Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") is entered into by and between Grable Auction Inc., operating as Zynous ("Processor"), and the Client ("Controller") to govern the processing of data in connection with Zynous SaaS services.
1. Introduction
This Data Processing Agreement ("DPA") is entered into by and between Grable Auction Inc., operating as Zynous ("Processor"), and the Client ("Controller") to govern the processing of data in connection with Zynous SaaS services.
2. Roles and Responsibilities
- Controller: The Client remains the Data Controller, responsible for the lawfulness, accuracy, and integrity of their data.
- Processor: Zynous acts as Data Processor, processing data strictly on behalf of and under instruction from the Controller.
3. Scope of Processing
Processor will process the following types of data:
- Social Media Page IDs
- Analytics data and performance metrics
- Post content (text, captions, timestamps, engagement metrics)
Purpose: To provide analytics, reporting, and content processing services via the Zynous SaaS platform.
4. Duration of Processing
This DPA remains in effect for the duration of the Client's engagement with Zynous. Data processing ceases upon termination or deletion request.
5. Sub-processors
Processor may engage the following sub-processors:
- Amazon Web Services (hosting infrastructure)
- Google Services (Gmail, Docs, Sheets for operational workflows)
Processor remains fully responsible for the actions of sub-processors and ensures they operate under appropriate security and confidentiality measures.
6. Security Measures
- Data is encrypted at rest using AWS KMS.
- Data is encrypted in transit via HTTPS/TLS.
- Access is restricted to authorized internal developers only.
- Administrative access requires local execution with JWT-based authentication.
- Audit logs are maintained and reviewed regularly.
7. Data Retention and Deletion
- Data is retained indefinitely unless a verified deletion request is submitted by the Client.
- Upon deletion request, Processor will securely erase all data in a timely manner.
- Backups containing deleted data are securely destroyed as soon as possible.
8. Client Rights
- Clients may request deletion, access, or clarification of their data.
- Data export is not currently supported but may be considered upon request.
- Processor will respond to rights requests in accordance with applicable law.
9. Breach Notification
In the event of a confirmed data breach affecting client data:
- Processor will promptly notify affected clients without undue delay.
- Processor will provide relevant information regarding the breach, mitigation steps, and remediation measures.
10. Confidentiality
Processor and its personnel shall keep all client data strictly confidential and shall not disclose it to unauthorized parties except as required by law or necessary to perform processing services.
11. Governing Law
This DPA is governed by the laws of Canada and applicable federal and state laws of the United States where clients are located.
12. Amendments
Any amendments to this DPA must be made in writing and signed by both parties. Processor may update procedures or sub-processors but remains responsible for compliance.
13. Entire Agreement
This DPA, together with the Privacy Policy, Terms of Use, and any other executed agreements, constitutes the full agreement regarding processing of client data.