Legal
Last updated: June 1, 2026
This Data Processing Agreement (the “DPA”) is entered into by and between SyntheticPulse Inc. (“Processor”) and the entity or individual that has executed the agreement governing the use of the SyntheticPulse platform (“Controller”), and forms an integral part of the Terms of Service or Master Subscription Agreement between the parties (the “Agreement”).
The Controller acts as a data controller or business, and the Processor acts as a data processor or service provider, in respect of the processing of personal data under the Agreement. The parties intend this DPA to comply with and reflect the requirements of applicable data protection legislation, including Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”), the UK Data Protection Act 2018 and the UK GDPR, and the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (“CCPA/CPRA”), to the extent applicable.
RECITALS
Whereas:
(A) The Controller wishes to subscribe to the Bijani Labs platform for the purpose of generating synthetic consumer intelligence, simulations, and reports (the “Services”).
(B) In providing the Services, the Processor may process personal data on behalf of the Controller.
(C) The parties agree that the Processor shall process such personal data only in accordance with the Controller’s documented instructions and this DPA.
(D) Each party acknowledges that this DPA is necessary to meet the requirements of applicable data protection laws and to protect the rights of data subjects.
1.1 “Applicable Data Protection Law” means all laws, regulations, and regulatory requirements applicable to the processing of personal data under this DPA, including but not limited to the GDPR, UK GDPR, CCPA/CPRA, and any other national implementing legislation.
1.2 “Controller” means the entity that determines the purposes and means of the processing of personal data, as defined in Article 4(7) of the GDPR, and includes “business” as defined under the CCPA/CPRA.
1.3 “Data Subject” means an identified or identifiable natural person whose personal data is processed under this DPA, as defined in Article 4(1) of the GDPR, and includes “consumer” as defined under the CCPA/CPRA.
1.4 “Personal Data” means any information relating to a Data Subject that is processed under this DPA, as defined in Article 4(1) of the GDPR, and includes “personal information” as defined under the CCPA/CPRA.
1.5 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed by the Processor.
1.6 “Processing” means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, or erasure.
1.7 “Processor” means the entity that processes personal data on behalf of the Controller, as defined in Article 4(8) of the GDPR, and includes “service provider” as defined under the CCPA/CPRA.
1.8 “SCCs” means the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, or any successor mechanism.
1.9 “Sub-processor” means any natural or legal person engaged by the Processor to process personal data on behalf of the Controller in connection with the Services.
1.10 “Supervisory Authority” means an independent public authority established by an EU Member State, the UK Information Commissioner’s Office, or other competent regulator with jurisdiction over data protection matters.
2.1 This DPA applies to all processing of personal data carried out by the Processor on behalf of the Controller in connection with the Services. The term of this DPA shall commence on the earlier of (a) the date the Controller first accesses the Services or (b) the date the Agreement is signed, and shall continue until the later of (c) the termination of the Agreement or (d) the date on which all personal data has been deleted or returned in accordance with Section 9 (the “Term”).
2.2 The categories of personal data processed, the categories of data subjects, the nature and purpose of processing, and the retention periods are described in Schedule 1 (Processing Details) attached hereto. The Processor shall process personal data only for the duration necessary to provide the Services, unless otherwise required by applicable law.
2.3 This DPA survives termination or expiration of the Agreement for so long as the Processor continues to process or retain any personal data on behalf of the Controller.
3.1 The Processor shall process personal data only on the documented instructions of the Controller, unless required to do otherwise by applicable law (in which case the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest).
3.2 The Controller’s instructions for processing are set out in the Agreement, this DPA, and the Controller’s use of the Services through the Bijani Labs platform interface and APIs. The Controller may provide additional documented instructions consistent with the scope of the Agreement by submitting a support request through the SyntheticPulse platform or by written notice to the Processor.
3.3 The Controller warrants that it has obtained all necessary consents, permissions, and authorizations required under Applicable Data Protection Law for the Processor to process personal data in accordance with this DPA. The Controller shall indemnify the Processor against any claims, losses, or damages arising from the Controller’s failure to comply with this warranty.
3.4 The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes Applicable Data Protection Law. In such circumstances, the Processor shall be entitled to suspend the execution of the relevant instruction pending the Controller’s revised instructions.
3.5 The Processor shall maintain a written record of all processing activities carried out on behalf of the Controller as required under Article 30(2) of the GDPR and shall make such record available to the Controller upon reasonable request.
4.1 The Processor shall ensure that any person authorized to process personal data on its behalf (including its employees, agents, contractors, and Sub-processors) is subject to a binding obligation of confidentiality, whether by contract, statutory obligation, or equivalent legal mechanism.
4.2 The Processor shall ensure that access to personal data is limited to those individuals who require such access to perform the Services. The Processor shall maintain a current list of roles and categories of personnel authorized to access personal data and shall provide such list to the Controller upon request.
4.3 The confidentiality obligation set forth in this Section 4 shall survive termination of this DPA and continue indefinitely with respect to any personal data that remains in the Processor’s possession or control.
5.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to the risk, including all measures described in Schedule 2 (Security Measures) attached hereto.
5.2 At a minimum, the Processor shall maintain the following security measures:
(a) Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), least-privilege principles, and periodic access reviews for all systems processing personal data.
(b) Encryption: Encryption of personal data at rest using AES-256 or equivalent industry-standard algorithms, and encryption of data in transit using TLS 1.2 or higher. Encryption keys are managed through a hardware security module (HSM) or equivalent key management service.
(c) Network Security: Firewalls, intrusion detection and prevention systems (IDPS), network segmentation, DDoS protection, and regular vulnerability scanning of all production systems.
(d) Pseudonymization & Anonymization: Where technically feasible, the Processor shall apply pseudonymization or anonymization techniques to personal data to reduce the risk of re-identification.
(e) Logging & Monitoring: Comprehensive audit logging of all access to and operations on personal data, with centralized log aggregation, real-time alerting, and retention of logs for a minimum of twelve (12) months.
(f) Business Continuity & Disaster Recovery: Automated backups at least every twenty-four (24) hours, with encrypted backup storage in a separate geographic region. The Processor maintains a business continuity plan (BCP) and disaster recovery plan (DRP) tested at least annually.
(g) Vulnerability Management: Regular penetration testing conducted at least annually by independent third-party assessors, automated vulnerability scanning on a continuous basis, and a structured patch management program with defined SLAs for remediation.
(h) Security Incident Management: A documented incident response plan that includes procedures for detection, containment, eradication, recovery, and post-incident review. The incident response team is on-call 24/7/365.
(i) Personnel Security: Background verification checks for all employees with access to personal data, annual security and data protection training for all personnel, and mandatory privacy awareness training upon hire.
(j) Physical Security: Data center physical access controls including biometric authentication, 24/7 video surveillance, on-site security personnel, and multi-factor access procedures at all facilities hosting personal data.
5.3 The Processor shall regularly test, assess, and evaluate the effectiveness of these security measures. The Processor may update or modify these measures from time to time provided that such updates do not materially reduce the level of protection afforded to personal data.
6.1 The Processor shall notify the Controller without undue delay and, in any event, within twenty-four (24) hours of becoming aware of a Personal Data Breach affecting personal data processed on behalf of the Controller. Such notification shall be sent to the Controller’s designated security contact via the email address provided in the Controller’s account settings or by alternative means if the Controller’s primary contact is unavailable.
6.2 The notification shall include, to the extent available at the time of notification and updated as further information becomes known:
(a) a description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate volume of personal data records affected;
(b) the name and contact details of the Processor’s data protection officer or other point of contact from whom further information may be obtained;
(c) a description of the likely consequences of the Personal Data Breach; and
(d) a description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including measures to mitigate its potential adverse effects.
6.3 The Processor shall cooperate fully with the Controller in connection with any notification obligations the Controller may have to a Supervisory Authority or affected data subjects under Applicable Data Protection Law, including providing all information reasonably requested by the Controller in connection with such notifications.
