Data Processing Addendum (DPA)

Effective 2022-11-07 — forms part of your agreement with dill Tech Inc.

This DPA applies where dill Tech Inc. processes personal data on your behalf in providing the Services. It supplements the Terms of Service.

1) Roles & scope

You are the “Controller” and dill Tech Inc. is the “Processor”. This DPA governs Processor’s processing of personal data on Controller’s documented instructions as necessary to provide the Services.

2) Processor obligations

  • Process personal data only on documented instructions from Controller.
  • Ensure personnel are bound by confidentiality.
  • Implement appropriate technical and organizational security measures.
  • Assist Controller with data subject requests and impact assessments.
  • Notify Controller without undue delay of any personal data breach.
  • Delete or return personal data at termination, unless law requires storage.

3) Sub-processors

Controller authorizes engagement of sub-processors to support the Services. Processor will impose data protection terms no less protective than this DPA and remains responsible for their performance. A list can be provided upon request at privacy@usulid.com.

4) International transfers

Where personal data is transferred internationally, Processor will use lawful transfer mechanisms (e.g., EU/UK Standard Contractual Clauses). If SCCs apply, they are incorporated by reference with Controller as “data exporter” and Processor as “data importer” (Module 2).

5) Audit & compliance

On reasonable notice, Controller may request information necessary to demonstrate compliance. If information is insufficient, Processor will allow audits once per 12 months (or following a breach), subject to confidentiality and security policies.

6) Security measures (summary)

  • Encryption in transit, access controls, MFA for privileged access.
  • Backups, disaster recovery, and vulnerability management.
  • Logging, monitoring, and least-privilege role controls.

Detailed measures may be provided upon request at privacy@usulid.com.

7) Assistance with requests

Processor will assist Controller in responding to data subject requests and regulator inquiries, taking into account the nature of processing.

8) Liability & precedence

Each party’s liability under this DPA is subject to the limitations in the underlying agreement. If there is conflict between this DPA and the Terms, this DPA prevails to the extent of the conflict.

Annex 1 — Data processing details

  • Subject matter: Provision of the Services.
  • Duration: Term of the agreement.
  • Nature & purpose: Hosting, analysis, storage, support.
  • Data subjects: Users, customers, counterparties, staff.
  • Categories of data: Identification data (name, email), documents and metadata you upload, logs/usage data. Sensitive/special categories only if you choose to upload them.
  • Transfers: As needed for global service delivery, per Section 4.

Annex 2 — Security measures

Processor maintains administrative, physical, and technical measures appropriate to the risk, including (without limitation) TLS, access controls, encryption at rest where applicable, and secure development practices.

Contact

Privacy/DPA contact: privacy@usulid.com. Postal: 18-17 Grove St., Queens, New York.