
Data Protection

Data Processing Agreement

How IdeaDunes processes personal data on behalf of our customers.

Last updated: March 1, 2026

1. Definitions

  • "Controller" means the Customer who determines the purposes and means of processing personal data.
  • "Processor" means IdeaDunes, which processes personal data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Sub-processor" means any third party engaged by IdeaDunes to process Personal Data.
  • "Data Subject" means the individual whose Personal Data is processed.

2. Scope & Purpose

This DPA applies to all Personal Data processed by IdeaDunes on behalf of the Customer through the use of the IdeaDunes platform. Processing activities include:

  • Storing and managing customer contact records (CRM)
  • Processing user account information for authentication
  • Managing communication logs (email, chat, calls)
  • Processing invoicing and payment data
  • Analytics and reporting on business operations

3. Data Processing Obligations

3.1. IdeaDunes (Processor) shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure all personnel processing data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller with Data Subject rights requests (access, rectification, erasure, portability)
  • Notify the Controller of any data breach within 72 hours of becoming aware
  • Delete or return all Personal Data upon termination of the agreement
  • Make available all information necessary to demonstrate compliance with GDPR Article 28

3.2. Security Measures

IdeaDunes implements the following measures:

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Role-based access control (RBAC) with least-privilege principle
  • Two-factor authentication for all admin access
  • Regular security assessments and penetration testing
  • Automated backup with 30-day retention
  • Audit logging of all data access and modifications
  • Input validation and sanitization (XSS, SQL injection prevention)
  • Rate limiting and DDoS protection

4. Sub-processors

IdeaDunes uses the following categories of sub-processors:

  • Cloud infrastructure providers (hosting, CDN, storage)
  • Email delivery services
  • Payment processing platforms
  • Analytics and monitoring services

A complete list of current sub-processors is maintained on our Sub-processors page. The Controller will be notified 30 days before any new sub-processor is engaged.

5. Data Transfers

If Personal Data is transferred outside the European Economic Area (EEA), IdeaDunes ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Transfer impact assessments for high-risk jurisdictions

6. Data Subject Rights

IdeaDunes provides tools for the Controller to fulfill Data Subject rights requests:

  • Access: Export personal data via dashboard or API
  • Rectification: Edit records directly in the platform
  • Erasure: Delete individual records or request full account deletion
  • Portability: Export data in standard formats (CSV, JSON)
  • Restriction: Archive or restrict processing of specific records

7. Data Breach Notification

In the event of a Personal Data breach, IdeaDunes will:

  • Notify the Controller within 72 hours of becoming aware
  • Provide details of the nature, scope, and impact of the breach
  • Describe measures taken or proposed to address the breach
  • Cooperate with the Controller's notification obligations to supervisory authorities

8. Duration & Termination

This DPA remains in effect for the duration of the service agreement. Upon termination:

  • IdeaDunes will delete all Personal Data within 90 days
  • Controller may request data export before deletion
  • A certificate of deletion is available upon request

9. Governing Law

This DPA is governed by the same laws as the main service agreement, with GDPR provisions taking precedence for EEA data subjects.

Need a signed DPA?

Enterprise customers can request a countersigned DPA for their records.