6.4 The Processor shall document all Personal Data Breaches in accordance with Article 33(5) of the GDPR, including the facts relating to the breach, its effects, and the remedial action taken. Such documentation shall be made available to the Controller and any Supervisory Authority upon request.
7.1 The Controller is solely responsible for responding to requests from data subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure (“right to be forgotten”), restriction of processing, data portability, objection, and rights relating to automated decision-making and profiling.
7.2 To the extent that a data subject makes a request directly to the Processor, the Processor shall promptly forward the request to the Controller within forty-eight (48) hours and shall provide the Controller with the data subject’s identity and contact information, the nature of the request, and the date of receipt.
7.3 The Processor shall assist the Controller by implementing appropriate technical and organizational measures to fulfill the Controller’s obligation to respond to data subject requests. Such assistance shall include, where applicable:
(a) providing the Controller with the ability to access, rectify, export, or delete personal data through the Bijani Labs platform interface and APIs;
(b) responding promptly to Controller requests for data subject information that cannot be accessed through the platform interface, including searches across backup and archival systems;
(c) providing technical support for data portability requests by exporting personal data in a structured, commonly used, machine-readable format (e.g., JSON or CSV); and
(d) implementing technical measures to enable the Controller to comply with requests for restriction of processing or objection to processing, including temporary suspension of processing for specific data subjects.
7.4 The Processor shall not respond to a data subject request on behalf of the Controller unless expressly authorized to do so in writing by the Controller. The Processor shall immediately inform the Controller if a data subject makes a request that cannot be fulfilled using the standard platform functionality, and the parties shall cooperate in good faith to determine an appropriate response.
8.1 The Processor shall provide reasonable assistance to the Controller in connection with any data protection impact assessment (DPIA) that the Controller is required to conduct under Article 35 of the GDPR, taking into account the nature of the processing and the information available to the Processor.
8.2 Such assistance shall include, upon the Controller’s written request and to the extent reasonably available:
(a) a description of the envisaged processing operations and the purposes of processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Controller’s objectives;
(c) information regarding the technical and organizational security measures implemented by the Processor pursuant to Section 5 and Schedule 2;
(d) information regarding Sub-processors engaged by the Processor pursuant to Section 11; and
(e) any other information reasonably necessary for the Controller to assess the risks to the rights and freedoms of data subjects and to determine appropriate safeguards.
8.3 The Processor shall also assist the Controller with any prior consultation with a Supervisory Authority that the Controller is required to undertake under Article 36 of the GDPR or equivalent provisions of Applicable Data Protection Law, by providing relevant documentation and information about the Processor’s processing activities.
9.1 Upon termination or expiration of the Agreement or upon the Controller’s written request at any time (whichever occurs first), the Processor shall, at the Controller’s option, delete or return to the Controller all personal data processed on behalf of the Controller. The Processor shall complete such deletion or return within thirty (30) calendar days of the effective date of termination or receipt of the Controller’s written request, as applicable (the “Deletion Period”).
9.2 If the Controller elects return of personal data, the Processor shall provide the data in a structured, commonly used, machine-readable format (JSON or CSV) via secure file transfer or direct download link. The Processor shall ensure the integrity and usability of the returned data.
9.3 After the Deletion Period, the Processor shall delete all copies of personal data from its production systems, backup systems, disaster recovery systems, and any other storage media in its possession or control, unless applicable law requires continued retention. Where deletion from backup systems is not immediately technically feasible (e.g., tape archives), the Processor shall isolate such data from further processing and securely delete it within the next backup rotation cycle or within ninety (90) days, whichever is sooner.
9.4 The Processor shall provide the Controller with a written certification of deletion within fourteen (14) calendar days following completion of the deletion process, detailing the systems from which personal data has been deleted and confirming that no copies remain in the Processor’s possession or control.
