Parties
This Data Processing Addendum ("DPA") is entered into between TheSHFTApp LLC, a Florida limited liability company ("TheSHFTApp" or "Processor"), and the Business Customer identified in the applicable Enterprise Agreement, order form, or account registration ("Controller").
This DPA is incorporated into and forms part of the Enterprise Terms, Terms of Use, and any applicable agreement between the parties. In the event of a conflict, this DPA governs with respect to data processing matters.
1. Definitions
In addition to the definitions in the Master Definitions:
"Controller" means the Business Customer that determines the purposes and means of processing Personal Data.
"Data Protection Laws" means all applicable privacy and data protection laws, including the GDPR, UK GDPR, CCPA/CPRA, Florida Digital Bill of Rights, and any successor legislation.
"Personal Data" has the meaning given to "Personal Information" in the Master Definitions, and includes "personal data" as defined under GDPR.
"Processing" has the meaning given to "Data Processing" in the Master Definitions.
"Sub-processor" has the meaning given to "Subprocessor" in the Master Definitions.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries as approved by the European Commission.
2. Scope and Purpose
2.1 Processing on Behalf of Controller. TheSHFTApp processes Personal Data on behalf of the Controller in connection with the Services specified in the applicable Enterprise Agreement or order form.
2.2 Instructions. TheSHFTApp processes Personal Data only in accordance with the Controller's documented instructions, as set forth in the applicable agreement and this DPA. TheSHFTApp will promptly notify Controller if it believes an instruction violates applicable Data Protection Laws.
2.3 Purpose Limitation. TheSHFTApp will not use Personal Data processed under this DPA for any purpose other than providing the Services. In particular, TheSHFTApp will not use such Personal Data for its own commercial purposes.
3. TheSHFTApp's Obligations
3.1 Confidentiality. TheSHFTApp ensures that authorized personnel processing Personal Data are subject to confidentiality obligations.
3.2 Security. TheSHFTApp implements appropriate technical and organizational measures to protect Personal Data as described in the Security Overview. Specific security measures are described in Annex II.
3.3 Sub-processors. TheSHFTApp uses Sub-processors as described in the Subprocessor Policy. TheSHFTApp will inform the Controller of intended additions or replacements of Sub-processors in advance as specified herein.
3.4 Data Subject Rights. TheSHFTApp will provide reasonable assistance to the Controller in responding to data subject requests under applicable Data Protection Laws.
3.5 Data Protection Impact Assessments. TheSHFTApp will provide reasonable assistance where the Controller must conduct data protection impact assessments or prior consultations.
3.6 Deletion and Return. Upon termination of the applicable agreement, TheSHFTApp will delete or return all Personal Data as described in the Data Retention and Deletion Policy, unless retention is required by law.
3.7 Incident Notification. TheSHFTApp will notify the Controller without undue delay, and where feasible no later than 72 hours, after becoming aware of a Security Incident affecting Personal Data processed under this DPA.
4. Controller's Obligations
4.1 Lawful Basis. Controller represents and warrants that it has a lawful basis for processing Personal Data and for instructing TheSHFTApp to process Personal Data under this DPA.
4.2 Accuracy. Controller is responsible for the accuracy and lawfulness of Personal Data provided to TheSHFTApp.
4.3 Data Subject Notices. Controller is responsible for providing appropriate privacy notices to data subjects whose data is processed under this DPA.
5. Sub-processors
5.1 General Authorization. Controller provides general authorization for TheSHFTApp to engage Sub-processors as listed in the current Subprocessor Policy.
5.2 Notification of Changes. TheSHFTApp will provide at least thirty (30) days' advance notice before adding or replacing Sub-processors, via update to the Subprocessor Policy.
5.3 Objections. If Controller objects to a new Sub-processor on reasonable data protection grounds, Controller must notify TheSHFTApp in writing within fourteen (14) days of notice. The parties will work in good faith to resolve the objection. If unresolved, Controller may terminate the affected Services without penalty.
5.4 Contractual Requirements. TheSHFTApp imposes data protection obligations on Sub-processors equivalent to those in this DPA.
6. International Data Transfers
6.1 Transfer Mechanisms. Where Personal Data is transferred from the EEA, UK, or Switzerland to a third country, TheSHFTApp ensures appropriate safeguards are in place, including Standard Contractual Clauses (Module 2: Controller to Processor) as approved by the European Commission, or the UK International Data Transfer Agreement (IDTA), as applicable.
6.2 CCPA Compliance. Where applicable, TheSHFTApp acts as a "Service Provider" under the CCPA and processes Personal Data only as permitted.
7. Security Measures (Annex II Summary)
TheSHFTApp implements security measures including:
- Encryption of Personal Data in transit (TLS) and at rest (AES-256 or equivalent)
- Access controls and role-based access management
- Security logging and monitoring
- Regular security assessments
- Incident response procedures
- Employee security training
See the Security Overview for additional detail.
8. Audit Rights
Upon reasonable request and at Controller's expense, TheSHFTApp will provide information necessary to demonstrate compliance with this DPA, including through completion of security questionnaires or, no more than once per year, facilitation of an audit by a mutually agreed-upon independent auditor.
9. Contact
Data protection inquiries: privacy@theshftapp.com
Security matters: security@theshftapp.com
