PrimoDato

This Data Processing Agreement ("DPA") forms part of the agreement between PrimoDato, Inc. ("Processor") and the customer entity that has entered into the PrimoDato Terms of Service or another governing services agreement ("Controller"). This DPA applies where PrimoDato processes Personal Data on behalf of the Controller in connection with the Services.

1. Definitions

For purposes of this DPA, "Controller," "Processor," "Personal Data," "Processing," "Data Subject," and "Supervisory Authority" have the meanings given in the GDPR. "Sub-processor" means any third party engaged by PrimoDato to Process Personal Data on behalf of the Controller in connection with the Services.

2. Scope and Purpose of Processing

PrimoDato will Process Personal Data solely as necessary to provide, secure, support, and maintain the Services, and only on the documented instructions of the Controller unless otherwise required by applicable law. The nature of the Processing may include collection, storage, organization, retrieval, export, deletion, and transmission in the course of delivering account administration, search, export, billing, support, and security functions.

3. PrimoDato's Obligations as Processor

Process Personal Data only on documented instructions from the Controller.
Ensure that persons authorized to Process Personal Data are bound by confidentiality obligations.
Implement appropriate technical and organizational security measures.
Assist the Controller with responding to data subject requests where required.
Make information reasonably necessary to demonstrate compliance available to the Controller.
Notify the Controller if an instruction infringes applicable data protection law, where legally permitted.

4. Sub-processors

The Controller authorizes PrimoDato to engage Sub-processors to support the delivery of the Services. PrimoDato remains responsible for the performance of its Sub-processors to the extent required by applicable law.

Approved Sub-processors include:

Paddle for payment processing and billing operations.
Vercel for hosting, deployment, and edge delivery services.
MongoDB Atlas for application logging and operational data storage.
Upstash Redis for rate limiting, caching, and operational controls.
Resend for transactional email delivery.
AWS for storage, backup, and supporting infrastructure services.

PrimoDato will provide notice of material Sub-processor changes through its website, customer portal, or other reasonable means. The Controller may raise reasonable objections grounded in data protection concerns within a commercially reasonable period after notice.

5. Data Subject Rights

Taking into account the nature of the Processing, PrimoDato will provide reasonable assistance to help the Controller respond to requests from Data Subjects to access, correct, delete, restrict, or port Personal Data, or to object to Processing, where the Controller cannot fulfill those obligations independently through the Services.

6. Security Measures

PrimoDato maintains technical and organizational measures designed to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures include, as appropriate:

TLS 1.2 or higher for data in transit.
AES-256 or equivalent encryption at rest on supported infrastructure.
Role-based access controls and least-privilege permissions.
Audit logging for administrative and sensitive actions.
Secure software deployment and secrets management controls.
Periodic review of authentication, backup, and incident response controls.

7. Personal Data Breaches

PrimoDato will notify the Controller without undue delay after becoming aware of a confirmed Personal Data Breach involving Personal Data Processed under this DPA. Where feasible, that notification will be made within 72 hours of confirmation and will include the information reasonably available to PrimoDato about the nature of the incident, likely consequences, and measures taken or proposed to address it.

8. Data Transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland to countries not subject to an adequacy decision, PrimoDato will implement an appropriate transfer mechanism, including the European Commission's Standard Contractual Clauses ("SCCs"), together with supplementary measures where appropriate.

9. Audit Rights

Upon reasonable written request and subject to confidentiality obligations, PrimoDato will make available information reasonably necessary to demonstrate compliance with this DPA. Where such information is insufficient and required by applicable law, the Controller may conduct or appoint an independent auditor to conduct a limited audit no more than once per year, during normal business hours, and in a manner that does not unreasonably disrupt PrimoDato operations or compromise the security of other customers.

10. Deletion/Return of Data

Upon termination or expiration of the Services, PrimoDato will, at the Controller's choice and subject to technical feasibility, delete or return Personal Data Processed under this DPA, unless retention is required by applicable law. Residual copies may remain in secure backups for a limited period until overwritten or deleted in the ordinary course.

11. Governing Law

This DPA is governed by the governing law provision of the underlying agreement, except to the extent required otherwise by the SCCs or applicable data protection law.