Data Processing Agreement (DPA)

Last updated: June 25, 2025

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the agreement between Elevate Technologies Inc. (“Processor”) and the Customer (“Controller”) and reflects the parties' agreement with regard to the processing of personal data.

2. Definitions

The terms used in this DPA shall have the meanings set forth in this DPA. Terms not defined shall have the meaning given to them in the GDPR:

  • “GDPR” means the General Data Protection Regulation (EU) 2016/679
  • “Personal Data” means any information relating to an identified or identifiable natural person
  • “Processing” means any operation performed on Personal Data
  • “Data Subject” means the identified or identifiable natural person to whom Personal Data relates

3. Processing of Personal Data

3.1 Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality
  • Implement appropriate technical and organizational measures to ensure security of processing
  • Assist the Controller in responding to requests from Data Subjects

4. Sub-processors

The Processor shall not engage another processor without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors.

5. Data Security

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • The pseudonymization and encryption of Personal Data
  • The ability to ensure ongoing confidentiality, integrity, availability, and resilience
  • The ability to restore availability and access to Personal Data
  • A process for regularly testing, assessing, and evaluating effectiveness of security measures

6. Data Breach Notification

In the case of a personal data breach, the Processor shall notify the Controller without undue delay and, where feasible, not later than 72 hours after having become aware of it.

7. Contact Information

For any questions about this DPA, please contact us at [email protected]