Skip to main content

Data Processing Agreement

Effective: February 24, 2026Version 1.0

This Data Processing Agreement (“DPA”) supplements the Terms of Service (“Agreement”) between Ataraxia GRC, Inc. (“Processor”) and the customer entity identified in the Agreement (“Controller”). This DPA governs the processing of personal data by Processor on behalf of Controller in connection with the Service.

1. Definitions

  • “Controller” means the entity that determines the purposes and means of processing personal data (the Customer).
  • “Processor” means the entity that processes personal data on behalf of the Controller (Ataraxia GRC).
  • “Data Subject” means an identified or identifiable natural person whose personal data is processed.
  • “Personal Data” means any information relating to a Data Subject, as defined under applicable data protection laws.
  • “Processing” means any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, combination, erasure, or destruction.
  • “Subprocessor” means any third party engaged by Processor to process personal data on behalf of Controller.

2. Scope and Roles

This DPA applies to all processing of personal data by Processor on behalf of Controller in connection with the Service. Controller acts as the data controller, and Processor acts as the data processor. Processor shall process personal data only on documented instructions from Controller, except where required by applicable law.

3. Processing Purposes

Processor shall process personal data solely to provide the Service as described in the Agreement, including:

  • Account management and authentication
  • Compliance assessment and SPRS score calculation
  • Document generation (SSPs, POA&Ms, policies)
  • AI-powered compliance guidance and copilot features
  • Email communications (transactional and support)
  • Payment processing (via Stripe)
  • Service improvement through anonymized analytics

4. Subprocessors

Controller authorizes Processor to engage the subprocessors listed at ataraxiagrc.com/subprocessors. Processor shall:

  • Provide at least 30 days’ prior written notice before adding or replacing a subprocessor
  • Ensure each subprocessor is bound by data protection obligations no less protective than those in this DPA
  • Remain fully liable for the acts and omissions of its subprocessors

If Controller objects to a new subprocessor, Controller may terminate the Agreement within 30 days of notification, and Processor will provide a pro-rata refund of prepaid fees.

5. Security Measures

Processor implements and maintains appropriate technical and organizational measures to protect personal data, including:

  • Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls: Row-level security, role-based access control, multi-factor authentication
  • Audit logging: Comprehensive logging of access and state changes for compliance review
  • Incident response: Documented procedures for identifying, containing, and resolving security incidents
  • Employee training: Security awareness training for all personnel with access to personal data
  • Vulnerability management: Regular security updates and dependency monitoring

6. Data Breach Notification

Processor shall notify Controller without undue delay, and in any event within 72 hours after becoming aware of a personal data breach. The notification shall include:

  • A description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach, including measures to mitigate its effects
  • Contact information for the Processor’s designated point of contact

7. Data Subject Requests

Processor shall promptly notify Controller upon receiving a request from a Data Subject to exercise their rights under applicable data protection law (access, rectification, erasure, portability, restriction, or objection). Processor shall assist Controller in responding to such requests through appropriate technical and organizational measures, insofar as this is possible.

8. Data Deletion

Upon termination of the Agreement, Processor shall:

  • Provide Controller with a 30-day window to export personal data
  • Delete all personal data within 90 days after the export window closes, unless retention is required by applicable law
  • Certify deletion in writing upon Controller’s request

Anonymized aggregate data that cannot be used to identify any individual may be retained indefinitely.

9. Audit Rights

Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA. Upon reasonable written request (no more than once per year), Processor shall:

  • Provide Controller with relevant compliance documentation, including security certifications and audit reports
  • Cooperate with reasonable audit or inspection activities, subject to confidentiality protections and reasonable scheduling

Audits shall be conducted at Controller’s expense during normal business hours with at least 30 days’ prior notice.

10. International Data Transfers

Personal data is processed and stored in the United States. If Controller requires specific data transfer mechanisms for transfers from the European Economic Area, United Kingdom, or Switzerland, Processor will execute Standard Contractual Clauses (SCCs) as adopted by the European Commission upon request.

11. Term

This DPA is effective as of the date of the Agreement and remains in effect for the duration of the Agreement. The DPA shall automatically terminate upon termination of the Agreement, subject to Processor’s obligations regarding data deletion and return as set forth herein.

Contact

For questions about this Data Processing Agreement or to request execution of a DPA, contact us at privacy@ataraxiagrc.com.