Request a Signed DPA

For a pre-signed copy of this DPA for your records, or to execute a custom DPA, please contact our legal team.

Data Processing Agreement

Last updated: January 23, 2026

1. Definitions

In this Data Processing Agreement ("DPA"):

  • "Controller" means the Customer who determines the purposes and means of processing Personal Data.
  • "Processor" means The Devious LLC, processing Personal Data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data.
  • "Data Subject" means the individual whose Personal Data is processed.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.
  • "UK GDPR" means the GDPR as incorporated into UK law.

2. Scope and Purpose

This DPA applies when the Processor processes Personal Data on behalf of the Controller in connection with the Ferry service. The Processor will process Personal Data only as necessary to provide the data migration services described in the Terms of Service.

2.1 Categories of Data Subjects

Data subjects may include:

  • Controller's customers and clients
  • Controller's employees and staff
  • Controller's business contacts
  • Other individuals whose data is contained in uploaded files

2.2 Types of Personal Data

Personal Data processed may include:

  • Names and contact information
  • Email addresses
  • Phone numbers
  • Physical addresses
  • Account information
  • Transaction history
  • Other data contained in uploaded files

2.3 Processing Activities

Processing activities include:

  • File upload and storage
  • Data parsing and field mapping
  • AI-assisted data transformation
  • Webhook delivery to Controller's systems
  • Temporary storage during processing

3. Processor Obligations

The Processor agrees to:

3.1 Lawful Processing

  • Process Personal Data only on documented instructions from the Controller
  • Not process Personal Data for any purpose other than providing the Service
  • Inform the Controller if any instruction infringes data protection laws

3.2 Confidentiality

  • Ensure persons processing Personal Data are subject to confidentiality obligations
  • Not disclose Personal Data to third parties except as permitted by this DPA

3.3 Security Measures

Implement appropriate technical and organizational measures including:

  • Encryption of Personal Data in transit and at rest (TLS 1.3, AES-256)
  • Access controls and authentication
  • Regular security testing and vulnerability assessments
  • Incident response and business continuity procedures
  • Employee security training

3.4 Data Subject Rights

  • Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability)
  • Notify the Controller promptly of any Data Subject requests received directly
  • Not respond to Data Subject requests without Controller authorization

3.5 Data Breach Notification

  • Notify the Controller without undue delay (and within 48 hours) upon becoming aware of a Personal Data breach
  • Provide sufficient information for the Controller to meet its breach notification obligations
  • Cooperate with the Controller in investigating and remediating the breach

3.6 Deletion and Return

  • Upon termination, delete or return all Personal Data at the Controller's choice
  • Delete Personal Data within 30 days of termination unless legally required to retain
  • Provide certification of deletion upon request

3.7 Audit Rights

  • Make available information necessary to demonstrate compliance with this DPA
  • Allow for and contribute to audits conducted by the Controller or an auditor
  • Provide SOC 2 reports or equivalent certifications upon request

4. Sub-processors

4.1 Authorization

The Controller authorizes the Processor to engage Sub-processors to process Personal Data, subject to this Section 4.

4.2 Current Sub-processors

Sub-processor | Purpose | Location
Supabase, Inc. | Database and file storage | United States (AWS)
Anthropic, PBC | AI processing for field mapping | United States
Stripe, Inc. | Payment processing | United States
Cloudflare, Inc. | CDN and security | Global (edge locations)

4.3 New Sub-processors

  • The Processor will notify the Controller before engaging new Sub-processors
  • The Controller may object within 30 days on reasonable grounds
  • If the objection is not resolved, either party may terminate the affected services

4.4 Sub-processor Obligations

The Processor will ensure Sub-processors are bound by data protection obligations no less protective than those in this DPA.

5. International Transfers

5.1 Transfer Mechanisms

For transfers of Personal Data from the EEA, UK, or Switzerland to countries without adequate data protection, the Processor relies on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (IDTA) for UK transfers
  • Swiss-approved SCCs for Swiss transfers

5.2 Data Residency

Enterprise customers may request EU data residency, ensuring Personal Data is processed and stored exclusively within the European Economic Area.

6. Controller Obligations

The Controller agrees to:

  • Ensure it has a lawful basis for processing Personal Data
  • Provide appropriate notice to Data Subjects about the processing
  • Obtain necessary consents where required
  • Ensure the accuracy and quality of Personal Data uploaded
  • Comply with applicable data protection laws

7. Liability

Liability under this DPA is subject to the limitations set forth in the Terms of Service. Each party is liable for its own breaches of applicable data protection laws.

8. Term and Termination

This DPA is effective upon acceptance of the Terms of Service and remains in effect until the Terms are terminated. Obligations that by their nature should survive termination will survive.

9. Governing Law

This DPA is governed by the laws specified in the Terms of Service, except that GDPR and UK GDPR provisions are governed by EU and UK law respectively.

10. Contact

For questions about this DPA or to exercise rights under it, contact:

Standard Contractual Clauses

The EU Standard Contractual Clauses (Commission Decision 2021/914) are incorporated by reference into this DPA. For a complete copy of the SCCs with the applicable modules and annexes completed, please contact us.