Data Processing Addendum
1. Parties
This Data Processing Addendum (“DPA”) is entered into between EDGAR Analyst, Inc. (“Processor”) and the customer identified in the underlying agreement (“Controller”), and supplements the master subscription, terms of service, or order form between the parties (the “Agreement”).
2. Definitions
Capitalized terms not defined here have the meaning given in the Agreement or in applicable Data Protection Laws (including the GDPR, UK GDPR, and CCPA/CPRA). “Customer Data” means data that Controller submits to or has processed through the Service.
3. Scope & roles
Controller is the controller of Customer Data that is personal data. Processor processes such personal data only on behalf of Controller. For CCPA purposes, Processor acts as a service provider and not as a third party.
4. Processing details
| Field | Detail |
|---|---|
| Subject matter | Provision of the EDGAR Analyst Service per the Agreement. |
| Duration | For the term of the Agreement, plus the deletion period in Section 12. |
| Nature & purpose | Hosting, indexing, AI inference, monitoring, support, security, and billing. |
| Data categories | Account identifiers, work contact details, queries, monitor configurations, exports, audit log entries. |
| Data subjects | Controller's authorized users and personnel. |
| Special categories | Not intended. Controller agrees not to upload special category data through Service inputs. |
5. Processor obligations
- Process personal data only on documented instructions from Controller, including instructions in the Agreement and the Service configuration.
- Ensure that personnel authorized to process personal data are bound by appropriate confidentiality obligations.
- Implement and maintain the technical and organizational measures described in our Security page and Annex II.
- Assist Controller, taking into account the nature of processing, in fulfilling its obligations to respond to data subject requests, maintain security, and provide breach notifications.
6. Subprocessors
Controller authorizes Processor to engage subprocessors to provide the Service. Processor maintains a current list of subprocessors and will give Controller at least 30 days’ notice of any new subprocessor (by updating the list and via email to designated contacts). Controller may object on reasonable data protection grounds, in which case the parties will work in good faith to resolve the objection. Processor remains liable for its subprocessors’ performance under this DPA.
Current subprocessor list: trust@edgaranalyst.com.
7. Security
Processor implements and maintains appropriate technical and organizational measures designed to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, or disclosure. These measures are described in detail on our Security page and include encryption in transit and at rest, access controls, logging, vulnerability management, and personnel training. Processor is pursuing SOC 2 Type II attestation.
8. Breach notification
Processor will notify Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Data. Notice will include the information required by Article 33 GDPR to the extent known. Processor will reasonably cooperate with Controller's investigation and remediation.
9. Data subject requests
Processor will, taking into account the nature of the processing, provide reasonable assistance to enable Controller to respond to requests from data subjects to exercise their rights. If Processor receives a data subject request directed to Controller's data, Processor will redirect the data subject to Controller and notify Controller without undue delay.
10. Audits
Processor will make available to Controller all information reasonably necessary to demonstrate compliance with this DPA, including SOC 2 reports (under NDA) once available and other certifications. Once per year, on at least 30 days’ notice and during business hours, Controller may conduct an audit limited to information necessary to verify compliance, subject to confidentiality obligations and conducted so as not to disrupt the Service.
11. International transfers
Where personal data subject to the GDPR or UK GDPR is transferred to a country not deemed adequate, the parties agree the EU Standard Contractual Clauses (Module Two: Controller to Processor) and the UK International Data Transfer Addendum are incorporated by reference. The optional docking clause and Clause 17 Option 1 (Irish law) apply unless the parties’ main establishments require otherwise.
12. Return & deletion
On termination of the Agreement, Processor will, at Controller's option, return or delete Customer Data within 30 days (with up to an additional 60 days for backup deletion). Processor may retain personal data to the extent required by applicable law or for security and audit purposes, in which case the obligations of this DPA continue to apply.
13. Order of precedence
In the event of any conflict between this DPA and the Agreement with respect to processing of personal data, this DPA controls. In the event of a conflict between this DPA and the Standard Contractual Clauses, the SCCs control.
For execution copies and a countersigned PDF, contact legal@edgaranalyst.com. We will route via DocuSign.