
Data Processing Agreement

Last Updated: January 2025

"GDPR-compliant data processing with 50 years of trust"

📄 Executive Summary

This Data Processing Agreement ("DPA") complies with GDPR, CCPA, and other privacy regulations. It governs how we process personal data on your behalf when providing managed security services.

Key Points: We act as your Data Processor. You remain the Data Controller. We only process data per your instructions. We maintain strict security and confidentiality.

1. Definitions

"Personal Data"
Any information relating to an identified or identifiable natural person that we process while providing services.
"Processing"
Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
"Data Controller" (You)
The entity that determines the purposes and means of processing Personal Data.
"Data Processor" (Us)
Mainstream Technology Group, processing Personal Data on behalf of the Data Controller.
"Sub-Processor"
Third-party service providers we engage to assist with processing activities.
"Data Subject"
The individual to whom Personal Data relates.
"Applicable Laws"
GDPR, CCPA, HIPAA, and other applicable data protection and privacy laws.

2. Scope & Roles

2.1 Your Role (Data Controller)

As Data Controller, you:

  • Determine the purposes and means of processing Personal Data
  • Ensure you have a legal basis for processing under applicable laws
  • Provide clear processing instructions to us
  • Ensure data subjects are informed about processing activities
  • Handle data subject rights requests as the primary point of contact

2.2 Our Role (Data Processor)

As Data Processor, we:

  • Process Personal Data only according to your documented instructions
  • Maintain confidentiality of all Personal Data
  • Implement appropriate technical and organizational security measures
  • Assist with data subject rights requests
  • Notify you of data breaches affecting Personal Data
  • Delete or return data upon termination

2.3 Scope of Processing

We process Personal Data only for the following purposes:

  • Providing managed security services as described in your service agreement
  • Monitoring systems for security threats and incidents
  • Responding to security events and performing incident response
  • Maintaining system logs for security and compliance purposes
  • Providing technical support and troubleshooting
  • Generating security reports and analytics

3. Data Processing Principles

3.1 Processing Instructions

We process Personal Data only based on your documented instructions, which are established through:

  • Your service agreement with us
  • This Data Processing Agreement
  • Written instructions provided via email or support tickets
  • Configuration settings you establish in managed systems

If we believe an instruction violates applicable laws, we will inform you immediately and refrain from processing until the matter is resolved.

3.2 Types of Personal Data

We may process the following categories of Personal Data while providing services:

  • User Account Data: Names, email addresses, usernames, job titles
  • Authentication Data: Login credentials, authentication tokens (encrypted)
  • System Logs: IP addresses, device identifiers, timestamps, user actions
  • Security Event Data: Threat indicators, incident details, response actions
  • Communication Data: Support tickets, email correspondence, phone call records
  • Business Data: Files and documents stored on managed systems (we do not access content)

3.3 Data Subjects

Personal Data may relate to:

  • Your employees and contractors
  • Your customers and clients
  • Your suppliers and business partners
  • Any individuals whose data is stored on systems we manage

3.4 Confidentiality

All personnel with access to Personal Data are:

  • Subject to confidentiality agreements
  • Trained in data protection principles
  • Granted access only on a need-to-know basis
  • Required to follow security protocols

4. Security Measures

4.1 Technical Measures

We implement industry-standard technical security measures:

  • Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access Controls: Role-based access with principle of least privilege
  • Authentication: Multi-factor authentication required for all administrative access
  • Network Security: Firewalls, intrusion detection, network segmentation
  • Monitoring: 24/7 security monitoring and threat detection
  • Backup: Encrypted backups with tested recovery procedures

4.2 Organizational Measures

We maintain organizational security controls:

  • Information security policies and procedures
  • Security awareness training for all staff
  • Background checks for personnel with data access
  • Incident response procedures and team
  • Business continuity and disaster recovery plans
  • Regular security assessments and audits

4.3 Security Standards

Our security program aligns with recognized frameworks:

  • NIST Cybersecurity Framework
  • ISO 27001 principles
  • CIS Critical Security Controls
  • Industry-specific requirements (HIPAA, PCI DSS when applicable)

5. Sub-Processors

5.1 Authorization

By entering into this DPA, you provide general authorization for us to engage Sub-Processors to assist with service delivery. We maintain responsibility for their compliance with this DPA.

5.2 Current Sub-Processors

We currently engage the following categories of Sub-Processors:

  • Cloud Infrastructure: Hosting and data storage providers
  • Security Tools: Threat intelligence and security software vendors
  • Communication: Email and communication platform providers
  • Analytics: Performance monitoring and analytics services

Note: A complete list of Sub-Processors is available upon request. Contact (603) 285-9680 x5050.

