Data Processing Agreement

DPA highlights

• Customer is data controller; earthmove is data processor
• Confidentiality + appropriate technical & organizational measures (TOMs)
• Subprocessor list with 30-day notice for additions; customer right to object
• Data subject rights assistance within 30 days (Articles 15-22)
• Data breach notification within 72 hours of confirmation
• Standard Contractual Clauses (SCC) included for non-US transfers
• Audit rights: annual SOC 2 report when available + on-request CAIQ Lite
• Data deletion / return at end of services (30 days)