Data Processing Addendum (DPA)

Effective Date: September 15, 2025

Entity: PhronEdge, a Texas corporation (“PhronEdge,” “Processor”)

Contacts: privacy@phronedge.com | legal@phronedge.com | support@phronedge.com

This Data Processing Addendum (“DPA”) forms part of the PhronEdge Terms of Service (“Agreement”) between PhronEdge and the Customer (“Controller”). Capitalized terms not defined here have the meanings given in the Agreement.

Precedence. If this DPA conflicts with the Agreement, this DPA controls to the extent of the conflict for processing of Personal Data.


1. Definitions

  • Applicable Data Protection Laws means all laws relating to privacy, data protection, and data security applicable to a party’s processing of Personal Data, including the GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, and similar U.S. state laws.

  • Personal Data has the meaning given in Applicable Data Protection Laws and includes “personal information” under CCPA/CPRA.

  • Personal Data Breach means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

  • SCCs means the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), including Modules 2 and/or 3 as applicable.

  • UK Addendum means the UK ICO’s International Data Transfer Addendum to the SCCs.

  • Service Provider and Contractor have the meanings under CCPA/CPRA.


2. Roles of the Parties

  • Customer acts as Controller.

  • PhronEdge acts as Processor.

  • Subprocessors engaged by PhronEdge act as further processors on PhronEdge’s behalf, as described in Section 6.


3. Processing Instructions and Processor Obligations

  • PhronEdge will process Personal Data only on documented instructions from Customer, including those in the Agreement, this DPA, and Customer’s configuration of the Service. If PhronEdge believes an instruction infringes Applicable Data Protection Laws, it will notify Customer.

  • PhronEdge ensures that persons it authorizes to process Personal Data are bound by contractual or statutory obligations of confidentiality.

  • PhronEdge will make available information reasonably necessary to demonstrate compliance with this DPA and will allow and contribute to audits as set out in Section 11.

  • PhronEdge will assist Customer, taking into account the nature of processing and information available, with:

    1. Responding to data subject rights requests,

    2. Ensuring security of processing,

    3. Supporting Customer’s notifications to supervisory authorities and affected data subjects,

    4. Conducting Data Protection Impact Assessments (DPIAs) and consultations with supervisory authorities.


4. Categories of Data and Subjects

  • Data Subjects: Authorized Users, Customer’s employees, contractors, collaborators.

  • Data Categories: identifiers (name, email, SSO ID), organizational metadata (role, team), service metadata (logs, usage), integration metadata, and Customer-submitted content.

  • Sensitive Data: Not required by the Service; processed only where expressly agreed in writing (for example, through a BAA or an amendment to this DPA together with the applicable Order).


5. Security Measures

PhronEdge implements industry-standard technical and organizational measures, summarized below and detailed in Annex B:

  • Encryption at rest (AES-256) and in transit (TLS 1.2+),

  • Multi-tenant isolation, least-privilege access,

  • Key and secrets management (AWS KMS for key management; AWS Systems Manager Parameter Store, KMS-encrypted, for secrets),

  • Logging, monitoring, anomaly detection,

  • Secure SDLC, vulnerability management, patching,

  • Incident response, disaster recovery, and continuity planning.


6. Subprocessors

  • PhronEdge may use Subprocessors to provide the Service. Current list: https://phronedge.com/legal/subprocessors.

  • PhronEdge will provide 30 days’ advance notice of new Subprocessors via website and email.

  • Customer may object on reasonable data protection grounds; parties will negotiate in good faith. If unresolved, Customer may suspend the affected processing or terminate the impacted Service (pro-rata refund).

  • PhronEdge will flow down equivalent obligations to all Subprocessors.


7. International Transfers

  • PhronEdge may transfer Personal Data internationally where required to deliver the Service.

  • Transfers will be governed by:

    • EU/EEA: SCCs (Module 2 and/or 3) (see Annex C).

    • UK: UK Addendum to the SCCs.

    • Switzerland: SCCs with FDPIC adaptations.

  • PhronEdge will reasonably assist with transfer impact assessments (TIAs).

  • If the SCCs, UK Addendum, or Swiss adaptations are invalidated or replaced, the parties will promptly implement an alternative lawful transfer mechanism.


8. Government and Law-Enforcement Requests

PhronEdge will promptly notify Customer of any legally binding request for disclosure of Personal Data by a public authority, unless legally prohibited. PhronEdge will challenge unlawful or overbroad requests where reasonable and disclose only the minimum required.