9.5 Notwithstanding the foregoing, the Processor may retain personal data to the extent required by applicable law or regulation (including tax, anti-money laundering, and record-keeping requirements), provided that the Processor continues to treat such retained data in accordance with the terms of this DPA and Applicable Data Protection Law for so long as it is retained.
10.1 The Controller may, no more than once per calendar year (unless a Personal Data Breach has occurred or a Supervisory Authority has raised a concern regarding the Processor’s compliance), conduct an audit of the Processor’s compliance with this DPA. The Controller shall provide at least thirty (30) calendar days’ prior written notice of its intent to conduct an audit.
10.2 The audit shall be conducted during regular business hours, in a manner that minimizes disruption to the Processor’s operations, and at the Controller’s sole expense. The audit may be conducted by the Controller’s internal personnel or by an independent third-party auditor selected by the Controller and reasonably acceptable to the Processor. The auditor shall enter into a confidentiality agreement with the Processor prior to the audit.
10.3 The scope of the audit shall be limited to the Processor’s processing activities, security measures, and data handling practices directly relevant to the personal data processed on behalf of the Controller. The audit may include review of the Processor’s policies, procedures, records, and information systems, but shall not extend to the Processor’s systems or data relating to other customers.
10.4 In lieu of conducting its own audit, the Controller may accept the Processor’s SOC 2 Type II, ISO 27001, or equivalent independent third-party audit report as evidence of compliance with this DPA, provided such report is from the most recent audit period and is made available to the Controller upon execution of a non-disclosure agreement. If the Controller accepts such report, the Controller shall not be entitled to conduct a separate audit under this Section for the applicable audit period.
10.5 The Processor shall maintain all records of processing activities as required under Article 30 of the GDPR and shall make such records available to the Controller and any Supervisory Authority upon request.
11.1 The Controller provides general written authorization for the Processor to engage the Sub-processors listed below. The Processor shall remain fully liable to the Controller for the performance of each Sub-processor’s obligations and for any acts or omissions of its Sub-processors as if they were the Processor’s own acts or omissions.
11.2 Authorized Sub-processors:
(a) Amazon Web Services (AWS) — Cloud infrastructure, compute, and storage (United States, EU, Asia-Pacific). SOC 2, ISO 27001, FedRAMP.
(b) Google Cloud Platform (GCP) — Cloud infrastructure, AI/ML compute, and data analytics (United States, EU). SOC 2, ISO 27001, FedRAMP.
(c) Microsoft Azure — Cloud infrastructure and enterprise identity management (United States, EU). SOC 2, ISO 27001, FedRAMP.
(d) Vercel Inc. — Web application hosting and content delivery (United States, EU). SOC 2, ISO 27001.
(e) Stripe, Inc. — Payment processing for subscription billing (United States, EU). SOC 2, PCI DSS Level 1.
(f) Twilio Inc. (SendGrid) — Transactional email delivery and notifications (United States, EU). SOC 2, ISO 27001.
(g) Datadog, Inc. — Application performance monitoring and observability (United States, EU). SOC 2, ISO 27001.
(h) Elasticsearch (Elastic B.V.) — Search and log analytics infrastructure (United States, EU). SOC 2, ISO 27001.
(i) Snowflake Inc. — Data warehousing and analytics (United States, EU). SOC 2, ISO 27001.
(j) Cloudflare, Inc. — CDN, DDoS protection, and DNS resolution (global edge network). SOC 2, ISO 27001, FedRAMP.
12.1 The Processor shall provide the Controller with written notification at least thirty (30) calendar days prior to engaging any new Sub-processor or replacing an existing Sub-processor. Such notification shall be sent to the Controller’s designated point of contact via email and shall include the name and location of the proposed Sub-processor, a description of the processing services to be provided, and evidence of the Sub-processor’s compliance with Applicable Data Protection Law (including relevant certifications and audit reports).
12.2 The Controller may object to the engagement of a proposed Sub-processor within fourteen (14) calendar days of receiving the Processor’s notification (the “Objection Period”). Any objection must be based on reasonable grounds relating to the proposed Sub-processor’s inability to comply with Applicable Data Protection Law or provide adequate data protection safeguards.
