Data Processing Addendum (DPA) – Overview
SafetyIntel signs a DPA when we process Client Personal Data as a processor under a Master Services Agreement or Statement of Work.
- Roles. Client = Controller; SafetyIntel = Processor (for client data) and Controller for website/marketing data.
- Scope. Processing is limited to providing the Services (concierge/referral, research, coordination, reporting).
- Security. We maintain encryption in transit and at rest, RBAC, logging/monitoring, least privilege, secure SDLC, and annual penetration testing.
- Subprocessors. We maintain a list available on request and provide 30 days’ prior notice of changes; clients may object on reasonable grounds.
- Transfers. EU/UK data transfers use SCCs and appropriate safeguards.
- Breach notification. We notify without undue delay and within 72 hours of becoming aware of a relevant personal-data breach.
- Deletion. After termination, we delete Client Personal Data following a short operational period (normally within 90 days), with backups/logs purged on their schedules.
- Audits. We provide reasonable evidence of controls and support audits under standard conditions (see DPA).
➡️ To receive the current DPA: email legal@SafetyIntel.org.