5.3 Sub-Processor Requirements

We ensure all Sub-Processors:

  • Provide appropriate security measures
  • Are bound by confidentiality obligations
  • Agree to data protection terms substantially similar to this DPA
  • Process data only for authorized purposes

5.4 Changes to Sub-Processors

If we engage new Sub-Processors or change existing ones:

  • We will notify you at least 30 days in advance
  • You may object for reasonable data protection grounds
  • If we cannot accommodate your objection, you may terminate services related to that Sub-Processor

6. Data Subject Rights

6.1 Assistance with Requests

We will assist you in responding to data subject rights requests, including:

  • Access: Providing copies of Personal Data
  • Rectification: Correcting inaccurate data
  • Erasure: Deleting data when legally required
  • Restriction: Limiting processing activities
  • Portability: Providing data in machine-readable format
  • Objection: Ceasing certain processing activities

6.2 Request Process

When you receive a data subject rights request:

  • Contact us immediately at (603) 285-9680 x5050
  • Provide details of the request and required timeline
  • We will respond within 5 business days with the requested information or actions
  • We will assist at no additional charge for reasonable requests

6.3 Direct Requests

If a data subject contacts us directly with a rights request:

  • We will notify you within 2 business days
  • We will not respond to the data subject without your instruction
  • You remain responsible for the substantive response

7. Data Breach Notification

7.1 Notification Obligation

If we discover a Personal Data breach, we will notify you:

  • Timeframe: Without undue delay, and in any case within 24 hours of discovery
  • Method: Phone call to (603) 285-9680 followed by written notification
  • 24/7 Contact: Available for Critical Infrastructure and Maximum Protection clients

7.2 Notification Content

Our breach notification will include:

  • Nature of the breach and Personal Data affected
  • Approximate number of data subjects and records affected
  • Likely consequences of the breach
  • Measures taken to address the breach
  • Measures recommended to mitigate potential adverse effects
  • Contact person for further information

7.3 Investigation & Remediation

Following a breach, we will:

  • Conduct immediate investigation to determine scope and impact
  • Take steps to contain and remediate the breach
  • Preserve evidence for regulatory reporting if required
  • Provide regular updates until resolution
  • Cooperate with any regulatory investigations

8. International Data Transfers

8.1 Data Location

Personal Data is primarily stored and processed in:

  • United States data centers
  • Infrastructure located in regions where you operate

8.2 International Transfers

If Personal Data is transferred outside the EEA or UK, we ensure appropriate safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Other legally approved transfer mechanisms

8.3 UK & EEA Clients

For clients subject to GDPR:

  • We can provide EU Standard Contractual Clauses upon request
  • UK International Data Transfer Addendum available when required
  • Contact us at (603) 285-9680 x5050 to request transfer documentation

9. Audit & Compliance

9.1 Audit Rights

You have the right to audit our compliance with this DPA:

  • Request audit information up to once per year
  • We will provide compliance documentation within 30 days of the request
  • On-site audits may be conducted with 60 days' notice
  • Audit costs are borne by the requesting party unless non-compliance is found

9.2 Compliance Documentation

We will provide upon request:

  • Security policies and procedures summaries
  • Third-party audit reports (SOC 2, ISO 27001 when available)
  • Certifications and compliance attestations
  • Sub-Processor information

9.3 Regulatory Inquiries

If a regulatory authority contacts us regarding your Personal Data:

  • We will notify you immediately
  • We will cooperate with investigations as legally required
  • We will not disclose Personal Data without legal obligation

10. Term & Termination

10.1 Term

This DPA remains in effect for the duration of your service agreement with us, and for as long as we process Personal Data on your behalf.

10.2 Data Return or Deletion

Upon termination of services, we will:

  • Return all Personal Data to you in a commonly used format, or
  • Securely delete all Personal Data per your instruction
  • Provide certification of deletion upon request
  • Complete the return or deletion within 30 days of termination

10.3 Retention Exceptions

We may retain Personal Data to the extent required by:

  • Applicable laws and regulations
  • Legal holds or litigation requirements
  • Legitimate business purposes (e.g., backup systems with automated deletion)

Retained data remains subject to confidentiality and security obligations.

10.4 Survival

The following sections survive termination:

  • Confidentiality obligations
  • Security requirements for retained data
  • Audit rights for prior processing activities
  • Liability and indemnification provisions

Contact for DPA Matters

For questions or requests related to this Data Processing Agreement:

Phone: (603) 285-9680 x5050

Main Line: (603) 285-9680

Address: Mainstream Technology Group

We will respond to DPA-related inquiries within 5 business days.

Amendments

This DPA may be amended to reflect:

  • Changes in applicable data protection laws
  • Guidance from regulatory authorities
  • Material changes to our services or security practices

Notice: We will notify you of material amendments at least 30 days in advance. Continued use of services constitutes acceptance of amendments.

Entire Agreement

This DPA, together with your service agreement and our Privacy Policy, constitutes the entire agreement regarding processing of Personal Data. In case of conflict, this DPA takes precedence on data protection matters.
