Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the agreement between Polymorph, Inc. (“Polymorph,” “we,” “us,” or “our”) and the customer (“Customer”) for the use of our products and services (the “Services”). It describes how we process personal data on Customer’s behalf. Where Customer is subject to data protection laws such as the GDPR or the CCPA, this DPA applies to that processing.
Roles of the parties
For personal data that Polymorph processes on Customer’s behalf in providing the Services, Customer acts as the controller (or business) and Polymorph acts as the processor (or service provider). Polymorph processes such personal data only on Customer’s documented instructions, including as set out in the agreement and this DPA.
Scope of processing
The subject matter is the provision of the Services. The duration is the term of the agreement. The nature and purpose of processing is to host, analyze, and present data so that Customer can understand and act on how its users engage with its product. The categories of data subjects and personal data are determined by Customer through its use of the Services, and typically include Customer’s end users and their usage and account information.
Our obligations
- Process personal data only on Customer’s documented instructions, unless required to do otherwise by law.
- Ensure that personnel authorized to process personal data are bound by confidentiality.
- Implement appropriate technical and organizational security measures, as described in our Security Policy.
- Not sell personal data and not process it outside the direct business relationship.
Sub-processors
Customer authorizes Polymorph to engage sub-processors to support the Services, such as cloud hosting and analytics providers. We impose data protection obligations on sub-processors that are no less protective than this DPA, and we remain responsible for their performance. We will make available a current list of sub-processors and provide a mechanism to notify Customer of changes so Customer may object on reasonable grounds.
Data subject requests
Taking into account the nature of the processing, we will provide reasonable assistance to help Customer respond to requests from data subjects to exercise their rights. If we receive such a request directly, we will, where permitted, direct the individual to Customer.
Personal data breaches
We will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer’s personal data, and we will provide information reasonably available to us to help Customer meet its notification obligations.
International transfers
Where personal data is transferred across borders, we rely on appropriate transfer mechanisms, such as the standard contractual clauses, where required by applicable law.
Audits
We will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for audits, including inspections, conducted by Customer or an auditor on Customer’s behalf, on reasonable prior notice and subject to confidentiality.
Return and deletion
On termination of the Services, and at Customer’s choice, we will delete or return Customer’s personal data, and delete existing copies unless retention is required by law.
Contact us
To request a signed copy of this DPA or to ask a question, contact founders@usepolymorph.com.
