Data Processing Agreement

Template for execution with Services Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Services Agreement between Rad Blue, Inc., a Delaware corporation ("Processor," "Aurium," "we," or "us") and the entity agreeing to these terms ("Controller," "Customer," or "you").

This DPA reflects the parties' commitment to comply with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and the California Consumer Privacy Act ("CCPA").

2. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person processed by Aurium on behalf of Customer.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
• "Sub-processor" means any third party engaged by Aurium to process Personal Data on behalf of Customer.
• "Data Subject" means the individual to whom Personal Data relates.

3. Scope and Roles

3.1 Roles

• Customer is the Controller of Personal Data
• Aurium is the Processor acting on Customer's instructions

3.2 Categories of Data Subjects

• Customer employees and representatives
• Customer's leads and prospects
• Business contacts

3.3 Types of Personal Data

• Contact information (name, email, phone, address)
• Professional information (company, title, LinkedIn profile)
• Communication content (messages, meeting details)

4. Aurium Obligations

4.1 Processing Instructions

• Process Personal Data only on documented instructions from Customer
• Inform Customer if an instruction violates applicable law

4.2 Security Measures

Implement appropriate technical and organizational measures, including:

• Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
• Access controls and authentication
• Regular security testing
• Incident response procedures
• Employee security training

4.3 Data Subject Rights

• Assist Customer in responding to Data Subject requests
• Notify Customer of any Data Subject requests received directly
• Not respond to Data Subject requests without Customer's authorization

5. Sub-processors

5.1 Authorized Sub-processors

5.2 Changes to Sub-processors

• Aurium will notify Customer of new Sub-processors at least 14 days before engagement
• Customer may object to a new Sub-processor within 14 days of notification
• If Customer objects and Aurium cannot accommodate, Customer may terminate the affected services

6. International Transfers

For transfers of Personal Data outside the EEA/UK, Aurium relies on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• UK International Data Transfer Agreement (IDTA) for UK transfers

7. Security Incidents

7.1 Notification

Aurium will notify Customer without undue delay (and within 72 hours where feasible) upon becoming aware of a Personal Data breach.

7.2 Notification Contents

• Nature of the breach
• Categories and approximate number of Data Subjects affected
• Likely consequences
• Measures taken or proposed to address the breach

8. Data Retention and Deletion

8.1 Retention

Aurium retains Personal Data for the duration of the Services Agreement plus 30 days.

8.2 Deletion

Upon termination or Customer's request:

• Aurium will delete Personal Data within 30 days
• Aurium will provide written confirmation of deletion upon request
• Backup data will be deleted within the normal backup cycle (14 days)

8.3 Return of Data

Upon request, Aurium will provide Customer with a copy of Personal Data in a commonly used, machine-readable format before deletion.

9. Contact

Aurium Data Protection Contact:

Rad Blue, Inc.
128 Sunset Blvd #1186
New Castle, DE 19720
Email: privacy@aurium.ai