9. Data Subject Rights

PhronEdge will support Customer in responding to data subject rights requests under GDPR, CCPA, and similar laws. Requests may be submitted to privacy@phronedge.com.

PhronEdge may charge reasonable fees for assistance with requests that are excessive, repetitive, or manifestly unfounded.


10. Retention and Deletion

  • Default retention: 30 days.

  • Enterprise retention extensions per Order/DPA.

  • Upon termination or written request, PhronEdge will return or delete Customer Personal Data. Deletion will be completed within 30 days, with archives/backups cleared within standard cycles not to exceed 90 days.

  • Upon request, PhronEdge will provide Customer with a written certificate of deletion once deletion is complete.


11. Audit and Assessments

  • Once per 12 months (and after a material incident), Customer or an independent auditor (not a competitor) may audit PhronEdge’s compliance.

  • Audits may include review of PhronEdge-provided documentation, security questionnaires, and third-party reports (e.g., SOC 2). On-site or remote assessments may be conducted with 30 days’ notice.

  • Audits must minimize disruption, protect confidentiality, and are at Customer’s expense unless a material breach is found.

  • PhronEdge may charge reasonable fees for excessive or duplicative audit requests.


12. Breach Notification

PhronEdge will notify Customer without undue delay, and no later than 72 hours after confirming a Personal Data Breach affecting Personal Data processed on Customer’s behalf. The notice will include:

  • Nature of the breach,

  • Categories and approximate number of affected data subjects and records,

  • Likely consequences,

  • Mitigation measures taken or proposed,

  • Contact information for follow-up.


13. CCPA and U.S. State Laws

For CCPA/CPRA and similar laws, PhronEdge acts as a Service Provider/Processor. PhronEdge shall not:

  • Sell or share Personal Data,

  • Retain, use, or disclose Personal Data for any purpose other than providing the Service,

  • Combine Personal Data with other data except as permitted to perform the Service, detect security incidents, or comply with law.

PhronEdge certifies that it understands and will comply with these restrictions.


14. Liability

Liability under this DPA is subject to the limitations of liability in the Agreement.


15. Term

This DPA remains in force as long as PhronEdge processes Customer Personal Data. Where required by law, PhronEdge will appoint an EU and/or UK representative and provide contact details to Customer.


Annex A - Details of Processing

  • Subject matter: Provision and support of the Service.

  • Nature: Hosting, storage, transmission, indexing, analytics, logging.

  • Purpose: Deliver features, ensure security, provide support, and improve service.

  • Duration: Subscription Term + retention/deletion timelines.

  • Data subjects: Authorized Users, Customer personnel, collaborators.

  • Categories of Personal Data: identifiers, org/team metadata, logs, integration data, Customer-submitted content.

  • Sensitive data: Not required; only if expressly agreed.

  • Processing locations: Primarily U.S. (with subprocessors as listed).

  • Retention: 30 days default; enterprise extensions per Order/DPA.


Annex B - Technical and Organizational Measures (TOMs)

  • Access controls: RBAC, SSO/OAuth, least privilege.

  • Authentication/session management: Token expiry, refresh, revocation.

  • Encryption: AES-256 at rest; TLS 1.2+ in transit.

  • Key and secrets management: AWS KMS for encryption keys; AWS Systems Manager Parameter Store (KMS-encrypted) for application secrets.

  • Logging/monitoring: Centralized logs, anomaly detection, SIEM integration.

  • Secure SDLC: Code reviews, static/dynamic analysis, CI/CD checks.

  • Vulnerability management: regular scans, patch SLAs.

  • Incident response: Documented runbooks, 24/7 escalation, comms protocols.

  • BCP/DR: Tested recovery plans, defined RTO/RPO.

  • Vendor risk management: Assessments of subprocessors.

  • Employee security training and background checks.


Annex C - Transfer Mechanisms

  • EU SCCs (2021/914): Modules 2 and 3 apply. Annex I is completed by Annex A, Annex II by Annex B, and Annex III by the Subprocessor list. Clause 9(a), Option 2 (general written authorization) applies, with 30 days’ notice of new Subprocessors.

  • UK Addendum: Attached to SCCs; tables populated by Annex A/B.

  • Swiss FDPIC Addendum: SCCs adapted per FDPIC guidance.

© 2025 PhronEdge. All Rights Reserved