Data Processing Addendum
This DPA supplements the Terms of Service and applies where SurfacePoint processes personal data on behalf of a customer.
1. Roles and Scope
Customer acts as controller and SurfacePoint acts as processor for Customer Data processed in the Service, unless otherwise explicitly agreed in writing.
2. Processing Instructions
SurfacePoint processes personal data only on documented instructions from Customer, including use of the Service configuration and documented support requests.
3. Subject Matter and Duration
Processing covers account and operational data required to provide the Service during the subscription term and any defined post-termination retention/export window.
4. Confidentiality and Personnel Controls
Personnel with access to personal data are bound by confidentiality obligations and receive appropriate security/privacy training.
5. Subprocessors
Customer grants general authorization for subprocessors listed at /subprocessors/. SurfacePoint will provide notice of material subprocessor changes and customers may raise reasonable objections.
6. Security Measures (TOMs)
- Encryption in transit and at rest.
- Access management and least-privilege controls.
- Logging and monitoring of critical operations.
- Backup and recovery controls with periodic restore validation.
6A. Restricted and Export-Controlled Data
The standard hosted SurfacePoint Service is not currently available for export-controlled, ITAR/EAR, defense-controlled, government-classified, restricted, or unknown technical data unless a separate written agreement expressly allows that use. Customer must not include that data in Customer Data submitted to the standard hosted Service.
If Customer submits information about possible future restricted-data needs, SurfacePoint processes that information for account administration, product planning, sales follow-up, and security review. SurfacePoint does not determine legal classification, licensing requirements, or user eligibility for Customer's regulated or restricted data.
7. Audit and Assessment Rights
On reasonable notice and subject to confidentiality and security limits, Customer may request information sufficient to demonstrate compliance with this DPA.
8. Incident Notification
SurfacePoint will notify Customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Data and will provide available details for response obligations.
9. Return or Deletion
Upon termination, SurfacePoint will return or delete personal data according to contract terms, unless retention is required by law.
10. International Transfers
Where required for cross-border processing, parties will rely on approved transfer mechanisms such as EU Standard Contractual Clauses and UK transfer addendum language.
11. Conflict and Precedence
If this DPA conflicts with the Terms for data protection matters, this DPA controls for those matters.