Data Processing Agreement
This Data Processing Agreement (this “DPA”) forms part of, and is incorporated by reference into, the Master Services Agreement (the “MSA”) between Idea2, Ltd., a Colorado LLC doing business as Slingr (“Processor” or “Slingr”), and the customer identified in the MSA (“Controller” or “Client”). Capitalized terms not defined in this DPA have the meanings given in the MSA.
This DPA sets out the terms governing Slingr’s Processing of Personal Data on behalf of Client in connection with the Services. To the extent Slingr Processes Personal Data on behalf of Client in the performance of the Services, the Parties agree as follows. In the event of any conflict between this DPA and the MSA on a matter relating to the Processing of Personal Data, the terms of this DPA control.
1. Definitions
“Applicable Data Protection Law” means all laws and regulations applicable to the Processing of Personal Data under the MSA, including, as applicable: (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); (b) the UK General Data Protection Regulation and the UK Data Protection Act 2018 (collectively, “UK GDPR”); (c) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”); and (d) any other privacy or data protection law applicable to the Parties in connection with the Services.
“Controller,” “Processor,” “Data Subject,” “Personal Data,” “Personal Data Breach,” “Processing,” and “Sub-processor” have the meanings given to them in the EU GDPR (or, where the context requires, in the comparable Applicable Data Protection Law). In the CCPA context, references to “Controller” shall be read to include “Business” and references to “Processor” shall be read to include “Service Provider,” as those terms are defined in the CCPA.
“EU SCCs” means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914. “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner. “Restricted Transfer” means a transfer of Personal Data from a jurisdiction whose laws restrict cross-border transfers to a jurisdiction not subject to an adequacy decision.
2. Subject Matter, Duration, and Nature of Processing
The subject matter of the Processing is the performance of the Services by Slingr under the MSA, including the development, deployment, operation, and (where elected by Client) ongoing management of custom software solutions. Slingr will Process Personal Data on behalf of Client for the duration of the MSA, plus any additional period required to return or delete Personal Data under Section 10 below.
The nature and purpose of the Processing, the types of Personal Data Processed, and the categories of Data Subjects are described in Schedule A at the end of this DPA. Client may update Schedule A by written notice to Slingr; provided that material changes requiring Slingr to materially alter its security measures or sub-processor arrangements shall be agreed in writing between the Parties.
3. Roles of the Parties
With respect to Personal Data Processed by Slingr under the MSA, Client is the Controller (or, where Client is itself acting as a processor for a third party, the relevant processor) and Slingr is the Processor. Slingr will Process Personal Data only on behalf of, and in accordance with documented instructions from, Client. The MSA, this DPA, Schedule A, and Schedule B constitute Client’s documented instructions to Slingr.
Slingr will inform Client if, in Slingr’s reasonable opinion, an instruction infringes Applicable Data Protection Law; in such case, Slingr is not obligated to follow that instruction until the matter is resolved. Client is responsible for ensuring that (a) Client has provided all notices and obtained all consents and authorizations necessary under Applicable Data Protection Law for Slingr to Process Personal Data as contemplated by the MSA; (b) Client’s instructions to Slingr comply with Applicable Data Protection Law; and (c) Personal Data provided to Slingr is accurate and up to date in all material respects.
4. Slingr’s Obligations as Processor
Slingr will Process Personal Data only (a) as necessary to perform its obligations under the MSA, (b) on Client’s documented instructions, or (c) as required by applicable law (in which case Slingr will, unless prohibited by law, inform Client of the legal requirement before Processing).
Slingr will ensure that all personnel authorized to Process Personal Data are bound by written or statutory obligations of confidentiality, and that access to Personal Data is restricted to personnel who need it to perform their duties under the MSA. Slingr will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, or disclosure. The current measures are described in Schedule C.
Taking into account the nature of the Processing and the information available to Slingr, Slingr will provide reasonable assistance to Client in fulfilling Client’s obligations under Applicable Data Protection Law with respect to: (a) responding to requests from Data Subjects to exercise their rights; (b) conducting data protection impact assessments; (c) consulting with supervisory authorities; and (d) responding to and mitigating Personal Data Breaches.
