Data Processing Agreement

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the agreement between EnrichGraph ("Processor," "we," "us") and the Customer ("Controller," "you") for the provision of professional profile data services.

This DPA applies to the processing of Personal Data by EnrichGraph on behalf of the Customer in connection with the Services, as required by the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

2. Definitions

For the purposes of this DPA:

• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
• "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
• "Sub-processor" means any third party engaged by EnrichGraph to process Personal Data on behalf of the Customer.
• "Security Incident" means any unauthorized access, acquisition, use, or disclosure of Personal Data.

3. Roles and Responsibilities

3.1 Customer as Controller: The Customer determines the purposes and means of processing Personal Data and is responsible for:

• Ensuring lawful basis for processing
• Providing required notices to Data Subjects
• Obtaining necessary consents where applicable
• Responding to Data Subject requests

3.2 EnrichGraph as Processor: EnrichGraph processes Personal Data only on documented instructions from the Customer and is responsible for:

• Processing data only as instructed
• Implementing appropriate security measures
• Assisting with Data Subject requests
• Notifying of Security Incidents

4. Processing Instructions

EnrichGraph shall process Personal Data only:

• In accordance with the Customer's documented instructions
• As necessary to provide the Services
• As required by applicable law (with prior notice where permitted)

If EnrichGraph believes an instruction violates applicable data protection law, it shall promptly notify the Customer.

5. Categories of Data Processed

The types of Personal Data processed may include:

• Professional profile information (name, job title, company)
• Work experience and employment history
• Education and qualifications
• Professional skills and endorsements
• Publicly available professional information
• Company and organizational data
• Any other data submitted by Customer for processing

6. Security Measures

EnrichGraph implements and maintains appropriate technical and organizational security measures, including:

• Encryption of data in transit and at rest (AES-256)
• Access controls and authentication mechanisms
• Regular security assessments and penetration testing
• Employee security training and confidentiality obligations
• Incident response and disaster recovery procedures
• Physical security of data centers

7. Sub-processors

7.1 Authorization: The Customer provides general authorization for EnrichGraph to engage Sub-processors for the provision of Services.

7.2 Notification: EnrichGraph shall notify the Customer of any intended changes to Sub-processors at least 30 days in advance, providing the Customer an opportunity to object.

7.3 Obligations: EnrichGraph shall ensure Sub-processors are bound by data protection obligations no less protective than those in this DPA.

8. Data Subject Rights

EnrichGraph shall assist the Customer in responding to Data Subject requests, including:

• Right of access
• Right to rectification
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object

EnrichGraph shall notify the Customer promptly upon receiving any request directly from a Data Subject.

9. Security Incidents

9.1 Notification: EnrichGraph shall notify the Customer of any Security Incident without undue delay, and in any event within 72 hours of becoming aware.

9.2 Information: Notification shall include:

• Nature of the Security Incident
• Categories and approximate number of Data Subjects affected
• Likely consequences of the incident
• Measures taken or proposed to address the incident

10. International Data Transfers

For transfers of Personal Data outside the European Economic Area (EEA), EnrichGraph shall ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Binding Corporate Rules where applicable
• Adequacy decisions by relevant authorities
• Additional supplementary measures as required

11. Data Retention and Deletion

11.1 Retention: EnrichGraph shall retain Personal Data only for as long as necessary to provide the Services and fulfill legal obligations.

11.2 Deletion: Upon termination of the Services or upon Customer request, EnrichGraph shall delete or return all Personal Data within 30 days, unless retention is required by law.

12. Audits and Compliance

EnrichGraph shall:

• Make available information necessary to demonstrate compliance
• Allow for and contribute to audits conducted by the Customer or an authorized auditor

13. CCPA Compliance

For California residents, EnrichGraph acts as a "Service Provider" under the CCPA and:

• Shall not sell Personal Information
• Shall not retain, use, or disclose Personal Information for purposes other than providing Services
• Shall assist with consumer rights requests
• Certifies understanding of these restrictions

14. Term and Termination

This DPA shall remain in effect for the duration of the Services agreement. Upon termination, the provisions regarding data deletion, confidentiality, and liability shall survive.

15. Amendments

This DPA may be amended by EnrichGraph to reflect changes in data protection laws or our processing activities. Material changes will be notified to Customers at least 30 days in advance.

16. Contact Information

For questions about this DPA or to exercise any rights, please contact: