Data Processing Agreement
GDPR Article 28 Compliant
1. Scope and Purpose
This Data Processing Agreement (“DPA”) is entered into between the Customer (“Data Controller”) and Wisenotary LLC (“Data Processor”) and supplements the Terms of Service and any applicable service agreement.
This DPA governs the processing of Personal Data by WiseNotary on behalf of the Customer in connection with the provision of Services.
2. Definitions
Terms used herein have the meanings set forth in the GDPR unless otherwise defined:
- “Personal Data” — any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller.
- “Processing” — any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- “Sub-processor” — any third party engaged by the Processor to process Personal Data.
- “Data Breach” — a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
3. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure that authorized persons are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to data subject requests
- Assist with GDPR Articles 32-36 compliance (security, DPIAs, prior consultation)
- Delete or return all Personal Data upon termination
- Make available all information necessary to demonstrate compliance
- Immediately inform the Controller if an instruction infringes GDPR
4. Sub-processors
The Processor may engage Sub-processors with the Controller's general written authorization. The Processor will inform the Controller of intended changes (additions or replacements), with an opportunity to object within 14 days.
Current Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | USA |
| Vercel, Inc. | Hosting and infrastructure | USA (Global CDN) |
| Cloudflare, Inc. | CDN, security, DNS | USA (Global) |
| Amazon Web Services | Cloud storage (S3/R2) | USA/EU |
| Supabase, Inc. | Realtime database services | USA |
| Resend, Inc. | Transactional email | USA |
5. International Transfers
Where Personal Data is transferred outside the EU/EEA, the Processor ensures appropriate safeguards including Standard Contractual Clauses (SCCs) as approved by the European Commission and compliance with applicable adequacy decisions.
6. Security Measures
- AES-256 encryption at rest and TLS 1.3 in transit
- Access controls with multi-factor authentication
- Regular security audits and vulnerability assessments
- Intrusion detection and monitoring systems
- Incident response procedures with documented playbooks
- Employee security training and background checks
- Data backup with geographic redundancy and disaster recovery
- Logical data separation in multi-tenant architecture
7. Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Data Breach. The notification shall include:
- Nature of the breach
- Categories and approximate number of affected data subjects
- Likely consequences
- Measures taken or proposed to mitigate the breach
- Contact point for further information
8. Audits
The Processor allows audits, including inspections, conducted by the Controller or an independent auditor. Audits shall be conducted with reasonable notice (at least 30 days) during normal business hours, with costs borne by the Controller unless the audit reveals material non-compliance.
9. Term and Termination
This DPA remains in effect for the duration of the service agreement and for as long as the Processor processes Personal Data. Upon termination, the Processor shall, at the Controller's choice, delete or return all Personal Data within 30 days and certify deletion.
10. Liability
Each party's liability under this DPA is subject to the limitations in the Terms of Service. The Processor shall be liable for damage caused by processing that does not comply with GDPR or this DPA.
11. Contact
For DPA inquiries: privacy@wisenotary.com