Slingr will not (a) sell, share, rent, or otherwise disclose Personal Data to any third party for any purpose other than the performance of the Services or as otherwise permitted by this DPA; (b) retain, use, or disclose Personal Data outside the direct business relationship with Client; or (c) combine Personal Data received from Client with personal information received from any other source, except for purposes expressly permitted by Applicable Data Protection Law. No monetary or other valuable consideration is provided for the disclosure of Personal Data to Slingr under the MSA.
5. Sub-processors
Client provides Slingr with general written authorization to engage Sub-processors for the Processing of Personal Data. The specific Sub-processors engaged for a given engagement vary by the scope, hosting platform, AI tooling, and other technical choices applicable to that engagement and are identified in the applicable Work Order. Schedule B describes the categories of Sub-processors Slingr commonly engages and includes representative examples; it is not an exhaustive list of all Sub-processors that may be engaged across Slingr’s Client base.
Slingr will notify Client in writing of any intended addition or replacement of a Sub-processor at least thirty (30) days before the change takes effect. Client may object in writing on reasonable data protection grounds within fifteen (15) days of notification. If the Parties cannot resolve the objection within thirty (30) days, Client may terminate the affected Work Order on written notice. Slingr will enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those in this DPA, and remains liable to Client for its Sub-processors’ acts and omissions.
6. Personal Data Breach Notification
Slingr will notify Client without undue delay, and in any event no later than seventy-two (72) hours, after Slingr becomes aware of a Personal Data Breach affecting Client’s Personal Data. The notification will include, to the extent then known: (a) the nature and circumstances of the Breach; (b) the categories and approximate number of Data Subjects and Personal Data records affected; (c) the likely consequences; (d) the measures taken or proposed to address and mitigate it; and (e) contact information for further inquiries. Slingr will cooperate reasonably with Client in investigating and responding to the Breach. Slingr’s notification of, or response to, a Breach will not be construed as an acknowledgment of fault or liability.
7. Data Subject Rights Assistance
If Slingr receives a request from a Data Subject relating to the Processing of Personal Data on behalf of Client, Slingr will not respond to the request directly (unless required by law or where Slingr is permitted to confirm receipt and refer the Data Subject to Client). Slingr will forward the request to Client without undue delay. Slingr will provide reasonable technical and organizational assistance to enable Client to respond within the timeframes required by Applicable Data Protection Law. Where the assistance required is significant, Slingr may charge for that assistance at the rates set forth in the MSA or applicable Work Order.
8. International Data Transfers
Client acknowledges that Slingr operates from offices in the United States and engages personnel in other jurisdictions, including Argentina and other countries where Slingr maintains personnel or Sub-processors. Personal Data may be transferred to and Processed in these jurisdictions in the course of the Services. Slingr will ensure that any such transfer is made in compliance with Applicable Data Protection Law.
Where Processing of Personal Data subject to the EU GDPR or UK GDPR involves a Restricted Transfer, the EU SCCs (Module 2, Controller-to-Processor) are incorporated into this DPA by reference and apply to such transfer, with the following selections: (a) Clause 7 (Docking Clause) not used; (b) Clause 9 (Use of Sub-processors): Option 2 (General Written Authorization), with a notice period of thirty (30) days as set forth in Section 5; (c) Clause 11 (Redress): the optional independent dispute resolution language not used; (d) Clause 17 (Governing Law): the law of the Member State in which the data exporter is established, or, if not applicable, Ireland; (e) Clause 18 (Forum and Jurisdiction): the courts of the Member State in which the data exporter is established, or, if not applicable, Ireland; (f) Annexes I, II, and III of the EU SCCs are completed by Schedule A, Schedule C, and Schedule B respectively.
Where the Processing involves a Restricted Transfer subject to the UK GDPR, the UK Addendum is incorporated into this DPA and applies to such transfer. The Parties select Tables 1, 2, and 3 of the UK Addendum to be completed by the corresponding parts of the EU SCCs and the Schedules to this DPA, and Table 4 (right to terminate) is granted to the importer.
Slingr will, on Client’s reasonable request, provide information reasonably necessary to enable Client to conduct a transfer impact assessment.
