Data Processing Agreement - Remova

1. Purpose and Scope

This Data Processing Agreement ("DPA") forms part of the Master Service Agreement between Remova.org ("Processor") and the Client ("Controller") for the provision of privacy protection services. This DPA governs the processing of Personal Data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable privacy regulations.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person.

"Controller" means the Client who determines the purposes and means of processing Personal Data.

"Processor" means Remova.org, which processes Personal Data on behalf of the Controller.

"Data Subject" means the individual to whom Personal Data relates.

"Processing" has the meaning given in applicable data protection laws.

3. Data Processing Details

3.1 Subject Matter and Duration

The subject matter of processing is the provision of privacy protection services including CBP confidentiality filings, data removal services, and monitoring. The duration of processing is for the term of the service agreement plus any retention period required by law.

3.2 Nature and Purpose of Processing

Processing activities include:

Collection and storage of company and contact information
Filing confidentiality requests with government agencies
Submitting takedown requests to data brokers
Monitoring public databases and platforms for data exposure
Generating reports and analytics on privacy protection status

3.3 Categories of Personal Data

Business contact information (names, email addresses, phone numbers)
Company information and trade data
Professional titles and business relationships
Communication records and service interactions

3.4 Categories of Data Subjects

Client company employees and representatives
Business partners and suppliers mentioned in trade data
Individuals associated with company trade activities

4. Processor Obligations

4.1 Processing Instructions

Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries, unless required to do so by applicable law.

4.2 Confidentiality

Processor ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security Measures

Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Encryption of Personal Data in transit and at rest
Regular security assessments and penetration testing
Access controls and authentication mechanisms
Regular backup and disaster recovery procedures
Employee training on data protection and security

4.4 Sub-processing

Processor may engage sub-processors with Controller's general authorization. Current sub-processors include:

Cloud hosting providers (AWS, Google Cloud) - Infrastructure
Email service providers - Communications
Legal service providers - CBP filings and legal compliance

5. Data Subject Rights

Processor shall assist Controller in fulfilling its obligations to respond to requests for exercising Data Subject rights, including:

Right of access and data portability
Right to rectification and erasure
Right to restriction of processing
Right to object to processing

6. Data Breach Notification

Processor shall notify Controller without undue delay after becoming aware of a personal data breach, and in any case within 24 hours. The notification shall include available information about the breach, its likely consequences, and measures taken or proposed to address the breach.

7. International Transfers

Any transfer of Personal Data to third countries shall be subject to appropriate safeguards, including Standard Contractual Clauses approved by the European Commission or other legally recognized transfer mechanisms.

8. Data Retention and Deletion

Upon termination of services, Processor shall, at Controller's choice, return or delete all Personal Data, except where retention is required by applicable law. Deletion shall be completed within 90 days of termination.

9. Audits and Compliance

Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller, upon reasonable notice and during business hours.

10. Liability and Indemnification

Each party's liability for damages arising from any breach of this DPA shall be subject to the limitation of liability provisions in the Master Service Agreement. Processor shall indemnify Controller against claims arising from Processor's breach of this DPA.

11. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of Delaware, United States. For EU clients, any disputes relating to data protection matters shall be subject to the jurisdiction of the courts in the EU Member State where the Controller is established.

12. Amendments and Effective Date

This DPA may only be amended in writing signed by both parties. This DPA is effective as of the date of execution and shall remain in effect for the duration of the Master Service Agreement.

Data Processing Agreement (DPA)

Ready to Sign