Data Processing Agreement
Data Processing Agreement (DPA)
Last updated: February 12, 2025
CorralData Inc. (“us”, “we”, “our” or “company”) has adopted in full an industry-standard Data Processing Agreement (DPA) from oneDPA.
The oneDPA contract was created collaboratively by a group of leading law firms and in-house teams with input from the wider legal community. The terms of oneDPA have been discussed extensively to ensure it meets legal requirements while remaining balanced, fair and easy to understand.
This page outlines the specific stipulations of CorralData Inc.’s DPA as a processor to our customers.
Parties’ Relationship
Processor (Company) to Controller (Customer).
Parties’ roles
Controller: The customer will act as the Controller (as defined in Section 1 of the Terms).
Processor: CorralData Inc. will act as the Processor (as defined in Section 1 of the Terms).
Term
This DPA commences on the final date of signature and continues for the term of the Main Agreement, plus any legally required data-retention period.
Breach Notification Period
Within 72 hours after becoming aware of a personal data breach and without undue delay.
Sub-processor Notification Period
30 days before the new sub-processor is granted access to Personal Data.
Liability Cap
Each party’s aggregate liability under this DPA will not exceed the liability caps set out in the Main Agreement.
Governing Law and Jurisdiction
As per the Main Agreement.
Data Protection Laws
All applicable laws, regulations and court orders governing Personal Data processing, including (without limitation):
- European Union General Data Protection Regulation (EU 2016/679)
- UK GDPR and UK Data Protection Act 2018
- California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2020
- Texas Data Privacy and Security Act 2024
- Colorado Privacy Act 2023
- Virginia Consumer Data Protection Act 2023
- Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) (“PIPEDA”)
- and any comparable U.S. state privacy statute or other national privacy law in force during the term.
Where Personal Health Information is processed, the parties will also comply with any applicable provincial health information legislation (for example, Ontario’s PHIPA), each as amended from time to time.
Services Related to Processing
Provision of CorralData’s data-analysis platform and ongoing support services.
HIPAA; Business Associate Agreement — U.S.
CorralData supports compliance with the U.S. Health Insurance Portability and Accountability Act (“HIPAA”). Where CorralData will create, receive, maintain, or transmit Protected Health Information (“PHI”) on Customer’s behalf, the parties shall enter into a separate Business Associate Agreement (“BAA”) that sets forth the specific obligations applicable to PHI.
Key points: The BAA will prevail for PHI-related conflicts; it will incorporate HIPAA-compliant security, breach-notification and reporting measures; and CorralData will assist with HIPAA breach response and provide evidence of safeguards on request.
Canadian Personal Health Information; Provincial Health Addendum (PHA)
To the extent Canadian Personal Data or Personal Health Information (as defined by provincial law) is processed under this DPA, the parties will comply with PIPEDA and any applicable provincial health information legislation (including, without limitation, Ontario’s PHIPA, Alberta’s HIA, and Québec’s Act 25), each as amended from time to time.
Provincial Health Addendum (PHA): For Canadian Personal Health Information, the parties will enter into a separate PHA or equivalent instrument that sets forth the specific provincial obligations, establishes security and breach-notification measures materially comparable to a HIPAA BAA, and clarifies incident response, audit and data-return/deletion obligations for Personal Health Information.
The PHA will prevail over this DPA for provincial PHI conflicts. If requested by the Controller, the Processor will negotiate and execute the PHA in good faith and provide evidence of required safeguards. Absent an executed PHA, the Processor will, to the extent practicable, observe obligations materially equivalent to a HIPAA-style BAA for Canadian PHI.
Duration of Processing
For the Term of this DPA.
Nature and Purpose of Processing
Ingestion, storage and management of Personal Data—where hashing or aggregation is not possible—solely to provide services described in the Main Agreement.
Personal Data
Customer email addresses, shipping and billing addresses, and other Personal Data supplied via integrated platforms.
Data Subjects
Customer’s customers and prospects.
Transfer Mechanism
Standard Contractual Clauses (Commission Decision (EU) 2021/914, Module 2) and, where applicable, the UK International Data Transfer Addendum, or any replacement mechanism recognised under Data Protection Laws. If Personal Data originates in Canada, the Processor will implement appropriate safeguards that provide a level of protection substantially equivalent to that required under PIPEDA and will, where required by PIPEDA or applicable provincial law, obtain the Controller’s prior written consent or otherwise provide notice.
Terms
What is this agreement about?
