This Data Processing Agreement ("DPA") forms part of the Terms of Service between ExpertLayer ("Processor") and the Client ("Controller") and governs the processing of Personal Data as defined below.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by ExpertLayer on behalf of Client.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
"Data Protection Laws" means applicable data protection and privacy laws, including GDPR, CCPA, and other relevant regulations.
2. Scope and Duration
2.1 Scope
This DPA applies to all Personal Data processed by ExpertLayer in connection with the Services provided under the Terms of Service.
2.2 Duration
This DPA remains in effect for the duration of the Services agreement and continues until all Personal Data is deleted or returned.
3. Data Processing Details
3.1 Categories of Personal Data
ExpertLayer may process the following categories of Personal Data:
- Contact information (names, email addresses, phone numbers)
- Professional information (job titles, company details)
- Communication data (emails, chat messages, call logs)
- Customer interaction data (support tickets, feedback)
- Website and system usage data
- Any other Personal Data contained in Client Data
3.2 Categories of Data Subjects
- Client's employees and authorized users
- Client's customers and prospects
- Client's vendors and business contacts
- Website visitors and service users
3.3 Purpose of Processing
ExpertLayer processes Personal Data for the following purposes:
- Providing AI automation services
- Customer support and account management
- Service improvement and optimization
- Security monitoring and incident response
- Legal compliance and dispute resolution
4. Controller and Processor Obligations
4.1 Controller Responsibilities
Client warrants that:
- It has a lawful basis for processing Personal Data
- It has provided required notices to Data Subjects
- It has obtained necessary consents where required
- Processing instructions comply with Data Protection Laws
- It will not instruct ExpertLayer to process Personal Data unlawfully
4.2 Processor Responsibilities
ExpertLayer will:
- Process Personal Data only on documented instructions from Client
- Ensure confidentiality of Personal Data
- Implement appropriate technical and organizational measures
- Assist Client with Data Subject rights requests
- Assist Client with data protection impact assessments
- Delete or return Personal Data upon termination
5. Security Measures
5.1 Technical Measures
- Encryption of Personal Data in transit and at rest
- Access controls and authentication systems
- Regular security testing and vulnerability assessments
- Secure development practices
- Network security and monitoring
5.2 Organizational Measures
- Employee training on data protection
- Confidentiality agreements with staff
- Incident response procedures
- Regular security audits and reviews
- Data minimization practices
5.3 Security Standards
ExpertLayer maintains certifications and complies with:
- SOC 2 Type II requirements
- ISO 27001 standards (where applicable)
- Industry-specific security frameworks
- Regular third-party security assessments
6. Sub-Processors
6.1 Authorization
Client authorizes ExpertLayer to engage sub-processors for specific processing activities.
6.2 Current Sub-Processors
[List current sub-processors with their roles and locations]
6.3 New Sub-Processors
ExpertLayer will provide 30 days' notice before engaging new sub-processors. Client may object on reasonable data protection grounds.
6.4 Sub-Processor Obligations
All sub-processors will be bound by data protection obligations equivalent to this DPA.
7. International Data Transfers
7.1 Transfer Mechanisms
International transfers of Personal Data will be protected by:
- Adequacy decisions
- Standard Contractual Clauses
- Binding Corporate Rules
- Other approved transfer mechanisms
7.2 Additional Safeguards
Where required, ExpertLayer will implement additional technical and organizational measures to protect transferred Personal Data.
8. Data Subject Rights
8.1 Assistance with Requests
ExpertLayer will assist Client in responding to Data Subject requests, including:
- Access requests
- Rectification requests
- Erasure requests
- Restriction of processing
- Data portability requests
- Objection to processing
8.2 Response Timeframe
ExpertLayer will respond to assistance requests within 10 business days or as otherwise agreed.
8.3 Direct Requests
If ExpertLayer receives direct requests from Data Subjects, it will redirect them to Client unless legally required to respond directly.
9. Data Breach Notification
9.1 Incident Detection
ExpertLayer maintains monitoring systems to detect potential Personal Data breaches.
9.2 Notification Timeline
ExpertLayer will notify Client of any Personal Data breach within 72 hours of becoming aware of the incident.
9.3 Incident Information
Notifications will include:
- Nature and extent of the breach
- Categories and approximate numbers of affected Data Subjects
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact information for further details
9.4 Investigation and Remediation
ExpertLayer will investigate incidents and take appropriate remedial measures in consultation with Client.
10. Data Protection Impact Assessments
ExpertLayer will provide reasonable assistance to Client in conducting Data Protection Impact Assessments when:
- The processing is likely to result in high risk to Data Subjects
- Required by applicable Data Protection Laws
- Requested by Client for legitimate business purposes
11. Audits and Compliance
11.1 Documentation
ExpertLayer will maintain records demonstrating compliance with this DPA and applicable Data Protection Laws.
11.2 Audit Rights
Client may audit ExpertLayer's compliance with this DPA through:
- Review of compliance documentation
- Third-party audit reports
- On-site audits (with reasonable notice and at Client's expense)
11.3 Certification
ExpertLayer will maintain relevant compliance certifications and provide copies upon request.
12. Data Retention and Deletion
12.1 Retention Period
Personal Data will be retained only as long as necessary for the purposes outlined in this DPA or as required by law.
12.2 Deletion Process
Upon termination or Client request, ExpertLayer will:
- Delete all Personal Data within 30 days
- Provide certification of deletion
- Return Personal Data if requested before deletion
12.3 Legal Holds
ExpertLayer may retain Personal Data longer if required by legal obligations or pending legal proceedings.
13. Liability and Indemnification
13.1 Liability Allocation
Each party's liability for data protection violations is governed by the main Services agreement.
13.2 Regulatory Fines
Where fines are imposed due to joint Controller-Processor violations, liability will be allocated based on responsibility for the violation.
14. Dispute Resolution
Disputes regarding this DPA will be resolved through the dispute resolution mechanisms specified in the main Services agreement.
15. DPA Modifications
15.1 Legal Updates
ExpertLayer may update this DPA to reflect changes in Data Protection Laws with 30 days' notice.
15.2 Service Changes
Material changes to data processing practices will require Client consent or the opportunity to terminate Services.
16. Governing Law
This DPA is governed by the same law as the main Services agreement, with Data Protection Laws taking precedence for data protection matters.
17. Contact Information
For DPA-related inquiries, contact:
- Data Protection Officer: privacy@expertlayer.co
- Legal Department: legal@expertlayer.co
- Phone: +1 (832) 699-0608
By using our Services, you acknowledge and agree to the terms of this Data Processing Agreement.
Effective Date: 7th August 2025