Data Processing Agreement

1. Definitions

2. Scope and Purpose

This Data Processing Agreement (DPA) governs the processing of Personal Data by Covenant Labs, LLC in connection with the provision of the OpsEdge service to enterprise customers.

The purpose of processing includes:

• Facilitating service request creation and management
• Integrating with IBM Maximo systems for work order processing
• Providing user authentication and authorization
• Maintaining audit logs and compliance records
• Delivering technical support and system maintenance

3. Data Processing Instructions

The Processor shall process Personal Data only in accordance with the Controller's documented instructions, including:

• Processing Personal Data solely for the purposes specified in this DPA
• Implementing appropriate technical and organizational measures to ensure data security
• Maintaining confidentiality of Personal Data and not disclosing it to third parties without authorization
• Assisting the Controller in fulfilling data subject rights requests
• Providing reasonable assistance for data protection impact assessments

4. Security Measures

The Processor implements appropriate technical and organizational measures to protect Personal Data, including:

• Encryption of data in transit and at rest using industry-standard protocols
• Access controls and authentication mechanisms
• Regular security assessments and vulnerability testing
• Secure data centers with physical and environmental controls
• Incident response procedures and breach notification protocols
• Regular staff training on data protection and security

5. Sub-Processors

The Processor may engage sub-processors to assist in providing the OpsEdge service. The Processor shall:

• Maintain a list of sub-processors and notify the Controller of any changes
• Ensure sub-processors are bound by data protection obligations equivalent to this DPA
• Remain fully liable for the performance of sub-processors
• Provide the Controller with the opportunity to object to new sub-processors

6. Data Subject Rights

The Processor shall assist the Controller in fulfilling data subject rights, including:

• Right of access to Personal Data
• Right to rectification of inaccurate Personal Data
• Right to erasure of Personal Data
• Right to restrict processing of Personal Data
• Right to data portability
• Right to object to processing

7. Data Retention and Deletion

Personal Data shall be retained only for as long as necessary to fulfill the purposes outlined in this DPA. Upon termination of the service or at the Controller's request, the Processor shall:

• Return all Personal Data to the Controller in a structured, commonly used format
• Delete all Personal Data from the Processor's systems
• Provide written confirmation of data deletion
• Maintain audit logs of data deletion activities

8. International Data Transfers

Where Personal Data is transferred outside the European Economic Area, the Processor shall ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by the European Commission
• Binding Corporate Rules or other appropriate transfer mechanisms
• Additional safeguards where required by applicable law

9. Audit and Compliance

The Processor shall:

• Maintain records of all processing activities
• Allow the Controller to audit the Processor's compliance with this DPA
• Provide reasonable assistance during audits and inspections
• Notify the Controller immediately of any data breaches or security incidents
• Cooperate with supervisory authorities as required

10. Liability and Indemnification

Each party shall be liable for its own violations of applicable data protection laws. The Processor's liability for data protection violations shall be limited to direct damages, subject to the limitations set forth in the main service agreement.

11. Governing Law and Dispute Resolution

This DPA shall be governed by the laws of the United States. Any disputes arising from this DPA shall be resolved through binding arbitration in accordance with the rules of the American Arbitration Association.

12. Contact Information

For questions regarding this Data Processing Agreement, please contact: