechanisms shall apply.
• Supplementary Measures: PipeLime implements supplementary technical measures (encryption, pseudonymization, access controls) and organizational measures (policies, training, contractual safeguards) to ensure an adequate level of protection for transferred data.

13. Term

This DPA shall remain in effect for the duration of the Customer's use of the Service and shall automatically terminate upon the completion of all processing activities and the deletion of all Personal Data as described in Section 10, unless applicable law requires continued retention.