This Data Processing Agreement ("DPA") is made between DutchTexan ("DutchTexan") and the entity using our services ("Account"). This DPA outlines the terms regarding how DutchTexan processes personal data on behalf of the Account in relation to the services provided under our Terms of Service agreement ("Agreement").

This DPA is part of the Agreement and takes effect upon signing or as specified in the Agreement. In case of any inconsistencies between this DPA and the Agreement, this DPA will prevail concerning data processing matters.

Definitions

- CCPA: Refers to the California Consumer Privacy Act, including its amendments.

- California Personal Information: Personal Data protected under the CCPA.

- Terms such as Controller, Processor, Data Subject, and others are defined as per Data Protection Laws.

- Account Personal Data: Identifiable information contained in Account Data under the Agreement.

- Data Protection Laws: Global laws governing data protection and privacy that apply to the data processing activities under the Agreement.

- Europe: Includes the EU, EEA, Switzerland, and the UK.

- European Data: Personal Data protected under European data laws.

- European Data Protection Laws: Includes GDPR and related laws applicable in Europe.

- GDPR: The EU General Data Protection Regulation and its UK version.

- Standard Contractual Clauses: Legal clauses ensuring data protection during international transfers.

- UK Addendum: A supplement for international data transfers, issued by the UK authority.

Compliance

Both parties commit to adhering to all applicable Data Protection Laws, which this DPA complements but does not replace.

Controller/Processor Roles

DutchTexan acts as a processor of Account Personal Data on behalf of the Account, which functions as a controller or processor.

Consents

The Account ensures it has obtained necessary consents for data transfer to DutchTexan, indemnifying DutchTexan against any failures to comply.

Processing Scope and Purpose

Annex A details the processing scope, purpose, data types, and data subjects involved in the data handled by DutchTexan.

Instructions from Account

DutchTexan processes data only per the Account's instructions unless legally required otherwise, in which case DutchTexan informs the Account if allowed.

Personnel Access

DutchTexan restricts data access to authorized personnel bound by confidentiality obligations.

Security Measures

DutchTexan implements technical and organizational security measures appropriate to the risk level, considering potential data breaches.

Use of Subprocessors

The Account agrees that DutchTexan may use Subprocessors with equivalent data protection obligations. DutchTexan remains responsible for Subprocessor compliance.

Data Subject Rights

DutchTexan assists the Account in handling requests from Data Subjects as required by data protection laws.

Breach Notification

DutchTexan promptly notifies the Account of any data breaches, providing information for necessary reporting and mitigation.

Data Protection Impact Assessments

DutchTexan supports the Account in conducting impact assessments and consultations required by data protection authorities.

Data Deletion or Return

Upon request, DutchTexan will delete or return Account Personal Data after service termination, unless otherwise required by law.

Audit Rights

DutchTexan facilitates audits to demonstrate compliance, with reasonable notice from the Account.

International Data Transfers

DutchTexan may transfer data outside Europe while ensuring compliance with data protection requirements through safeguards like Standard Contractual Clauses.

General Terms

This DPA is governed by Delaware law, with disputes resolved in Delaware courts.

Annex A: Processing Details

Parties: Data exporter is the Account; data importer is DutchTexan.

Processing Description: Covers data types, processing purposes, and duration related to DutchTexan services.

Annex B: Security Measures

Access Control: Strict access management.

Encryption: Data encrypted in transit and at rest.

Data Minimization: Collecting only necessary data.

Security Audits: Regular assessments and penetration tests.

Incident Response: Plans for addressing data breaches.

Employee Training: Ongoing data protection education.

Physical Security: Secure data facilities.

Backup and Recovery: Robust data protection and recovery plans.

Vendor Management: Ensuring Subprocessors meet standards.

Annex C: Subprocessors

Authorized Subprocessors include:

- Google Cloud Services

- Amazon Web Services

- Twilio, and others as listed.