This Data Processing Addendum ("DPA") forms part of the services agreement between EDGENOVA LLC ("Processor") and the client ("Controller") whenever the Processor processes personal data on behalf of the Controller in the course of providing engineering services.
Where required by GDPR Article 28, this DPA is deemed executed by the parties when the Controller counter-signs the underlying services agreement. A signed PDF version is available on request from [email protected].
01Rôles
The Controller determines the purposes and means of processing personal data. The Processor (EDGENOVA LLC) processes personal data only on the documented instructions of the Controller, as set out in the services agreement, the SOW, and this DPA.
02Nature et durée
Nature and purpose: engineering, hosting, automation, technical support. Duration: the term of the services agreement. Categories of data subjects: Controller's end-users, employees, contractors, prospects. Categories of personal data: contact details, account identifiers, technical logs, plus any additional categories defined in the SOW.
03Sous-traitants
The Processor may engage sub-processors listed on the Sous-traitants page. The Controller grants general authorisation to engage sub-processors, subject to the Processor imposing contractual obligations at least as protective as this DPA. The Processor gives the Controller at least 30 days' notice of new sub-processors and honours reasoned objections.
04Transferts internationaux
Where personal data is transferred outside the EEA or UK to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Commission Decision 2021/914) — Module 2 (Controller-to-Processor) — by reference. The UK IDTA applies to UK transfers.
05Mesures de sécurité
- TLS 1.3 for data in transit; AES-256 for data at rest.
- Access on a need-to-know basis with individual accounts and MFA.
- Encrypted backups, tested restore procedure, 30-day retention.
- Access and change logging retained for at least 90 days.
- Written incident-response procedure with 72-hour breach notification.
06Demandes des personnes concernées et audits
The Processor assists the Controller with data subject access, rectification, deletion and portability requests within reasonable timeframes. The Processor makes available all information necessary to demonstrate compliance and permits audits at reasonable intervals and with reasonable notice.
07Restitution et suppression
On termination, the Processor returns or deletes personal data on the Controller's written instruction, subject to legal retention requirements (typically 10 years for accounting records).
08Exemplaires signés
A counter-signed DPA is available on request. Email [email protected] with your company name and the SOW reference; we return a PDF within one business day.