Last updated: May 25, 2026
This Data Processing Addendum (“DPA”) forms a part of the agreement between you and Netsertive, Inc. (“Agreement”). Such Agreement may refer to you as Client, Customer, Partner or other such designated name, all of which shall have the same meaning as “Controller” or “Data Exporter” in this DPA. For purposes of this DPA, Netsertive, Inc. may be referred to as “Processor” or “Data Importer”. Unless expressly defined in the Definitions section herein, all capitalized terms have the meanings defined in the Agreement text.
This DPA is intended to apply globally, and its safeguards are designed to meet or exceed the requirements of the applicable Data Protection Laws. These obligations apply to all Personal Data processed under the Agreement, regardless of where the data originates or is processed.
Purpose, Term and Relationship with the Agreement
1.1. Purpose.
The purpose of this DPA is to set forth the additional terms and obligations for the Processor to manage its operations with respect to Personal Data in a confidential, secure manner and in accordance with applicable laws and regulations known as the Data Protection Laws. The processing of Personal Data shall be performed by Processor only to fulfil the Business Purpose as further described in the Agreement.
1.2. Term.
The term of this DPA shall be the same as the term of the Agreement, beginning on the Effective Date of the Agreement and including any extensions, renewals or additions to the Agreement.
1.3. Relationship with the Agreement.
This DPA is incorporated into and forms part of the Agreement. In the event of any conflict between this DPA and the Agreement, the terms of this DPA shall prevail regarding the Processing of Personal Data. This DPA shall be governed by the laws and jurisdiction specified in the Agreement, except where Data Protection Laws require otherwise. In such cases, and specifically for the purposes of the SCCs and the rights of Data Subjects, this DPA shall be governed by the laws of the jurisdiction in which the Data Exporter is established, which shall be a jurisdiction that allows for third-party beneficiary rights (e.g., an EU Member State, the UK, or Switzerland).
Processor’s Obligations
2.1. Processing.
The Processor will only process the Personal Data to the extent, and in such a manner, as is necessary to a) fulfil the Business Purpose, b) fulfil the Controller’s written instructions, or c) comply with the terms of the Agreement. The Processor will not sell, share or Process the Personal Data for any other purpose or in a way that does not comply with this DPA, the Agreement or the Data Protection Laws. The Processor must promptly notify the Controller if, in its opinion, the Controller’s instructions do not comply with the Data Protection Laws.
2.2. Instructions.
The Processor shall comply promptly with any reasonable Controller written instructions requiring the Processor to amend, transfer, delete or otherwise Process the Personal Data, or to stop, mitigate or remedy any unauthorized Processing.
2.3. Confidentiality.
The Processor will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the Controller or this DPA specifically authorizes the disclosure, or as required by law, court or regulator. If a law, court or regulator requires the Processor to Process or disclose the Personal Data to a third party, the Processor shall inform the Controller of such legal or regulatory requirement and give the Controller an opportunity to object or challenge the requirement, unless the law or legitimate regulatory authority prohibits the giving of such notice.
2.4. Assistance.
The Processor will reasonably assist the Controller with meeting the Controller’s compliance obligations under the Data Protection Laws for Processing covered in the Agreement, taking into account the nature of the Processor’s Processing and the information available to the Processor, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the relevant Supervisory Authority under the Data Protection Laws.
2.5. Changes to Data Protection Laws.
If the Processor becomes aware of any changes to the Data Protection Laws that may reasonably be interpreted as adversely affecting the Processor’s performance of this DPA, Processor shall promptly notify the Controller.
Authorized Employees
3.1. Employee Data Handling.
The Processor will ensure that its employees: (i) are informed of the confidential nature of the Personal Data, are bound by confidentiality obligations and use restrictions that prevent disclosure or otherwise unauthorized Processing of Personal Data, (ii) have undertaken training on data security and protection and how it relates to their handling of Personal Data, and (iii) are aware of the Processor’s and their own duties and obligations under this DPA.
3.2. Employee Trustworthiness.
The Processor will take commercially reasonable steps to ensure the trustworthiness of Processor’s employees who may have access to the Personal Data and will limit access to Personal Data to only those employees who need to have the Personal Data to fulfil the Business Purpose.
3.3. Data Security Officer.
Processor has appointed a data security officer where such appointment is required by Data Protection Laws and shall provide the Controller with such officer’s contact information upon request.
Sub-Processors
4.1. Authorized Sub-Processors.
Controller authorizes the use of the Sub-Processors as referenced in EXHIBIT 3 – SUB-PROCESSORS (“Sub-Processors List”). The Sub-Processors List at the designated URL includes each Sub-Processor’s name and location; the Processor shall maintain the Sub-Processors List and may add or remove Sub-Processors from time to time. The Controller is responsible for reviewing this list on a regular basis.
