Data Processing Agreement

Effective Date: 4/23/25

Last Updated: April 23, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written or electronic agreement between CHERISHED SOLUTIONS, LLC ("Processor") and the user or customer ("Controller") for the provision of services ("Services") that may involve the processing of personal data.


This DPA is designed to comply with data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA), as applicable.


1. DEFINITIONS


  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject").


  • "Processing" means any operation performed on Personal Data, such as collection, storage, use, or disclosure.


  • "Data Protection Laws" means all laws relating to data protection and privacy applicable to the Processing of Personal Data under this DPA.


  • "Data Subject Request" means a request from a Data Subject to exercise their rights under Data Protection Laws.


  • "Supervisory Authority" means an independent public authority responsible for monitoring the application of Data Protection Laws.


2. PROCESSING OF PERSONAL DATA


2.1 Processor's Obligations


Processor shall:


  • Process Personal Data only on documented instructions from Controller


  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations


  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk


  • Assist Controller in complying with obligations to respond to Data Subject Requests


  • Assist Controller in ensuring compliance with security, data breach notification, and impact assessment obligations


  • Delete or return all Personal Data after the end of the provision of Services


  • Make available to Controller all information necessary to demonstrate compliance with this DPA

2.2 Details of Processing


  • Subject Matter: The provision of Services by Processor to Controller.


  • Duration: The duration of the Services agreement.


  • Nature and Purpose: Processing necessary to provide the Services.


  • Categories of Data Subjects: Controller's users, customers, prospects, employees, suppliers, and other individuals whose Personal Data may be processed.


  • Types of Personal Data: Contact information, account details, transaction history, and other data provided or generated through use of the Services.


3. SUB-PROCESSORS


3.1 Authorization


Controller authorizes Processor to engage sub-processors to perform specific processing activities, provided that Processor:

  • Conducts appropriate due diligence on sub-processors


  • Enters into written agreements with sub-processors with data protection terms no less protective than this DPA


  • Remains fully liable for the performance of sub-processors

3.2 Changes to Sub-processors


Processor shall inform Controller of any intended changes concerning the addition or replacement of sub-processors, giving Controller the opportunity to object to such changes.


4. DATA TRANSFERS


4.1 Cross-Border Transfers


For transfers of Personal Data from the European Economic Area, UK, or Switzerland to countries not deemed to provide adequate protection, Processor shall implement appropriate safeguards such as Standard Contractual Clauses or other valid transfer mechanisms.


5. DATA SUBJECT RIGHTS


5.1 Assistance with Data Subject Requests


Processor shall assist Controller in responding to Data Subject Requests through appropriate technical and organizational measures.


5.2 Direct Requests


If Processor receives a Data Subject Request directly, it shall promptly inform Controller and not respond without Controller's prior authorization.


6. PERSONAL DATA BREACH


6.1 Notification


Processor shall notify Controller without undue delay after becoming aware of a Personal Data breach and shall provide relevant information to assist Controller in meeting any notification obligations.


6.2 Remediation


Processor shall take reasonable steps to identify the cause of a breach and to remediate the cause to prevent recurrence.


7. DATA PROTECTION IMPACT ASSESSMENTS


Processor shall provide reasonable assistance to Controller with any data protection impact assessments and prior consultations with Supervisory Authorities.


8. DELETION OR RETURN OF DATA


Upon termination of Services, Processor shall delete or return all Personal Data as requested by Controller and delete existing copies unless retention is required by law.


9. AUDIT RIGHTS


Controller may audit Processor's compliance with this DPA by requesting relevant documentation or certifications.


10. MODIFICATIONS TO THIS DPA


We reserve the right to modify this DPA as required to comply with applicable laws or regulations, or to address new or amended data processing activities. Controller will be notified of any material changes to this DPA.


11. CONTACT INFORMATION


For questions about this Data Processing Agreement, please contact:


CHERISHED SOLUTIONS, LLC


Email: [email protected]


Phone: (720) 704-1585

© 2025 Cherished Solutions, LLC