📋 Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between OnChain Media Labs ("Processor") and the customer ("Controller") for the provision of advertising technology services.
1
Definitions
📄 Personal Data
Any information relating to an identified or identifiable natural person
⚙️ Processing
Any operation performed on Personal Data
👤 Data Subject
The individual to whom Personal Data relates
🔗 Sub-processor
Any third party engaged by the Processor to process Personal Data
2
Scope and Purpose
This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of advertising technology services. The Processor will only process Personal Data in accordance with the Controller's documented instructions.
3
Processor Obligations
The Processor shall:
Process Personal Data only on documented instructions from the Controller
Ensure persons authorized to process Personal Data are bound by confidentiality obligations
Implement appropriate technical and organizational security measures
Assist the Controller in responding to Data Subject requests
Delete or return Personal Data upon termination of services
Make available information necessary to demonstrate compliance
Allow for and contribute to audits and inspections
4
Security Measures
The Processor implements the following security measures:
🔐 Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
🔍 Regular vulnerability assessments and penetration testing
🔑 Access controls and multi-factor authentication
🚨 Incident response and breach notification procedures
💾 Business continuity and disaster recovery measures
✅ SOC 2 Type II certification
5
Sub-processors
The Controller provides general authorization for the Processor to engage Sub-processors. The Processor shall maintain an up-to-date list of Sub-processors and notify the Controller of any intended additions or replacements. Sub-processors are subject to the same data protection obligations as the Processor.
6
International Transfers
Where Personal Data is transferred outside the EEA, the Processor ensures appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.
7
Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligation to respond to Data Subject requests, including requests for access, rectification, erasure, restriction, portability, and objection.
8
Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 48 hours) upon becoming aware of a Personal Data breach. The notification shall include the nature of the breach, categories of data affected, and proposed remediation measures.
9
Audit Rights
The Controller may audit the Processor's compliance with this DPA upon reasonable notice. The Processor shall make available all information necessary to demonstrate compliance and allow for inspections.
10
Term and Termination
This DPA shall remain in effect for the duration of the service agreement. Upon termination, the Processor shall delete or return all Personal Data unless retention is required by applicable law.
If you have any questions about this policy, please contact us at [email protected]