Data Processing Agreement
Last updated: 2026-05-08
At a glance
- ✓ GDPR Article 28 compliant
- ✓ Customer data stored within the European Economic Area
- ✓ EU Standard Contractual Clauses incorporated for any cross-border access
- ✓ Anonymous respondents by design
- ✓ 30-day deletion or export commitment
- ✓ 72-hour breach-notification commitment
This Data Processing Agreement (the “DPA”) governs how we process personal data on behalf of customers of the 360review service. It forms part of the agreement between Dunbar App Inc. (the “Processor”) and the customer (the “Controller”) under Article 28 of Regulation (EU) 2016/679 (the “GDPR”).
To execute this DPA, please contact us and we will provide a counter-signed copy.
Parties
Processor: Dunbar App Inc., a Delaware (USA) corporation, registered at 8 The Green Suite 7013, Dover, DE 19901, USA. Tax ID 93-1507384.
Controller: the customer entity that has signed up for the 360review service.
1. Subject matter and duration
Provision of the 360review service, including collection of self-assessment and team-feedback responses, AI-assisted leadership reports, and related lifecycle communications. The DPA is in effect for as long as we process Customer Data on behalf of the Controller.
2. Nature and purpose of processing
We process Customer Data only for the following purposes:
- Operating the Service for the Controller’s authorised users
- Generating reports, gap analyses, and 90-day plans from collected responses
- Sending lifecycle and transactional emails to authorised users
- Customer support when requested by the Controller
- Securing the Service and detecting/preventing abuse
We do not use Customer Data to train AI models, market to data subjects, or for any purpose other than serving the Controller.
3. Categories of data subjects and personal data
Categories of data subjects:
- The Controller’s leaders (managers being assessed)
- The Controller’s team members (respondents, anonymous to the leader)
- The Controller’s administrators (multi-seat plan admins)
Categories of personal data:
- Leaders: name, email, locale, self-assessment ratings, AI-generated report content, account state, payment metadata
- Respondents: anonymous response token (no name or email collected), response ratings and free-text content
- Administrators: name, email, password hash, seat allocation
4. Obligations of the Processor
The Processor will:
- Process Customer Data only on the Controller’s documented instructions
- Ensure personnel processing Customer Data are bound by confidentiality obligations
- Implement appropriate technical and organisational measures (Annex 2)
- Engage sub-processors only in accordance with Section 6 below
- Assist the Controller in fulfilling data-subject rights requests under GDPR Articles 12–22
- Notify the Controller without undue delay (within 72 hours) of any personal-data breach
- At the Controller’s choice, return or delete all Customer Data at the end of services
5. Obligations of the Controller
The Controller will:
- Have a lawful basis for processing personal data submitted to the Service
- Inform data subjects of the processing as required by GDPR Articles 13 and 14
- Promptly forward any data-subject request requiring the Processor’s assistance
6. Sub-processors
The current sub-processor list is published at /legal/sub-processors. The Controller authorises the engagement of these sub-processors.
We will notify Controllers under an active DPA at least 14 days before any new sub-processor begins processing their data, where commercially feasible. The Controller may object on documented data-protection grounds; we will work in good faith to resolve any objection.
7. International transfers
The Processor is a US-incorporated entity operating EU-resident infrastructure. Customer Data is stored and processed within the European Economic Area (EEA), primarily in AWS Stockholm (eu-north-1) and MongoDB Atlas Stockholm (eu-north-1). For any access by the Processor’s US personnel, and for any data flow through US-located infrastructure (notably Resend’s email delivery infrastructure), the Processor relies on:
- the European Commission’s Standard Contractual Clauses (SCCs) — Decision 2021/914, Module Two (Controller-to-Processor)
- the EU-US Data Privacy Framework, where the relevant sub-processor is certified under it (Resend is so certified)
- the technical and organisational measures described in Annex 2
By signing this DPA, the parties incorporate the SCCs by reference. The SCCs prevail in the event of conflict with any other clause.
8. Data-subject rights
The Service supports the following data-subject rights:
- Access & rectification: via the dashboard and on request
- Erasure: on request, all data for a leader or the entire customer account is deleted within 30 days
- Portability: on request, customer data is exported in JSON or CSV and delivered within 30 days, at no cost
- Restriction & objection: processed within a reasonable time on request
9. Personal-data breaches
We will notify the Controller without undue delay and within 72 hours of becoming aware, with a description of the breach, affected data subjects, likely consequences, and measures taken.
10. Return or deletion of data
Within 30 days of termination, and at the Controller’s choice, we will return Customer Data in JSON or CSV, or delete all Customer Data from active systems. Backup rotation completes within 90 days.
11. Governing law
This DPA is governed by the laws of the State of Delaware, USA. The Standard Contractual Clauses incorporated under Section 7 are governed by the laws of Ireland in line with Clause 18 of the SCCs. This split applies uniformly to all customers.
Annex 1 — Sub-processors
See public list at /legal/sub-processors. Maintained per the obligations in Section 6.
Annex 2 — Technical and organisational measures
The Processor implements the following measures, in line with GDPR Article 32:
- Encryption. Customer Data is encrypted in transit and at rest using industry-standard methods.
- Access control. Access to production systems is limited to named personnel and protected by multi-factor authentication.
- Anonymity-by-design for respondents. Respondents do not provide any name, email, or identifier when answering the survey. The leader’s dashboard remains locked until a minimum number of responses have been received, with batched updates to prevent identifiability.
- Resilience. Backups, point-in-time restore, and regional redundancy are configured on the underlying infrastructure.
- AI processing. Survey response text sent to Microsoft Azure OpenAI is contractually prohibited from being used to train models or for any purpose beyond delivering the requested completion.
- Personnel. Personnel with access to Customer Data are bound by written confidentiality obligations.
- Sub-processors. All sub-processors are reviewed before engagement and contractually obligated to equivalent data-protection standards.
- Incident response. Documented incident-response procedures support the 72-hour breach-notification commitment.
Specific technical details (key-management providers, exact algorithms, infrastructure topology) are available to the Controller on a confidential basis on reasonable request.