Data Processing Addendum (DPA)

Introduction

This Data Processing Addendum (the "DPA") is entered into by and between you ("Customer", "you," and "yours") (collectively, with its Affiliates, "Customer") and SureHelp Solution ("SHS," "us," "we," or "our"). This DPA supplements and is incorporated into the existing agreement between Customer and SHS (the "Agreement") pursuant to which SHS will provide services ("Services") to Customer and has the same Effective Date as the Agreement.

Purpose:

In the course of providing the Services to Customer, SHS may Process Personal Data on behalf of Customer, and the parties agree to comply with the following provisions with respect to any Personal Data.

Definitions

"Affiliate"

means with respect to an entity, any other entity that, now or in the future, either directly or through one or more intermediaries, controls, is controlled by, or is under common control with, that entity or any of its successors.

"CCPA"

means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, and implementing regulations.

"Controller"

means the definition of a controller, business, or equivalent term under Data Protection Laws.

"Customer Personal Data"

means any Personal Data Processed by SHS (or a Sub-processor) on behalf of Customer pursuant to or in connection with the Agreement.

"Data Protection Laws"

means any applicable international, national, federal, state, local, municipal, or territorial law, regulation, or standard concerning data privacy and security, including GDPR, CCPA, PIPEDA, UK GDPR, etc.

"Data Subject"

means the definition of a data subject, consumer, or equivalent term under Data Protection Laws.

"GDPR"

means the General Data Protection Regulation, Regulation (EU) 2016/679.

"Personal Data"

means information that identifies or could reasonably identify a natural person, or is otherwise considered personal data under Data Protection Laws.

"Process / Processing"

means any operation performed on Personal Data such as collection, storage, use, disclosure, alteration, or deletion.

"Processor"

means the definition of a processor, service provider, or equivalent term under Data Protection Laws.

"Security Incident"

means any confirmed unauthorized access, disclosure, theft, loss, or misuse of Personal Data.

"Sub-processor"

means any person appointed by SHS to Process Personal Data on behalf of Customer under the Agreement.

"UK GDPR"

means the UK version of the EU GDPR as incorporated into UK law by the European Union (Withdrawal) Act 2018.

Term

The term of this DPA will commence on the Effective Date and continue as long as SHS Processes Customer Personal Data.

Processing of Customer Personal Data

Details on SHS's role as Processor, Customer authority, purposes of Processing, prohibitions on selling/sharing, compliance obligations, and Customer's responsibilities.

                    Key Responsibilities:
                    SHS acts as a Processor on behalf of Customer
Customer retains authority over Personal Data
Processing limited to service delivery purposes
No sale or sharing of Personal Data
Compliance with applicable data protection laws

                

Provider Personnel

SHS restricts employees from unauthorized Processing and requires confidentiality agreements.

                    Personnel Requirements:
                    Background checks for all personnel
Confidentiality agreements signed
Regular training on data protection
Access controls and monitoring
Immediate termination for violations

                

Sub-processors

General authorization for SHS to engage Sub-processors with Customer's right to object, and contractual protections required.

                    Sub-processor Requirements:
                    Customer notification of new Sub-processors
Right to object within 30 days
Contractual data protection obligations
Same level of protection as SHS
Regular audits and assessments

                

Security

SHS implements technical, organizational, and physical measures to protect Personal Data (see Exhibit B).

                    Security Measures Include:
                    Encryption of data in transit and at rest
Access controls and authentication
Regular security assessments
Incident response procedures
Business continuity planning

                

Cross-Border Transfers

Restricted Transfers will be governed by Standard Contractual Clauses (SCCs) and the UK Transfer Addendum as applicable.

                    Transfer Safeguards:
                    EU Standard Contractual Clauses
UK Transfer Addendum
Adequacy decisions where applicable
Additional safeguards as required
Regular review of transfer mechanisms

                

Data Subject Rights

SHS will reasonably cooperate with Customer to fulfill Data Subject access, deletion, and correction requests.

                    Supported Rights:
                    Right of access to Personal Data
Right to rectification
Right to erasure ("right to be forgotten")
Right to data portability
Right to restrict processing
Right to object to processing

                

Security Incident Response

SHS shall notify Customer within 72 hours of becoming aware of a Security Incident and cooperate on investigation.

                    Incident Response Process:
                    Immediate containment and assessment
Notification within 72 hours
Detailed investigation and documentation
Remediation and prevention measures
Regular updates to Customer

                

Data Protection Impact Assessment

SHS shall reasonably cooperate with Customer in conducting required assessments.

                    Assessment Support:
                    Provision of relevant documentation
Technical and organizational details
Risk assessment information
Mitigation measures documentation
Ongoing cooperation and updates

                

Return or Destruction of Personal Data

Upon termination, SHS will return or delete Customer Personal Data unless required by law to retain.

                    Data Disposition:
                    Secure deletion of all Personal Data
Return of data in standard format
Certification of deletion/return
Retention only where legally required
Ongoing protection of retained data

                

Audit

Customer may audit SHS compliance with this DPA, subject to confidentiality and reasonable notice.

                    Audit Rights:
                    Reasonable notice required (30 days)
Confidentiality obligations apply
Access to relevant documentation
On-site audits permitted
Cost sharing for extensive audits

                

Jurisdiction and Governing Law

This DPA is governed by the laws of the State of Delaware. Any disputes shall be resolved in the state or federal courts located in Delaware.

Indemnification; Limitations on Liability

SHS's aggregate liability under this DPA shall not exceed the lesser of Customer's pro-rated monthly service charge during the period of liability or $500.

Severance

If any provision of this DPA is invalid or unenforceable, the remaining provisions shall remain in full force.

Exhibit A: Details of Processing

                    Processing Details:
                    Subject matter: Call answering, message taking, follow-ups, scheduling, CRM integrations
Duration: As per Agreement
Types of Data: Name, phone number, email, address, call content
Categories: Customer's clients, Customer's employees, and Customer's end-users

                

Exhibit B: Security Measures

Includes physical, electronic, and organizational measures such as access controls, encryption, backup procedures, incident response, and vendor management.

                    Security Framework:
                    ISO 27001 compliant security program
Regular penetration testing
Employee security training
Vendor security assessments
Business continuity planning

                

Data Processing Addendum (DPA)

Table of Contents

Introduction

Purpose:

Definitions

Term

Processing of Customer Personal Data

Key Responsibilities:

Provider Personnel

Personnel Requirements:

Sub-processors

Sub-processor Requirements:

Security

Security Measures Include:

Cross-Border Transfers

Transfer Safeguards:

Data Subject Rights

Supported Rights:

Security Incident Response

Incident Response Process:

Data Protection Impact Assessment

Assessment Support:

Return or Destruction of Personal Data

Data Disposition:

Audit

Audit Rights:

Jurisdiction and Governing Law

Indemnification; Limitations on Liability

Severance

Exhibit A: Details of Processing

Processing Details:

Exhibit B: Security Measures

Security Framework:

Download Data Processing Addendum

Core Services

Call Answering Service

Appointment Booking

Customer Management

Solutions

SureHelp Answer

SureHelp Schedule

SureHelp Intelligence

By Business Size

Small Business

Growing Business

Enterprise

By Industry

Health & Personal Care

Home & Property Services

Specialty Trades & Construction

Legal & Financial Services

Education & Coaching

Retail & eCommerce Support

Event & Venue Services

Nonprofits & Ministries

Franchise Businesses & Multi-location Chains

Learn & Grow

Success Stories

ROI Calculator

Implementation Guide

Support

Help Center

Webinars & Training

Integration Directory

Data Processing Addendum (DPA)

Table of Contents

Introduction

Purpose:

Definitions

Term

Processing of Customer Personal Data

Key Responsibilities:

Provider Personnel

Personnel Requirements:

Sub-processors

Sub-processor Requirements:

Security

Security Measures Include:

Cross-Border Transfers

Transfer Safeguards:

Data Subject Rights

Supported Rights:

Security Incident Response

Incident Response Process:

Data Protection Impact Assessment

Assessment Support:

Return or Destruction of Personal Data

Data Disposition:

Audit

Audit Rights:

Jurisdiction and Governing Law

Indemnification; Limitations on Liability

Severance

Exhibit A: Details of Processing

Processing Details:

Exhibit B: Security Measures

Security Framework:

Download Data Processing Addendum