12.3 If the Controller raises a valid objection within the Objection Period, the Processor shall not engage the proposed Sub-processor and shall work with the Controller in good faith to find a mutually acceptable resolution, which may include the Processor (a) selecting an alternative Sub-processor, (b) modifying the proposed Sub-processor’s contractual or security arrangements to address the Controller’s concerns, or (c) enabling the Controller to migrate to a different service configuration that avoids the disputed Sub-processor.
12.4 If the Processor cannot reasonably accommodate the Controller’s objection and no mutually acceptable resolution is reached within thirty (30) calendar days of the Processor’s receipt of the objection, the Controller may terminate the Agreement and this DPA without penalty upon written notice to the Processor.
12.5 The Processor shall ensure that each Sub-processor is contractually bound by data protection obligations that are at least as protective as those imposed on the Processor under this DPA, including obligations with respect to confidentiality, security, data breach notification, data subject rights, deletion, audits, and international transfers.
13.1 The Controller acknowledges that the Processor may transfer personal data to countries outside the European Economic Area (EEA), the United Kingdom, and Switzerland for the purpose of providing the Services, including to the United States and other jurisdictions where the Processor or its Sub-processors maintain facilities.
13.2 To the extent that any processing of personal data involves a transfer of personal data from the EEA, the United Kingdom, or Switzerland to a country that has not been deemed by the European Commission (or, in the case of the UK, the UK Secretary of State) to provide an adequate level of data protection, the parties agree that such transfers shall be governed by the SCCs (Module Two – Controller to Processor and Module Three – Processor to Processor, as applicable). The SCCs are deemed incorporated into this DPA by reference and shall be completed as follows:
(a) The optional docking clause (Clause 7) shall apply.
(b) In Clause 9 (Use of sub-processors), the option of general written authorization shall apply, and prior notice of at least thirty (30) calendar days shall be required for any changes.
(c) In Clause 11 (Redress), the optional language regarding independent dispute resolution shall not apply.
(d) The competent supervisory authority under Clause 13 shall be the Irish Data Protection Commission or the UK Information Commissioner’s Office, as applicable.
13.3 In the alternative to SCCs, where a valid adequacy decision under Article 45 of the GDPR applies to the recipient country (including the UK adequacy decision and the EU-US Data Privacy Framework), transfers shall be deemed to provide adequate safeguards and no additional transfer mechanism shall be required.
13.4 For transfers subject to the CCPA/CPRA, the Processor shall be deemed a “service provider” and shall not (a) retain, use, or disclose personal information for any purpose other than for the specific purpose of performing the Services, (b) retain, use, or disclose such information outside the direct business relationship between the parties, or (c) combine personal information received from the Controller with personal information received from or on behalf of any other entity, except as permitted by the CCPA/CPRA.
13.5 The Processor shall ensure that all Sub-processors are bound by SCCs or other valid transfer mechanisms with the Processor, and shall provide the Controller with copies of such agreements upon request (with commercial terms redacted).
14.1 Each party’s liability arising out of or related to this DPA, whether in contract, tort, or otherwise, shall be subject to the limitations of liability set forth in the Agreement. The Processor’s total aggregate liability for all claims arising under or in connection with this DPA (including claims relating to data protection, security breaches, and violations of Applicable Data Protection Law) shall be limited to the total fees paid or payable by the Controller to the Processor under the Agreement during the twelve (12) month period immediately preceding the event giving rise to such liability.
14.2 Nothing in this DPA shall limit or exclude either party’s liability for (a) death or personal injury caused by its negligence, (b) fraud or fraudulent misrepresentation, (c) any liability that cannot be excluded or limited under Applicable Data Protection Law, or (d) the Controller’s payment obligations under the Agreement.
14.3 The Controller shall indemnify and hold harmless the Processor and its Affiliates, officers, directors, employees, and agents from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable legal fees) arising out of or related to (a) the Controller’s breach of its obligations under this DPA or Applicable Data Protection Law, (b) the Controller’s instructions to the Processor that violate Applicable Data Protection Law, or (c) any dispute between the Controller and a data subject relating to the processing of personal data under this DPA.
