Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between SCM ("Processor," "we," "us") and the Customer ("Controller," "you") and governs the processing of personal data by SCM on behalf of the Customer.

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
• "Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.
• "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
• "Sub-processor" means any third party engaged by SCM to process Personal Data on behalf of the Controller.
• "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
• "Standard Contractual Clauses" (SCCs) means the contractual clauses adopted by the European Commission for international data transfers.

2. Scope and Purpose of Processing

2.1 Subject Matter

SCM processes Personal Data on behalf of the Controller solely to provide the SCM platform and related services as described in the Terms of Service.

2.2 Types of Personal Data

The following categories of Personal Data may be processed:

• Contact information (names, email addresses, phone numbers, addresses)
• Company information (company names, job titles, department)
• Communication content (emails, ticket content, notes)
• Activity data (interaction history, deal information, task assignments)
• Support data (ticket content, satisfaction survey responses)

2.3 Categories of Data Subjects

• Controller's employees and contractors
• Controller's customers and prospects
• Controller's business partners and vendors

2.4 Duration

Processing will continue for the duration of the subscription agreement plus the 90-day data export period following termination.

3. Obligations of the Processor

3.1 Processing Instructions

SCM will process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, SCM will inform the Controller of that legal requirement before processing, unless prohibited by law.

3.2 Confidentiality

SCM ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security Measures

SCM implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.3)
• Ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems
• Ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
• Regular testing, assessing, and evaluating the effectiveness of security measures
• Role-based access control and principle of least privilege
• Automated threat detection and intrusion prevention systems
• Employee security training and background checks
• Physical security controls at data center facilities

3.4 Sub-processors

SCM will not engage another processor without prior written authorization from the Controller. SCM will inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.

Current sub-processors are listed at usescm.com/legal/sub-processors (to be published).

3.5 Data Subject Rights

SCM will assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR (access, rectification, erasure, restriction, portability, objection). SCM will notify the Controller promptly of any request received directly from a Data Subject.

3.6 Data Breach Notification

SCM will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach. The notification will include:

• Description of the nature of the breach
• Categories and approximate number of Data Subjects affected
• Categories and approximate number of Personal Data records affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach

3.7 Data Protection Impact Assessments

SCM will assist the Controller in ensuring compliance with the Controller's obligations regarding data protection impact assessments and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to SCM.

4. Data Transfers

4.1 Location of Processing

Personal Data is processed primarily within the European Economic Area (EEA) and the United States. SCM will inform the Controller of any transfers outside the EEA and ensure appropriate safeguards are in place.

4.2 Transfer Mechanisms

For transfers outside the EEA, SCM relies on:

• Standard Contractual Clauses (SCCs) as adopted by the European Commission
• Adequacy decisions by the European Commission where applicable
• Supplementary measures as necessary to ensure essentially equivalent protection

5. Audits

SCM will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Such audits will be conducted with reasonable advance notice and during normal business hours, and will not unreasonably interfere with SCM's operations.

6. Deletion and Return of Data

Upon termination of the subscription, SCM will:

• Provide 90 days for the Controller to export all Personal Data in standard formats
• After the export period, delete all Personal Data from production systems within 30 days
• Delete all Personal Data from backup systems within 90 days of the export period
• Provide written confirmation of deletion upon request

7. Controller's Obligations

The Controller warrants that:

• It has a lawful basis for the processing of Personal Data
• It has provided appropriate notice to Data Subjects regarding the processing
• It has obtained necessary consents where required
• Its instructions to SCM are lawful and comply with applicable data protection laws

8. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service.

9. Governing Law

This DPA is governed by the same law governing the Terms of Service, except that issues specific to GDPR compliance are governed by EU law.

10. Contact

For DPA-related inquiries:

SCM — Data Protection Officer
Email: dpo@usescm.com