Last updated: 11/9/2025
This DPA forms part of the agreement between the customer ("Controller") and Direct Signal ("Processor") for the provision of the Service. It governs Processor's processing of personal data on behalf of Controller and is intended to satisfy requirements of GDPR/UK GDPR and similar laws.
Processor will process Customer Data solely to provide and improve the Service, for the term of the agreement, and shall delete or return Customer Data upon termination subject to agreed retention periods.
Controller determines the purposes and means of processing. Processor will process Customer Data only on documented instructions from Controller, unless required by law, in which case Processor will notify Controller (unless legally prohibited).
Processor ensures persons authorized to process Customer Data are bound by confidentiality and implements appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Controller provides general authorization for Processor to engage sub‑processors. Processor will maintain a list of sub‑processors upon request and impose data protection obligations no less protective than those in this DPA. Processor will notify Controller of material changes and allow objection for reasonable, documented grounds; Controller’s sole remedy for objection is to terminate affected services.
Where required, the parties agree the EU/UK Standard Contractual Clauses (controller‑to‑processor module) are incorporated by reference, with Direct Signal as Processor and Customer as Controller, and supplementary safeguards applied as appropriate.
Taking into account the nature of processing, Processor will reasonably assist Controller with data subject requests and security obligations (Articles 32‑36 GDPR). Processor may charge reasonable fees for excessive or unfounded requests.
Processor will notify Controller without undue delay after becoming aware of a personal data breach and provide available information to assist Controller in meeting breach reporting obligations.
Upon reasonable prior written notice, Processor will make available information necessary to demonstrate compliance and allow audits by Controller or an independent auditor, limited to once annually (or more frequently if required by law). Audits must not unreasonably disrupt Processor’s business and may be satisfied by third‑party certifications.
Each party’s aggregate liability arising from or in connection with this DPA is limited as set forth in the main agreement. Controller will indemnify, defend, and hold harmless Processor from claims arising from Controller’s instructions, configurations, or unlawful data provided to the Service.
Upon termination, Processor will delete Customer Data from active systems within a commercially reasonable period, except where retention is required by law or for backup integrity, in which case data will be isolated and securely deleted on the next cycle.