14.4 The Processor shall indemnify and hold harmless the Controller and its Affiliates, officers, directors, employees, and agents from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable legal fees) arising out of or related to (a) the Processor’s breach of its obligations under this DPA or Applicable Data Protection Law, or (b) any act or omission of the Processor or its Sub-processors that results in a Personal Data Breach affecting personal data processed under this DPA.
15.1 This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without reference to its conflict of laws principles. However, where the GDPR or UK GDPR applies to the processing of personal data, the data protection provisions of the GDPR or UK GDPR shall take precedence over any conflicting provisions of Delaware law.
15.2 Any dispute arising out of or relating to this DPA that is not resolved by negotiation between the parties shall be subject to the exclusive jurisdiction of the courts located in Wilmington, Delaware, unless Applicable Data Protection Law requires that a dispute be brought before the courts of an EU Member State or the United Kingdom, in which case the parties submit to the jurisdiction of the Irish courts or the English courts, respectively.
15.3 Nothing in this DPA limits the rights of data subjects to bring proceedings before the competent courts or Supervisory Authorities as provided by Applicable Data Protection Law.
16.1 This DPA shall commence on the Effective Date and shall continue in full force and effect until the later of (a) termination of the Agreement or (b) the date on which all personal data has been deleted or returned in accordance with Section 9.
16.2 If the Controller terminates the Agreement pursuant to Section 12.4 (Sub-processor Change) or due to the Processor’s material breach of this DPA, the Processor shall refund to the Controller any prepaid fees for the remaining portion of the applicable subscription term.
16.3 The obligations set forth in Sections 4 (Confidentiality), 9 (Deletion & Return of Data), 14 (Liability & Indemnification), and 15 (Governing Law) shall survive termination or expiration of this DPA. Additionally, any rights or remedies accrued by either party prior to termination shall survive.
16.4 Upon termination of the Agreement for any reason, the Controller’s access to the Bijani Labs platform and the Services shall be suspended, and the Processor shall initiate the data deletion or return process described in Section 9.
17.1 The Processor’s Data Protection Officer (DPO) can be reached at all times using the following contact details:
Data Protection Officer
SyntheticPulse Inc.
100 Enterprise Lane, Suite 300
Wilmington, DE 19801, United States
Email: dpo@syntheticpulse.com
17.2 All data protection-related notices, requests, and communications under this DPA (including Personal Data Breach notifications, data subject requests, audit requests, and Sub-processor objections) shall be addressed to:
Legal & Compliance Team
Email: legal@syntheticpulse.com
Security: security@syntheticpulse.com
17.3 The Controller may update its designated contact and security contact information at any time through the Bijani Labs platform account settings or by written notice to the Processor.
SCHEDULE 1 – PROCESSING DETAILS
1. Categories of Data Subjects: The Controller’s employees, contractors, and authorized users who register for and use the SyntheticPulse platform; the Controller’s customers, clients, or research subjects whose data is uploaded to or processed through the platform; any individuals whose personal data is contained within persona definitions, survey responses, research inputs, or other materials uploaded by the Controller.
2. Categories of Personal Data: Account registration data (name, email address, job title, organization name, billing information); user-generated content including persona definitions, survey responses, research data, and analytical outputs; technical usage data (IP addresses, browser information, session metadata, API logs); any other personal data that the Controller elects to upload or submit in connection with the use of the Services.
3. Special Categories of Data (Sensitive Data): The Processor does not intentionally collect or process special categories of personal data (Article 9 GDPR) or criminal conviction data (Article 10 GDPR). The Controller warrants that it shall not upload, submit, or otherwise make available any special categories of personal data to the platform unless the Controller has obtained the data subject’s explicit consent or has another lawful basis for such processing and has put in place appropriate safeguards. The Processor shall not be liable for any processing of special categories of data uploaded in breach of this warranty.
