Data Processing Agreement

1. Definitions

• “Controller” means the Client, the entity that determines the purposes and means of processing Personal Data.
• “Processor” means Flynaut LLC, which processes Personal Data on behalf of the Controller.
• “Personal Data” means any information relating to an identified or identifiable natural person, as defined by the GDPR (Article 4(1)), CCPA, or other applicable data protection law.
• “Processing” means any operation performed on Personal Data, including collection, recording, storage, use, disclosure, or destruction.
• “Sub-Processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

2. Scope and Purpose of Processing

This DPA applies to all Personal Data processed by the Processor on behalf of the Controller in connection with the Services. The Processor shall process Personal Data only to the extent necessary to perform the Services and only in accordance with the Controller's documented instructions.

3. Obligations of the Processor

3.1 Processing Instructions

• Process Personal Data only on documented instructions from the Controller
• Not process Personal Data for any purpose other than the specific purposes set forth in the MSA and this DPA
• Not sell Personal Data as defined by the CCPA or any other applicable law
• Not retain, use, or disclose Personal Data for any commercial purpose other than providing the Services

3.2 Confidentiality

All personnel authorized to process Personal Data have committed themselves to confidentiality obligations. Access is restricted to only those personnel who require access to perform the Services.

3.3 Security Measures

The Processor implements and maintains appropriate technical and organizational measures including:

• Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
• Multi-factor authentication for all systems that access Personal Data
• Role-based access control with least-privilege principles
• Regular vulnerability scanning and penetration testing
• Intrusion detection and prevention systems
• Security event logging and monitoring
• Documented incident response procedures
• Annual security awareness training for all personnel

4. Sub-Processors

4.1 Authorization

The Controller provides general written authorization for the Processor to engage Sub-Processors. The Processor shall maintain a current list of Sub-Processors.

4.2 Notification of Changes

The Processor shall notify the Controller at least 30 days before engaging a new Sub-Processor. The Controller may object within 14 days by providing reasonable grounds.

4.3 Current Sub-Processors

5. Data Subject Rights

The Processor shall promptly assist the Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection). The Processor shall notify the Controller within 48 hours of receiving a data subject request directly.

6. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach. The notification shall include a description of the breach, categories and number of data subjects affected, likely consequences, and measures taken to address it.

7. Audit Rights

The Controller may audit the Processor's compliance with this DPA upon 30 days' written notice, during normal business hours, no more than once per 12-month period. The Processor's current SOC 2 Type II report and ISO 27001 certificate satisfy routine audit requirements.

8. International Data Transfers

If Personal Data is transferred outside the Controller's jurisdiction, the Processor shall ensure appropriate transfer safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission.

9. Data Retention and Deletion

Upon termination or expiration of the Services, the Processor shall delete or return all Personal Data within 30 days at the Controller's election. The Processor shall provide written certification of deletion upon request.

10. Service-Specific Terms

10.1 OneProtect (Managed Security Services)

Security event data retained for a minimum of 13 months per SOC compliance. Incident investigation data retained for 2 years from incident closure. All OneProtect analysts undergo background checks.

10.2 AI and Data Services

• ML models trained on Controller's data only with explicit written consent
• Models trained on Controller's data are owned by the Controller
• Processor does not use Controller's data to improve its own AI products
• Data used for AI training is isolated from other client environments

10.3 Cloud and Infrastructure Services

Data residency requirements specified per engagement. Processor does not migrate data across regions without Controller's written consent. Infrastructure configurations are documented and version-controlled.

10.4 Application Development

Source code and application data are the Controller's intellectual property. Processor retains no copies after project completion unless specified in the MSA. Development environments are isolated from production. Test data uses anonymized or synthetic data.

11. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the MSA.

12. Term and Termination

This DPA shall remain in effect for the duration of the MSA and for as long as the Processor continues to process Personal Data on behalf of the Controller.

13. Contact

Flynaut LLC
Attn: Privacy Team
Michigan, United States
Email: [email protected]