4.2. New Sub-Processors.
If Processor adds a new Sub-Processor, Processor shall update the Sub-Processors List and send Controller a notification by email to its designated e-mail contact. Unless Controller submits a written objection (which objection must be on reasonable, substantial grounds and be directly related to such new Sub-Processor’s ability to comply with substantially similar obligations to those set out in this DPA) within ten (10) days of notification of a new Sub-Processor, such new Sub-Processor shall be considered authorized by the Controller.
4.3. Objection to New Sub-Processor.
If the Controller objects in accordance with Section 4.2, Processor shall have the right to cure any objection and will work with Controller in good faith to resolve such objection, including by: a) continuing to fulfil the Business Purpose without the affected component(s), if feasible, b) implementing a commercially reasonable alternative; or c) allowing Controller to terminate only the part(s) of the Agreement which could not be met without the affected component(s), pursuant to its terms.
4.4. Use of Sub-Processors.
Where Controller authorizes, and Processor uses, a Sub-Processor as described in this Section 4:
4.4.1. The Processor will restrict the Sub‑Processor’s access to only that Personal Data which is necessary to provide or maintain the fulfilment of the Business Purpose.
4.4.2. The Processor will either a) enter into or confirm an agreement or terms of use with the Sub‑Processor that requires the Sub‑Processor to meet the same requirements necessary to comply with the Data Protection Laws or b) in certain cases involving large established companies such as major advertising platforms (including, without limitation, Google, LLC, Meta Platforms, Inc., Microsoft Corporation, etc.), be considered compliant with 4.4.2(a) due to Processor’s adherence to the standard data processing terms and/or SCCs provided by such major platforms, which Controller acknowledges.
4.4.3. The Processor will remain responsible for its obligations under this DPA and for any acts or omissions of the Sub‑Processor that cause the Processor to breach any of the Processor’s obligations under this DPA.
Security of Personal Data
5.1. Maintaining Data Security.
The Processor shall implement appropriate technical and organizational measures against accidental, unauthorized or unlawful Processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, disclosure or damage of Personal Data, including but not limited to, the security measures set out in EXHIBIT 2 – TECHNICAL & ORGANIZATIONAL MEASURES.
5.2. Security Measures.
The Processor must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
5.2.1. The anonymization and encryption of Personal Data;
5.2.2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
5.2.3. The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical Security Incident; and
5.2.4. A process for regularly assessing the effectiveness of the security measures.
Security Incidents
6.1. Security Incident.
The Processor will (a) notify the Controller of a Security Incident without undue delay after becoming aware of it, and (b) take appropriate measures to address the Security Incident, including steps to mitigate any adverse effects.
6.2. Controller Assistance.
To enable the Controller to notify a Security Incident to supervisory authorities or to Data Subjects (as applicable), Processor will cooperate with and assist the Controller by including in its notice such information about the Security Incident as Processor is able to disclose, taking into account the nature of the Processing, the information available to Processor, and any restrictions on disclosure, including confidentiality obligations.
6.3. Non-intrusive Security Incidents.
A Non-intrusive Security Incident is not subject to this Section 6. A Non-intrusive Security Incident is one that does not result in unauthorized access to Personal Data or to any Processor systems or facilities storing Personal Data. Such incidents may include, without limitation, pings or other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log‑on attempts, denial‑of‑service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers), and similar events.
6.4. No Fault.
The Controller agrees that Processor’s obligation to notify or respond to a Security Incident under this Section 6 is not, and will not be construed as, an acknowledgement of fault or liability by Processor with respect to the Security Incident.
6.5. Communication.
Any notification of a Security Incident will be delivered to the Controller’s designated contact by any reasonable method chosen by Processor, including email. The Controller is solely responsible for ensuring that its contact information is accurate and kept up to date with Processor.
6.6. Notification Obligations.
If Processor notifies the Controller of a Security Incident, or if the Controller otherwise becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, the Controller is responsible for (a) determining whether any further notification or other obligation arises under applicable Data Protection Laws, and (b) taking all necessary steps to comply with those obligations. The Controller acknowledges that it is best positioned to determine the likely consequences of a Security Incident involving its Personal Data.
Data Transfers of Personal Data
7.1. Mechanism.
Processor may only process Personal Data outside the EEA, UK, or Switzerland under one of the following conditions: a) The transfer is into a territory subject to a valid and current adequacy decision under the applicable Data Protection Laws; or b) the parties use a valid cross-border transfer mechanism under the Data Protection Laws.
