Legal / Document 07

Data Processing Agreement

When we process personal data on your behalf during an engagement, this agreement sets out how we do so — our roles, obligations, safeguards, and the commitments we make as your processor.

01

Purpose & roles

This Data Processing Agreement (“DPA”) describes how Mytrion Systems processes personal data on behalf of a client in connection with a consulting engagement. Where we process personal data that you control — for example, data contained in systems or documents you give us access to during an audit or architecture review — you act as the controller and we act as the processor. This DPA supplements our Terms of Service and the relevant Engagement Document and applies only to such processing.

02

Definitions

Terms such as “personal data,” “processing,” “controller,” “processor,” and “data subject” have the meanings given to them under applicable data-protection law. “Applicable law” means the data-protection and privacy laws that apply to the processing. “Sub-processor” means a third party engaged by us to process personal data on your behalf.

03

Scope of processing

The subject matter, duration, nature, and purpose of the processing are determined by the engagement. The nature of the processing is advisory support — reviewing, analyzing, and documenting systems and information so that we can provide recommendations. The personal data and categories of data subjects involved depend on what your environment contains and on the access you provide; typically this may include contact details and employment-related information of your personnel and, where relevant, information about your customers. We process personal data only to perform the engagement and only on your documented instructions.

04

Our obligations

As your processor, we will:

  • process personal data only on your documented instructions, including for transfers, unless required otherwise by law;
  • ensure that personnel authorized to process personal data are bound by appropriate confidentiality obligations;
  • implement and maintain appropriate technical and organizational security measures;
  • respect the conditions for engaging sub-processors set out below;
  • assist you, taking into account the nature of the processing, in responding to data-subject requests and in meeting your security, breach-notification, and assessment obligations; and
  • make available information reasonably necessary to demonstrate compliance with this DPA.

05

Your obligations

As controller, you are responsible for establishing a lawful basis for the processing, for the accuracy of the personal data you provide, and for ensuring that your instructions to us comply with applicable law. You will provide instructions that are lawful and will not require us to process personal data in a way that would cause us to breach applicable law.

06

Confidentiality

We treat all personal data processed under this DPA as confidential information. Access is limited to personnel who need it to perform the engagement, and those personnel are subject to confidentiality commitments. These obligations continue after the engagement ends. Our broader practices are described in our Security & Confidentiality Policy.

07

Security measures

We maintain technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to individuals. Measures may include access controls, least-privilege practices, encryption of data in transit where appropriate, secure storage, logging, and regular review of our safeguards.

08

Sub-processors

You provide general authorization for us to engage sub-processors to support the processing, such as reputable providers of secure storage and collaboration tools. Where we engage a sub-processor, we impose data-protection obligations substantially similar to those in this DPA, and we remain responsible for the sub-processor’s performance. We will inform you of intended changes concerning the addition or replacement of sub-processors and give you the opportunity to object on reasonable data-protection grounds.

09

Assistance & data-subject rights

Taking into account the nature of the processing, we will provide reasonable assistance to help you fulfill your obligation to respond to requests from data subjects exercising their rights, such as access, correction, deletion, restriction, and portability. If we receive a request directly from a data subject relating to your data, we will, where permitted, direct the request to you rather than responding ourselves.

10

Personal data breaches

If we become aware of a personal data breach affecting personal data we process on your behalf, we will notify you without undue delay after becoming aware of it and will provide information reasonably available to us to help you meet your notification obligations. We will take reasonable steps to investigate the breach, mitigate its effects, and prevent recurrence, and will cooperate with you in good faith.

11

Audits

On reasonable prior written notice, and subject to confidentiality and to reasonable limits on frequency and disruption, we will make available information necessary to demonstrate compliance with this DPA and will allow for and contribute to reasonable assessments. Where appropriate, we may satisfy audit requests by providing existing documentation describing our controls.

12

International transfers

We are based in the United States, and processing may take place there or in other locations where we or our sub-processors operate. Where personal data is transferred across borders, we will rely on a lawful transfer mechanism where one is required and will take steps to ensure the data remains protected consistent with applicable law and this DPA.

13

Return & deletion

On termination or expiry of the engagement, and at your choice, we will return or delete the personal data we process on your behalf, unless applicable law requires us to retain it. We may retain copies as required by law or within routine backups for a limited period, during which the data remains protected under this DPA and is deleted in the ordinary course of our backup cycle.

14

Contact

For matters relating to this Data Processing Agreement, contact Mytrion Systems:

Email

advisory@mytrionsystems.com

Address

401 South Fourth Street, Louisville, KY 40202

Phone

+1 502 517 4683

© 2026 Mytrion Systems. All rights reserved.