Data Processing Agreement (DPA)
Last Updated: January 12, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Adaptive Solutions Group LLC ("Processor" or "we") and the customer ("Controller" or "you") for the use of ADSG Health Check services ("Services").
This DPA reflects the parties' agreement with regard to the processing of Personal Data in accordance with the requirements of the General Data Protection Regulation (GDPR) EU 2016/679 and other applicable data protection laws.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).
- Processing: Any operation performed on Personal Data, as defined in GDPR Article 4(2).
- Controller: The entity which determines the purposes and means of processing Personal Data.
- Processor: The entity which processes Personal Data on behalf of the Controller.
- Data Subject: An identified or identifiable natural person.
- Sub-processor: Any third party engaged by the Processor to process Personal Data.
3. Scope and Roles
3.1 Processor Role: Adaptive Solutions Group LLC acts as a Processor when processing Personal Data on behalf of the Controller through the ADSG Health Check platform.
3.2 Controller Role: You (the customer) act as the Controller determining the purposes and means of processing Personal Data of your employees and users.
3.3 Scope of Processing: We process only the Personal Data necessary to provide the Services, including:
- User account information (name, email, role)
- NetSuite metadata (script names, object names, configuration settings)
- Audit history and findings data
- Usage analytics and activity logs
4. Processor Obligations
4.1 Processing Instructions: We shall process Personal Data only on documented instructions from you, unless required by applicable law.
4.2 Confidentiality: We ensure that persons authorized to process Personal Data have committed themselves to confidentiality.
4.3 Security Measures: We implement appropriate technical and organizational measures including:
- Encryption at rest (AES-256-CBC) and in transit (TLS 1.3)
- Row-level security (RLS) for multi-tenant data isolation
- Regular security audits and vulnerability assessments
- Access controls and authentication (OAuth 2.0)
- Backup and disaster recovery procedures
4.4 Sub-processors: We may engage Sub-processors (listed in Section 7) and shall:
- Provide 30 days' notice of any new Sub-processor
- Ensure Sub-processors are bound by equivalent data protection obligations
- Remain liable for Sub-processor acts and omissions
4.5 Data Subject Rights: We shall assist you in responding to Data Subject requests including:
- Right of access (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure (Article 17 GDPR)
- Right to data portability (Article 20 GDPR)
- Right to restriction of processing (Article 18 GDPR)
4.6 Data Breach Notification: We shall notify you without undue delay (within 48 hours) upon becoming aware of a Personal Data breach.
4.7 Data Protection Impact Assessment: We shall provide reasonable assistance with Data Protection Impact Assessments when required.
4.8 Deletion or Return: Upon termination, we shall delete or return all Personal Data within 90 days, unless longer retention is required by law.
5. Controller Obligations
You (the Controller) shall:
- Ensure you have a lawful basis for processing under GDPR Article 6
- Provide clear processing instructions to the Processor
- Ensure Data Subjects have been informed of processing activities
- Not instruct processing that would violate applicable data protection laws
- Maintain records of processing activities as required by GDPR Article 30
6. International Data Transfers
6.1 Location: Personal Data is primarily stored and processed in the United States.
6.2 Standard Contractual Clauses: For transfers from the EEA, UK, or Switzerland to the United States, we rely on the EU Standard Contractual Clauses (2021/914) approved by the European Commission.
6.3 Supplementary Measures: We implement supplementary technical and organizational measures including:
- End-to-end encryption
- Pseudonymization where feasible
- Strict access controls limited to necessary personnel
- Transparency regarding government access requests (none to date)
7. Sub-processors
We engage the following Sub-processors to provide the Services:
| Sub-processor | Service | Location |
|---|---|---|
| Supabase Inc. | Database & Authentication | United States |
| Anthropic PBC | AI Analysis | United States |
| Stripe Inc. | Payment Processing | United States |
| Vercel Inc. | Application Hosting | United States |
You may object to the appointment of a new Sub-processor within 30 days of notification by contacting: privacy@adaptivesuitesolutions.com
8. Data Retention
8.1 Retention Period: We retain Personal Data for the duration of the service agreement, plus 1 year for audit purposes.
8.2 Deletion: After the retention period, Personal Data is automatically deleted unless you request earlier deletion (available via Settings → Privacy & Data Management).
9. Audits and Compliance
9.1 Audit Rights: You have the right to audit our compliance with this DPA, subject to:
- 30 days' advance written notice
- Reasonable frequency (max once per year unless breach suspected)
- Execution of a confidentiality agreement
- Reimbursement of our reasonable costs
9.2 Documentation: We provide documentation of our security measures and compliance efforts upon reasonable request.
10. Liability and Indemnification
10.1 Limitation: Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service.
10.2 Indemnification: We shall indemnify you against losses resulting from our breach of this DPA, to the extent permitted by the Terms of Service.
11. Term and Termination
This DPA remains in effect for the duration of the Terms of Service. Upon termination:
- We will cease processing Personal Data
- We will delete or return Personal Data within 90 days
- You may request earlier deletion via API or support
12. Contact Information
For questions or requests related to this DPA, contact:
Adaptive Solutions Group LLC
Data Protection Officer
Email: privacy@adaptivesuitesolutions.com
Email: dpo@adaptivesuitesolutions.com
Address: Available upon request for regulatory purposes
Need a signed copy? Contact legal@adaptivesuitesolutions.com to request a countersigned DPA for your records.