9. Audits and Inspections
Slingr will make available information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Law, including (where applicable) Slingr’s then-current SOC 2 or ISO/IEC 27001 audit reports, copies of Sub-processor agreements (redacted as necessary), and descriptions of Slingr’s technical and organizational measures.
If the documentation made available is not reasonably sufficient, Client may, no more than once in any twelve (12) month period (and additionally where reasonably required following a Personal Data Breach affecting Client’s Personal Data or a documented regulatory inquiry), conduct or commission an audit of Slingr’s relevant systems and procedures. Audits shall be conducted on at least thirty (30) days’ prior written notice, during Slingr’s normal business hours, in a manner that does not unreasonably interfere with operations, subject to confidentiality obligations no less protective than the MSA, and at Client’s cost unless the audit reveals a material breach by Slingr. Client may use a qualified independent third-party auditor (other than a competitor of Slingr) subject to Slingr’s reasonable approval.
10. Return or Deletion of Personal Data
Upon termination or expiration of the MSA, or upon Client’s earlier written request, Slingr will, at Client’s option, return or delete all Personal Data Processed on behalf of Client, including copies, within thirty (30) days. Slingr may retain Personal Data to the extent (a) required by applicable law; (b) retained in routine automated backups that are deleted in the ordinary course and not accessed for productive use during retention; or (c) necessary for the establishment, exercise, or defense of legal claims. Retained Personal Data remains subject to this DPA for so long as it is retained.
Slingr will certify in writing to Client, upon reasonable request, that it has returned or deleted Personal Data in accordance with this Section 10.
11. CCPA Service Provider Terms
Where Processing of Personal Data is subject to the CCPA, Slingr is a “service provider” to Client and Client is the “business” (or, where applicable, a service provider to another business). Slingr will not: (a) sell or share Personal Data within the meaning of the CCPA; (b) retain, use, or disclose Personal Data for any purpose other than the specific business purpose of performing the Services or as otherwise permitted by the CCPA; (c) retain, use, or disclose Personal Data outside the direct business relationship between Client and Slingr; or (d) combine Personal Data received from or on behalf of Client with personal information received from any other source, except as permitted under 11 CCR § 7050(b) or comparable provisions. Slingr certifies that it understands these restrictions and will comply with them, and will notify Client if it determines it can no longer meet its obligations under the CCPA.
12. Liability, Term, and General
The liability of each Party under this DPA is subject to the limitations and exclusions of liability set forth in the MSA, including Section 15 of the MSA. This DPA takes effect on the Effective Date of the MSA (or, if later, the date on which Slingr first Processes Personal Data on behalf of Client) and continues for the duration of the MSA and for so long thereafter as Slingr Processes any Personal Data on Client’s behalf.
Slingr may modify this DPA from time to time on reasonable prior notice to Client where required to reflect changes in Applicable Data Protection Law, changes in the EU SCCs or UK Addendum, or changes in Slingr’s standard practices, provided that any modification shall not materially diminish the level of protection afforded to Personal Data. In the event of conflict between this DPA and the MSA on a matter relating to Personal Data, this DPA controls. In the event of conflict between this DPA and the EU SCCs, the EU SCCs control with respect to EU Restricted Transfers; the UK Addendum controls with respect to UK Restricted Transfers.
Schedule A — Description of Processing
Subject matter and duration. Processing of Personal Data in connection with the development, deployment, operation, and (where elected) ongoing managed services for custom software solutions under the MSA. Duration: term of the MSA, plus the period needed for return or deletion under Section 10 above.
Nature and purpose. Hosting, storage, transmission, access, retrieval, modification, deletion, monitoring, security operations, technical support, and other Processing activities necessary to operate and maintain the Solution and provide the Services.
Types of Personal Data. To be specified by Client in the applicable Work Order. Typical categories include: (a) Client personnel contact information; (b) Client end-user account and profile information; (c) Client end-user application data; (d) authentication and audit data; and (e) such other categories as Client may direct.
Categories of Data Subjects. To be specified by Client in the applicable Work Order. Typical categories include: (a) Client’s employees, contractors, and other personnel; (b) Client’s customers, end-users, or other individuals whose data Client processes in the Solution; and (c) such other categories as Client may direct.