1.1 Purpose. The parties enter this DPA for processing Personal Data as defined above.
1.2 Definitions.
(a) adequate country – a country recognised under Data Protection Laws as providing adequate protection for Personal Data;
(b) Controller, data subject, personal data breach, process/processing, Processor and supervisory authority have the meanings given in Data Protection Laws;
(c) Business and Service Provider have the meanings given in the CCPA/CPRA;
(d) Sub-Processor means another processor engaged by the Processor to perform specific processing activities with Personal Data.
What are each party’s obligations?
2.1 Controller obligations. Controller instructs Processor to process Personal Data in accordance with this DPA and is responsible for all required notices, consents, licences and legal bases.
2.2 Processor obligations. Processor will:
(a) process Personal Data only per this DPA and Controller instructions (unless legally required otherwise);
(b) not sell, retain or use Personal Data beyond this DPA and Main Agreement;
(c) inform Controller immediately if any instruction infringes Data Protection Laws;
(d) apply the technical and organizational measures in Annex 1 to ensure security appropriate to risk;
(e) notify Controller of a personal data breach within the Breach Notification Period and assist as required;
(f) ensure authorised personnel are bound by confidentiality;
(g) without undue delay, reasonably assist Controller with data-protection impact assessments, data-subject requests and supervisory-authority engagement;
(h) on request, provide information demonstrating compliance;
(i) allow audits once per year during business hours (except in breach situations);
(j) upon request, return or delete Personal Data at the end of the Term unless retention is legally required.
2.3 Warranties. Each party warrants that it and its staff and subcontractors will comply with Data Protection Laws throughout the Term.
Sub-processing
3.1 Use of sub-processors. Controller authorises Processor to engage sub-processors. Current sub-processors are listed in Annex 2.
3.2 Requirements. Processor will:
(a) impose equivalent DPA obligations on sub-processors;
(b) ensure appropriate safeguards for international transfers;
(c) remain liable for acts, errors or omissions of sub-processors.
3.3 Approvals. Processor may appoint new sub-processors with 30 days’ prior notice.
3.4 Objections. Controller may reasonably object; if unresolved, either party may terminate this DPA.
International personal data transfers
4.1 Processor will transfer Personal Data outside the UK, EEA or an adequate country only on documented instructions.
4.2 Where a party outside the UK or EEA receives Personal Data, the SCC/IDTA applies.
4.3 If the SCC/IDTA proves insufficient, the data importer will implement supplementary measures.
4.4 Public-authority requests will be challenged and minimised where legally possible.
Other important information
5.1 Survival. Provisions intended to survive remain in force.
5.2 Order of precedence. (a) Transfer Mechanism, (b) this DPA, (c) Main Agreement.
5.3 Notices. Formal notices must be in writing to the contacts on the DPA front page.
5.4 Third parties. Except affiliates, no third party may enforce this DPA.
5.5 Entire agreement. This DPA supersedes prior discussions and agreements on its subject matter.
5.6 Amendments. Must be agreed in writing.
5.7 Assignment. Neither party may assign without the other’s consent.
5.8 Waiver. Failure to enforce a right is not a waiver.
5.9 Governing law and jurisdiction. As per the Main Agreement.
ANNEX 1 – Security Measures
Technical and organizational measures to ensure the security of Personal Data
a) Access Control
i) Preventing unauthorized product access
- Outsourced processing: infrastructure on AWS; contractual safeguards with vendors.
- Physical and environmental security: AWS data centers with SOC 2 Type II and ISO 27001.
- Authentication: uniform password policy plus enforced two-factor authentication for all accounts accessing PII via SSO or native login.
- Authorization: role-based access tied to dataset attributes.
ii) Preventing unauthorized product use
- Network access controls via VPCs, security groups and firewalls.
- Web Application Firewall for public endpoints.
- Static code analysis and annual third-party penetration testing.
iii) Limitation of privilege and authorization reviews
- Just-in-time access approvals, logged and reviewed; high-risk privileges reviewed semi-annually.
- Background checks where legally permitted.
b) Transmission Control
- HTTPS/TLS for all interfaces.
- Data encrypted at rest using industry-standard algorithms.
c) Input Control
- Comprehensive logging, aggregation and alerting on anomalous activity.
- Incident response with documented resolution steps and customer notification per this DPA.
d) Availability Control
- AWS infrastructure aims for 99.95 percent uptime with N+1 redundancy.
- Multi-AZ replication and backups.
- Tested disaster-recovery plans ensuring failover without single points of failure.
ANNEX 2 – Sub-processors
Current sub-processors are listed at: https://corraldata.com/sub-processors/
This list is maintained and updated by CorralData. The Processor will provide the Controller with at least 30 days’ prior written notice before adding new sub-processors and will ensure that any sub-processor is bound by obligations equivalent to those in this DPA.