7.2. Data Privacy Framework.
The parties agree that Processor shall process Personal Data originating from the EEA, UK, or Switzerland in the United States in reliance on the Data Privacy Framework (DPF), the UK Extension to the DPF, and the Swiss-U.S. DPF (as applicable). Processor shall maintain its self-certification under the DPF for the duration of the Agreement.
7.3. SCC Fallback.
If the DPF is ever invalidated or ceases to apply to a transfer of Personal Data, the SCCs (Module 2: Controller-to-Processor) are hereby incorporated by reference. For the purposes of the SCCs: a) Module 2 applies; b) the “Data Exporter” is Controller and the “Data Importer” is Processor; c) the optional Docking Clause (Clause 7) is included; d) the Bridge Clause: Annex I of the SCCs is deemed populated by EXHIBIT 1 of this DPA, and Annex II of the SCCs is deemed populated by EXHIBIT 2 of this DPA; and e) Governing law and jurisdiction shall be the courts of the Data Exporter’s primary EEA establishment (or Ireland if no such establishment exists).
7.4. UK & Swiss Transfers.
For transfers from the United Kingdom, the UK International Data Transfer Addendum (issued by the ICO) is incorporated by reference and supplements the SCCs. For transfers from Switzerland, the SCCs shall be interpreted to protect the data of Swiss natural and legal persons, and “Supervisory Authority” shall include the Swiss FDPIC.
7.5. Transfer Assessments.
To the extent required by Data Protection Laws, Processor shall provide reasonable assistance to Controller in conducting necessary Transfer Impact Assessments (TIAs) and implementing additional safeguards required to legitimize the transfer.
Rights of Data Subjects
8.1. Data Subject Notification.
Processor shall, to the extent permitted by law, notify Controller without undue delay in writing upon receipt of a request by a Data Subject to exercise rights under Data Protection Laws (e.g., access, rectification, erasure, data portability, or objection to Processing) (“Data Subject Request”). Processor shall advise Data Subject to submit such request to the Controller, and the Controller shall be responsible for responding to such request including, where necessary, by using the functionality of Processor’s systems.
8.2. Controller Assistance.
Taking into account the nature of the Processing applicable to any Data Subject Request, Processor shall provide reasonable assistance to Controller by implementing appropriate technical and organizational measures, insofar as this is possible, to assist Controller in its obligation to respond to such Data Subject Request. Such assistance will be provided by Processor only if a) Controller is unable to respond to the request without Processor’s assistance and b) Processor is able to do so in accordance with all applicable laws. Processor reserves the right to charge Controller a reasonable fee for such assistance, unless prohibited under applicable Data Protection Laws.
Information and Audit Rights
9.1.
Controller is granted information and audit rights as described in this Section 9 and which shall occur no more than once per calendar year.
9.2. Information Request.
Upon written request, Processor shall provide Controller with answers to Controller’s questionnaire or, if applicable, a copy of its most recent third-party security audit report (e.g., SOC, DPF or similar).
9.3. Audit Procedure.
If a response to an information request does not reasonably satisfy Controller’s compliance requirements and if Controller has serious cause to believe that Processor is in material breach of its DPA obligations, Controller may conduct an audit of Processor’s facilities. Such audit must: (i) be conducted by a mutually agreed qualified third-party auditor; (ii) require 30 days’ notice; (iii) be at Controller’s sole expense; (iv) not be unreasonably disruptive to Processor’s business; and (v) be subject to strict confidentiality obligations.
9.4. Sub-Processor Audits.
Controller acknowledges that Processor cannot grant direct audit rights into third-party Sub-Processors. Processor shall, upon written request, provide available security certifications for such Sub-Processors. If, after receiving such available Sub-Processor security certifications, Controller has reasonable cause to request additional information from a Sub-Processor, then upon written request, Processor will use its available audit rights with Sub-Processor and share the non-confidential results with Controller.
Data Deletion and Retention
10.1. Data Deletion.
On termination of the Agreement, the Processor shall, in accordance with applicable terms in the Agreement, securely delete or destroy all Personal Data received pursuant to the Agreement, to the extent permitted by applicable Data Protection Laws.
10.2. Data Retention.
Certain data, including Personal Data, may be required to be retained by applicable law, a legal or regulatory body, or for compliance with corporate governance, or for routine archival, backup or disaster recovery policies. If Processor is so required, it shall use any such retained data only for the policy or legal purposes for which it is retained and all such data shall remain subject to the confidentiality and data protection obligations of this DPA, which obligations shall survive termination of the Agreement.
Definitions
The following definitions shall apply to this DPA. All other capitalized terms are defined as written in the body of this DPA if they do not appear in this Definitions section.
“Agreement” means the agreement, with all terms and conditions, entered into by Processor and Controller for the provision of products and services, which includes any schedules, exhibits, or amendments.
“Authorized Employee” means a Processor’s employee who has a need to know or otherwise access Personal Data to enable Processor to perform its obligations under this DPA or the Agreement.
“Business Purpose(s)” means the business requirements for which Processor was engaged to process Controller’s Personal Data.
“Controller” means the entity that has executed the Agreement with Processor and acts as a Data Exporter under the Data Protection Laws.
“Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal Data and privacy in effect during the term of the Agreement, including, as applicable: a) European Laws: The EU General Data Protection Regulation (GDPR) and the ePrivacy Directive; b) UK, Swiss and Brazilian Laws: The UK GDPR and the UK Data Protection Act, The Swiss Federal Act on Data Protection (FADP), the Brazilian General Data Protection Law (LGPD); c) Canadian Laws: The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA); d) U.S. Laws: The California Consumer Privacy Act (CCPA), as amended, and all other applicable U.S. state privacy laws; and e) Data Privacy Frameworks: The EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. All references to specific Data Protection Laws in this DPA shall include any subsequent amendments, modifications, re-enactments, or successor legislation to such laws, and any regulations, guidance, codes of practice, or other instruments issued pursuant to such laws, and Processor shall remain compliant with all such applicable changes.
“Data Subject” means, as applicable: an identified or identifiable person to whom Personal Data relates, whether data is that of Controller or of Controller’s contractors, prospects, customers or end-users; the meaning as set forth in Data Protection Laws and including such similar terms as defined therein, including “Consumer” or “Individual”.
“Data Exporter” means the party that is providing data to a Processor for processing, in this case being the Controller.
“Data Importer” means the party that is receiving data for processing, in this case being the Processor.
“Data Transfer” means the process of sending Personal Data outside the EEA, UK, or Switzerland.
“DPA” means this Data Processing Agreement.
“European Economic Area” or “EEA” means all the European Union member state countries plus Iceland, Liechtenstein and Norway.
“European Union” or “EU” means the 27 member state countries of the European Union.
“Personal Data” has the meaning given in the Data Protection Laws, generally meaning information relating to an identified or identifiable individual.
“Process” or “Processing” means any operation or set of operations which is performed upon the Personal Data, whether or not by automatic means; such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction. Processing also includes transferring the Personal Data to third parties.
“Processor” means Netsertive, Inc.
“Security Incident” means unauthorized access to Personal Data or to any Processor systems or facilities storing Personal Data.
“SCCs” or “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as currently set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and as may be amended, replaced, or superseded from time to time by the European Commission.
“Sub-Processor” means any third party appointed by or on behalf of Processor to process Personal Data on behalf of Controller in connection with the Agreement.
“Supervisory Authority” means any local, state, national or multi-national independent public authority, regulatory body, or government agency responsible for enforcing the Data Protection Laws, including but not limited to EU Data Protection Authorities, the UK Information Commissioner’s Office (ICO), the Swiss Federal Data Protection and Information Commissioner, the Office of the Privacy Commissioner of Canada, the Brazilian National Data Protection Authority (ANPD) and the U.S. state attorneys general or privacy agencies, along with any other similar legitimate regulatory authority with jurisdiction over the Processing of Personal Data under the Agreement.
EXHIBIT 1 – DESCRIPTION OF PROCESSING
(Incorporating Annex I of the SCCs)
Subject Matter: The subject matter of the Processing is for the use and access to products and services described in the Agreement between Controller and Processor, to meet the Business Purpose.
Nature and Purpose: The nature and purpose of the Processing or data transfer is to process certain Personal Data within normal operations of the products and services under the Agreement.
Frequency and Duration of Processing: The frequency and duration of the Processing is generally continuous, depending upon the usage of the products and services under the Agreement by Controller or its users, for the duration of the Agreement.
Categories of Personal Data: The categories of Personal Data include names, titles, employers, access/login credentials, contact and location information (including email addresses, phone numbers, mailing addresses, IP addresses, localization data, advertising identifiers, cross-device tracking identifiers and others), system usage logs, purchase data, segmentation data and other similar data.