Special categories. To be specified by Client in the applicable Work Order. Slingr does not knowingly Process special categories of Personal Data unless expressly contemplated by the Work Order.
Frequency. Continuous, for the duration of the MSA and any Work Order under which the Solution is operated.
Controller / Processor. Client is the Controller; Slingr is the Processor.
Schedule B — Sub-processors
Slingr’s engagements are technology-agnostic. The specific cloud hosting provider, AI inference provider, communications provider, identity provider, and other third-party services used in a given engagement depend on the architecture and tooling elected by Client in the applicable Work Order. The specific Sub-processors engaged on behalf of Client are identified in the applicable Work Order at the time of contracting, and may include vendors other than those described in this Schedule B.
Slingr maintains an up-to-date list of the Sub-processors engaged in each Client’s active engagement, available to Client on request by contacting security@slingr.io. Changes are notified in accordance with Section 5 above. Common categories of Sub-processors Slingr may engage, with representative examples, include:
- Cloud hosting and infrastructure — Google Cloud Platform; Amazon Web Services; Microsoft Azure; Client-elected provider.
- AI / ML inference providers — OpenAI; Google Gemini; Anthropic; AWS Bedrock; other Client-elected providers.
- Communications and messaging — SendGrid; Twilio; AWS SES; Client-elected provider.
- Identity and authentication — Auth0; Okta; Google Identity; Microsoft Entra ID; Client-elected provider.
- Monitoring and observability — Datadog; Sentry; New Relic; Grafana Cloud; Client-elected provider.
- Payment processing — Stripe; Adyen; PayPal; Client-elected provider.
- Other — Other third-party services as required by the Solution architecture and identified in the applicable Work Order.
Slingr personnel located in jurisdictions including Argentina and the United States may access Personal Data in the performance of the Services. Such access constitutes a transfer for purposes of Applicable Data Protection Law where applicable, and is subject to the transfer mechanisms set forth in Section 8 above.
Schedule C — Technical and Organizational Measures
Slingr implements the following technical and organizational measures to protect Personal Data. Slingr may update these measures from time to time, provided that no update shall materially diminish the level of protection afforded to Personal Data.
- Customer isolation. Each Client engagement is operated in a dedicated, logically separated environment (currently, a per-Client Google Cloud Platform project). Personal Data of one Client is not commingled with Personal Data of any other Client at the storage, network, or compute layer.
- Encryption in transit. TLS 1.2 or higher for all network communications and HTTPS for web-facing endpoints.
- Encryption at rest. Industry-standard at-rest encryption provided by the underlying cloud provider; customer-managed keys available where elected in a Work Order.
- Access controls. Role-based access, least-privilege principles, and multi-factor authentication for privileged access. Access is granted on onboarding and promptly revoked on role change or termination.
- Audit logging. Audit logs of access to and operations on Personal Data within Slingr-managed environments are retained for periods reasonable for security investigations and compliance requirements.
- Network security. Network isolation through virtual private networks or cloud-provider-equivalent controls, with firewall rules and network policies on inbound and outbound traffic.
- Vulnerability management. Regular application of security patches and dependency updates. Critical vulnerabilities are addressed under the Severity 1 response time in Schedule 1 §S1.10 of the MSA.
- Backup and recovery. Commercially reasonable backup and disaster recovery procedures for Solutions hosted on Slingr-managed infrastructure. Backups containing Personal Data are subject to the same encryption and access controls as production data.
- Personnel. All personnel with access to Personal Data are bound by written confidentiality obligations and receive periodic data-protection and information-security training.
- Vendor management. Sub-processors are evaluated for data protection and security practices before engagement and bound by contractual obligations no less protective than this DPA.
- Incident response. Documented incident response procedures covering detection, containment, eradication, recovery, post-incident review, and notification to Client under Section 6 above.
- Physical security. Physical security of cloud data centers is provided by the underlying cloud provider under its certified security programs (such as SOC 2, ISO 27001, ISO 27701). Slingr does not operate its own data center facilities for the Processing of Client Personal Data.
- Data minimization. Slingr Processes only the Personal Data necessary to perform the Services. Slingr does not retain Personal Data beyond the period required to perform the Services, subject to Section 10 above.