Data Processing Agreement
Version 1.0 · Effective February 12, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between PrivaBase (operated by Spoon Seller LLC, "Processor") and the customer ("Controller") and reflects the parties' agreement regarding the processing of personal data in accordance with GDPR Article 28.
1. Definitions
"Personal Data," "Processing," "Controller," "Processor," and "Data Subject" have the meanings given in the GDPR (Regulation (EU) 2016/679).
2. Scope and Purpose
The Processor will process Personal Data solely for the purpose of providing the PrivaBase compliance platform services as described in the Terms of Service, including:
- Compliance assessments and monitoring
- Document generation and management
- Data subject request processing
- Vendor risk assessments
- Cloud security scanning
- Audit preparation and evidence collection
3. Categories of Data
Data subjects: Controller's employees, customers, vendors, and end users as determined by the Controller.
Types of personal data: Names, email addresses, job titles, IP addresses, compliance records, system configuration data, and any personal data uploaded by the Controller to the platform.
4. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure that persons authorized to process have committed to confidentiality
- Implement appropriate technical and organizational security measures (see the Security page and Section 7 below)
- Assist the Controller in fulfilling data subject requests
- Delete or return all Personal Data upon termination of services
- Make available all information necessary to demonstrate compliance
- Allow for and contribute to audits and inspections
5. Sub-processing
The Controller authorizes the Processor to engage the subprocessors listed on the Processor's Subprocessors page. The Processor shall notify the Controller at least 30 days before adding or replacing a subprocessor. The Processor shall ensure each subprocessor is bound by written data protection obligations no less protective than those in this DPA.
6. International Transfers
Personal Data is processed in the United States. For transfers from the EEA/UK, the parties rely on the EU Standard Contractual Clauses (SCCs) as adopted by the European Commission. The SCCs are incorporated by reference into this DPA.
7. Security Measures
The Processor implements the technical and organizational measures described on the Processor's Security page, including:
- AES-256-GCM encryption for sensitive data at rest
- TLS 1.3 for data in transit
- Access controls and authentication
- Regular security assessments
- Audit logging and monitoring
8. Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
9. Data Retention and Deletion
Upon termination of services or upon the Controller's request, the Processor shall delete all Personal Data within 30 days, unless retention is required by applicable law. The Processor shall provide written confirmation of deletion upon request.
10. Term
This DPA shall remain in effect for the duration of the Processor's processing of Personal Data on behalf of the Controller and shall automatically terminate when the Processor no longer processes Personal Data on behalf of the Controller.
Request a Signed Copy
Enterprise customers can request a countersigned copy of this DPA. Email us with your company details and we'll return a signed copy within 5 business days.