Data Processing Agreement

GDPR-Compliant DPA - Last updated: March 9, 2026

Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and Auctra Inc. ("Processor") and governs the processing of Personal Data under the EU General Data Protection Regulation (GDPR).

1. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person processed through the Service
  • Processing: Any operation performed on Personal Data, including collection, storage, analysis, and deletion
  • Data Subject: The individual to whom Personal Data relates
  • Sub-processor: Any third party engaged by Auctra to process Personal Data

2. Scope and Roles

Controller: You determine the purposes and means of processing Personal Data

Processor: Auctra processes Personal Data on your behalf solely to provide the Service

This DPA applies to all Personal Data processed by Auctra when providing the authorization infrastructure service.

3. Processing Details

Subject Matter

Provision of real-time transaction authorization services

Duration

For the term of the Service agreement

Nature and Purpose

  • Processing authorization requests
  • Enforcing spending policies
  • Audit logging and reporting
  • Fraud detection and prevention

Categories of Data Subjects

  • Authorized users of Controller's Service
  • AI agents acting on behalf of Controller
  • Controller's employees and contractors

Categories of Personal Data

  • Contact information (name, email)
  • Transaction data (amounts, merchant categories)
  • Tokenized payment instrument identifiers
  • IP addresses and access logs

4. Processor Obligations

Auctra shall:

  • Process Personal Data only on documented instructions from Controller
  • Ensure persons authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational measures (see Section 6)
  • Only engage Sub-processors with Controller's consent (see Section 7)
  • Assist Controller in responding to Data Subject requests
  • Assist Controller in ensuring compliance with GDPR obligations
  • Delete or return Personal Data upon termination of services
  • Make available information necessary to demonstrate compliance

5. Controller Obligations

Controller shall:

  • Ensure it has a legal basis for processing Personal Data
  • Provide clear instructions for processing
  • Ensure Personal Data transferred is accurate and up-to-date
  • Comply with all applicable data protection laws
  • Inform Auctra immediately of any Data Subject requests

6. Security Measures

Auctra implements the following measures:

  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Access Control: Role-based access, MFA required
  • Monitoring: 24/7 security monitoring and logging
  • Incident Response: Documented procedures with 24-hour notification
  • Testing: Annual penetration testing and vulnerability scanning
  • Backup: Encrypted backups with geo-redundancy
  • Certification: SOC 2 Type II, ISO 27001, PCI DSS Level 1

7. Sub-processors

Auctra may engage the following Sub-processors. Controller provides general authorization for these Sub-processors:

Sub-processor          | Service                | Location
-----------------------|------------------------|---------
Amazon Web Services    | Cloud infrastructure   | USA, EU
Datadog                | Monitoring & logging   | USA
Stripe                 | Payment processing     | USA

Auctra will inform Controller of any intended changes concerning addition or replacement of Sub-processors with at least 30 days' notice.

8. Data Subject Rights

Auctra will assist Controller in fulfilling Data Subject rights requests:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

Requests should be submitted to privacy@auctra.io with response within 30 days.

9. Data Breach Notification

Auctra will notify Controller of any Personal Data breach without undue delay and in any event within 24 hours of becoming aware. Notification will include available information about the breach, affected Data Subjects, likely consequences, and measures taken or proposed.

10. International Transfers

For transfers of Personal Data from the EU/EEA to third countries, Auctra relies on:

  • Standard Contractual Clauses (EU Commission approved)
  • Adequacy decisions where applicable
  • Additional safeguards including encryption and access controls

11. Audit Rights

Controller may audit Auctra's compliance with this DPA once per year upon reasonable notice. Auctra's SOC 2 Type II report satisfies audit requirements unless Controller demonstrates specific concerns.

12. Data Deletion

Upon termination of services, Auctra will delete or return all Personal Data within 30 days, except where retention is required by law. Controller may request certification of deletion.

13. Contact

Data Protection Officer:

Email: dpo@auctra.io

Address: Auctra Inc., 548 Market St PMB 62969, San Francisco, CA 94104