Sensitive Data: Processing may include sensitive categories of data (including “Special Categories of Personal Data” as defined by Data Protection Laws) only to the extent such data is voluntarily submitted by a Data Subject in the course of the use of the products and services under the Agreement (e.g., information contained in an appointment request, inquiry form, phone call, or similar). Controller is responsible for ensuring that it has a valid legal basis for the processing of such sensitive data and that it does not provide directly, or encourage others to provide (through marketing activities), any sensitive data to Processor beyond what is strictly necessary for the Business Purpose.
Categories of Data Subjects: The categories of Data Subjects include a) Controller’s authorized users under the Agreement; b) Controller’s prospects, customers, business partners or vendors, along with those respective parties’ employees or users; and c) those individuals who may otherwise send or submit data, including a complaint or request.
Transfers to Sub-Processors: Transfers to Sub-Processors are used solely for the Business Purposes and include such things as: data hosting, messaging, advertising placement, reporting or other necessary functions under the Agreement.
Competent Supervisory Authority: The Competent Supervisory Authority is, depending upon the Controller’s location, either a) for EU/EEA Data: the Supervisory Authority of the Member state in which Controller is established; b) for UK data: The UK Information Commissioner’s Office (ICO); c) for U.S. data: the regulator or agency with jurisdiction over Controller’s principal place of business; or d) for all other jurisdictions: the Supervisory Authority with primary jurisdiction over the Processing of Personal Data in the Controller’s territory.
EXHIBIT 2 – TECHNICAL & ORGANIZATIONAL MEASURES
(Incorporating Annex II of the SCCs)
Processor has implemented important technical and organizational measures in order to protect Personal Data, whether at rest (in storage) or in transit, and maintains strict, industry-standard safeguards regarding its personnel, access points and systems. Processor maintains relevant security and privacy policies and procedures that align with the following standard-setting organizations: International Organization of Standards (ISO), U.S. National Institute of Standards and Technology (NIST) and Open Web Application Security Project (OWASP) Foundation. Processor shall maintain the following security measures to protect the Personal Data:
1. Organizational Security
1.1. Information Security Program:
Maintain a written information security policy approved by management.
1.2. Training:
Provide annual data privacy and security training to all Authorized Employees.
1.3. Confidentiality:
Ensure all Authorized Employees have signed binding confidentiality agreements.
2. Technical Security & Access Control
2.1. Encryption:
Encrypt Personal Data, including stored audio files, video files and transcriptions, at rest and in transit using secure, industry-standard protocols, including Transport Layer Security (TLS) & Advanced Encryption Standard 256 (AES-256).
2.2. Authentication:
Require Multi-Factor Authentication (MFA) for access to production systems.
2.3. Least Privilege:
Limit access to Personal Data to Authorized Employees based on a “need-to-know” basis.
2.4. Vulnerability Management:
Conduct regular vulnerability scans and patch critical vulnerabilities in a timely manner.
2.5. Separation Control:
Processor employs logical tenant separation to ensure that Personal Data processed for different Controllers or for different Business Purposes is processed separately and cannot be accessed by unauthorized parties.
3. Physical Security
3.1. Data Centers:
Use enterprise-grade, third-party data center and hosting providers, including AWS & Google Cloud, that maintain applicable industry-recognized security certifications (e.g., SOC 2, ISO 27001).
3.2. Office Security:
Maintain physical access controls at Processor’s corporate offices, including electronic, trackable key-card access or similar measures.
4. Resilience and Availability
4.1. Backups:
Perform regular backups of Personal Data and store them in a secure, off-site/redundant location.
4.2. Disaster Recovery:
Maintain a disaster recovery plan to ensure the timely restoration of data in the event of a technical incident.
4.3. Availability Control:
Processor maintains a redundant architecture and backup rotation policy to protect Personal Data against accidental destruction or loss and to ensure the timely restoration of data.
5. Order Control & Sub-Processors
5.1. Order control:
Processor maintains internal procedures to ensure that Personal Data is processed only in connection with the Business Purpose, the Data Protection Laws, and the Controller’s instructions.
5.2. Flow-down protection:
Processor ensures that Sub-Processors are bound by written agreements or have acceptable, industry-standard terms of use which provide at least the same level of protection as this DPA.
6. Audit and Monitoring
6.1. Logging:
Maintain system logs to track access and changes to Personal Data.
6.2. Assessments:
Regularly test and evaluate the effectiveness of these technical and organizational measures.
EXHIBIT 3 – SUB-PROCESSORS
Processor’s current Sub-Processor List (including name, location, and service description) is incorporated herein by reference and is maintained at:
www.netsertive.com/legal/dpa-sub-processors
Processor shall provide notice of any changes to this List in accordance with Section 4.2 of this DPA.