Data Processing Agreement.
This is the policy we operate by. We publish it openly so prospective clients and partners can see how we work before they engage us. Final binding terms are negotiated and attached to each engagement.
Definitions.
"Controller", "processor", "personal data", "processing", "data subject", and "personal-data breach" mean what they mean in Article 4 of the EU GDPR and the UK GDPR. "Service provider" and "sale" have the meanings in the California Consumer Privacy Act / California Privacy Rights Act. "Standard Contractual Clauses" means the EU SCCs (2021/914); "UK IDTA" means the International Data Transfer Addendum issued by the UK ICO.
Roles.
For engagement-related personal data, the client (you) is the controller. SUMMIT REACH LLC is the processor. For California, SUMMIT REACH is a service provider. We do not sell or share personal data received from a controller; we process only on documented instructions.
For visitor data on summitreachsoft.com (request logs, contact-form submissions), SUMMIT REACH is the controller and the public privacy notice at /privacy applies.
Scope & instructions.
We process the categories of personal data, for the purposes, using the categories of data subjects, and for the duration set out in the engagement's statement of work. We process only on the controller's documented instructions, including any onward transfer. If we believe an instruction infringes applicable law, we say so in writing and pause until the instruction is corrected.
Confidentiality.
Every person we authorise to process personal data is bound by a written confidentiality obligation that survives termination of their relationship with SUMMIT REACH. Access is on a need-to-know basis.
Security.
We implement and maintain appropriate technical and organisational measures, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk to data subjects. The measures we use are described in /trust; the controller may request a current summary at any time and we will provide one inside ten business days.
Sub-processors.
The controller authorises the sub-processors listed at /subprocessors at the date of engagement. New sub-processors that process personal data require 30 days' prior notice via that page and direct email; the controller may object inside the notice window. If we cannot accommodate a reasonable objection, the controller may terminate the affected portion of the engagement without penalty.
Data-subject-rights assistance.
We assist the controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the controller's obligation to respond to requests for the exercise of the data subject's rights — access, rectification, erasure, restriction, objection, portability — under Chapter III of the GDPR. Where a request reaches us directly, we forward it to the controller without undue delay and assist as instructed.
Breach notification.
We notify the controller of a personal-data breach without undue delay and in any event within 48 hours of becoming aware of it. The notification describes the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed.
DPIA assistance.
We assist the controller in conducting data-protection impact assessments where required under Article 35, and in consulting the supervisory authority where required under Article 36, by providing information and access reasonable to the controller's requirements.
Audits.
Once per twelve-month period, on at least 30 days' notice and during normal business hours, the controller (or an independent auditor mandated by the controller and bound by confidentiality) may audit our compliance with this DPA. Audits are performed in a way that does not unreasonably disrupt our business or the rights of other controllers we serve. We accept industry-recognised third-party audit reports (SOC 2, ISO 27001) in lieu of on-site inspection where they answer the same questions.
International transfers.
Where personal data is transferred from the EEA, UK, or Switzerland to a country not subject to an adequacy decision, transfers rely on, in order:
- The EU–US Data Privacy Framework, where SUMMIT REACH or the sub-processor is certified and the transfer falls inside the certification scope; otherwise
- The EU Standard Contractual Clauses (Commission Implementing Decision 2021/914), Module Two (controller to processor), incorporated into this DPA by reference; and for UK transfers, the UK International Data Transfer Addendum to the EU SCCs.
We complete a transfer-impact assessment for each onward-transfer destination on request.
CCPA / CPRA service-provider terms.
To the extent we process the personal information of California residents on the controller's behalf, we act as a service provider. We will not:
- Sell or share that personal information.
- Retain, use, or disclose it for any purpose other than the business purpose specified in the statement of work, or as otherwise permitted by the CCPA.
- Combine it with personal information received from other sources, except to perform the specified business purpose.
The controller may take reasonable and appropriate steps to ensure our use of personal information is consistent with their obligations under California privacy law.
Return / deletion.
On termination, at the controller's choice, we delete or return all personal data processed under the engagement, and delete existing copies, within 30 calendar days. Backups expire on their own 90-day rolling schedule. Logs required by applicable law are retained for the period required by that law and then deleted.
Liability.
The limitation of liability in the master engagement agreement applies to claims arising under this DPA, except where applicable law disallows such limitation (for example, Article 82(2) GDPR claims by a data subject).
Term & order of precedence.
This DPA is effective on the engagement effective date and terminates with the engagement, save for clauses that by their nature survive (confidentiality, audit, deletion, liability, governing law). In any conflict with the master engagement agreement, this DPA prevails for matters relating to processing of personal data.
Governing law.
Governing law and forum follow the master engagement agreement — Wyoming law, Sheridan, Wyoming forum — except where applicable law imposes the law of the data subject's place of residence on rights under that law.
Execution.
This page sets out the canonical template. The binding DPA between you and SUMMIT REACH is the one signed at engagement, which incorporates this template by reference and adds the schedules (categories of personal data, categories of data subjects, sub-processor list, technical and organisational measures). The schedules are completed at engagement kickoff and reviewed annually.
Questions about this policy?
The text above describes how SUMMIT REACH LLC operates, in plain English. The final binding agreement between you and SUMMIT REACH LLC is whatever is signed at the bottom of your engagement, alongside this policy.
Questions or proposed changes? Email legal@summitreachsoft.com.