4. Nature and Purpose of Processing: Provision of synthetic consumer intelligence services, including the generation of synthetic consumer personas, the simulation of consumer behavior and preferences, the analysis of survey data, the creation of research reports and dashboards, and related analytical and reporting services.
5. Retention Periods: Personal data is retained for the duration of the Agreement plus ninety (90) days following termination to facilitate data export. After this period, personal data is deleted in accordance with Section 9, subject to any applicable legal or regulatory retention requirements.
1. Data Center Security. All production infrastructure is hosted in SOC 2 Type II and ISO 27001 certified data centers operated by AWS, GCP, and Azure. Physical access is restricted by biometric authentication, 24/7 video surveillance, and on-site security personnel. Environmental controls include redundant power, climate control, and fire suppression systems.
2. Network Security. A multi-layer network architecture separates public, private, and management subnets. All traffic is filtered through stateful firewalls and Web Application Firewalls (WAF). DDoS protection is provided via Cloudflare. Intrusion detection and prevention systems monitor all network traffic. TLS 1.2+ is enforced for all data in transit, and mutual TLS is used for inter-service communication.
3. Access Control. Access to production systems requires MFA and is governed by RBAC with least-privilege principles. Access is provisioned through a centralized identity provider with automated de-provisioning upon role change or termination. All access is logged and reviewed on a quarterly basis.
4. Encryption. All personal data is encrypted at rest using AES-256, with customer-managed encryption keys (CMEK) available upon request. Data in transit is encrypted using TLS 1.2 or higher. Encryption keys are stored in an HSM-backed key management service with automatic rotation. Database encryption uses transparent data encryption (TDE) with separate keys per tenant.
5. Application Security. Code is reviewed through mandatory peer review processes. Static application security testing (SAST) and software composition analysis (SCA) are run on every code commit. Dynamic application security testing (DAST) is conducted weekly. Penetration tests are performed annually by independent third-party assessors, and results are reviewed by the security team with remediation tracked to closure.
6. Monitoring & Incident Response. All system events are centralized in a SIEM platform (Datadog) with real-time alerting and automated correlation rules. The incident response team maintains a 24/7/365 on-call rotation. Incident response procedures are tested through tabletop exercises at least twice per year.
7. Vulnerability Management. Continuous vulnerability scanning is performed across all production and development environments. Critical vulnerabilities are remediated within 24 hours, high-severity within 7 days, and medium-severity within 30 days. A bug bounty program is maintained to solicit external security research.
8. Business Continuity & Disaster Recovery. Automated encrypted backups are performed every 24 hours with cross-region replication. Recovery Point Objective (RPO) is 24 hours and Recovery Time Objective (RTO) is 4 hours for production systems. The BCP/DRP is tested annually, and test results are documented and reviewed by management.
9. Personnel Security. All employees undergo background verification checks prior to hire. Security and data protection training is mandatory upon hire and annually thereafter. Employees sign confidentiality agreements. Access to personal data is logged and auditable per individual.
10. Vendor & Sub-processor Management. All Sub-processors undergo a security review prior to engagement, including review of SOC 2, ISO 27001, or equivalent certifications. Sub-processor contracts include data protection obligations consistent with this DPA. Sub-processor compliance is reviewed on an annual basis.
The Standard Contractual Clauses (SCCs) adopted by the European Commission Implementing Decision (EU) 2021/914 are incorporated by reference into this DPA. The parties agree that where the transfer of personal data from the EEA, the United Kingdom, or Switzerland to a country without an adequacy decision requires SCCs, the SCCs shall apply as follows:
Module Two (Controller to Processor) applies where the Controller is a data controller and the Processor is a data processor.
Module Three (Processor to Processor) applies where the Processor engages a Sub-processor that processes personal data subject to the GDPR.
Data exporter: The Controller.
Data importer: SyntheticPulse Inc. (or the Sub-processor as applicable).
In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail to the extent of the conflict. Copies of the executed SCCs are available upon written request.