Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between:

and

This DPA supplements the Terms of Service and Privacy Policy and governs the processing of personal data by ArgumenTroupe on behalf of the Customer in accordance with the EU General Data Protection Regulation (GDPR) and German Federal Data Protection Act (BDSG).

1.1 Purpose of this DPA: This DPA establishes the obligations of both parties with respect to the processing of Customer Personal Data in connection with the Service, ensuring compliance with Article 28 of the GDPR.

1.2 Precedence: In case of conflict between this DPA and the Terms of Service regarding data protection matters, this DPA shall prevail.

For the purposes of this DPA, the following terms have the meanings set forth below:

"Customer Personal Data"

means any personal data that is processed by ArgumenTroupe on behalf of Customer in connection with the Service, as described in Annex A.

"Data Protection Laws"

means the GDPR (Regulation (EU) 2016/679), the German Federal Data Protection Act (BDSG), and any other applicable data protection legislation.

"Data Subject"

means an identified or identifiable natural person whose personal data is processed.

"Personal Data Breach"

means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.

"Processing"

means any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.

"Sub-processor"

means any third party engaged by ArgumenTroupe to process Customer Personal Data on behalf of the Customer.

"Standard Contractual Clauses" or "SCCs"

means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission (Decision 2021/914).

3.1 Scope: This DPA applies to all processing of Customer Personal Data by ArgumenTroupe in connection with the provision of the Service.

3.2 Purpose: ArgumenTroupe processes Customer Personal Data solely for the following purposes:

• Providing and maintaining the ArgumenTroupe Service
• Enabling collaborative argumentation and discussion features
• Providing AI-powered translation and analysis
• Sending email notifications related to the Service
• Complying with Customer's documented instructions
• Fulfilling legal obligations applicable to the Processor

3.3 Duration: Processing will continue for the duration of the Service Agreement plus any retention period required by applicable law or as specified in the Terms of Service (30-day data retention after termination).

3.4 Nature of Processing: The processing includes:

• Storage of Customer Data in secure cloud databases
• Transmission of data for AI translation services
• Email delivery for notifications
• Backup and disaster recovery operations
• Security monitoring and incident response

4.1 Categories of Data Subjects:

• Customer's employees, contractors, and agents (Authorized Users)
• Individuals whose data is included in Customer Content (discussions, arguments)
• External participants invited to Customer's organization

4.2 Categories of Personal Data:

ArgumenTroupe agrees to:

5.1 Process Only on Documented Instructions: Process Customer Personal Data only on documented instructions from the Customer (including those in the Terms of Service and through use of Service features), unless required by EU or Member State law to which the Processor is subject.

5.2 Confidentiality: Ensure that persons authorized to process Customer Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Security Measures: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 9 and Annex B.

5.4 Sub-processor Engagement: Not engage another processor (sub-processor) without prior specific or general written authorization from the Controller, as detailed in Section 7.

5.5 Data Subject Rights: Assist the Controller in responding to requests from data subjects exercising their rights under the GDPR, as detailed in Section 8.

5.6 Breach Notification: Notify the Controller without undue delay after becoming aware of a Personal Data Breach, as detailed in Section 10.

5.7 Compliance Assistance: Assist the Controller in ensuring compliance with obligations under Articles 32-36 GDPR (security, breach notification, data protection impact assessments, prior consultation).

5.8 Deletion or Return: At the choice of the Controller, delete or return all Customer Personal Data after the end of the provision of services, as detailed in Section 13.

5.9 Audit Cooperation: Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, as detailed in Section 11.

Customer agrees to:

6.1 Lawful Instructions: Ensure that instructions given to ArgumenTroupe regarding the processing of Customer Personal Data comply with all applicable Data Protection Laws.

6.2 Legal Basis: Have a valid legal basis for the processing of Customer Personal Data, including obtaining any necessary consents from data subjects.

6.3 Privacy Notices: Provide appropriate privacy notices to data subjects informing them of the processing of their personal data through the Service.

6.4 Data Subject Requests: Be responsible for responding to data subject requests and direct data subjects to use Customer's internal processes for such requests.

6.5 Data Accuracy: Ensure that Customer Personal Data is accurate, relevant, and limited to what is necessary for the purposes of processing.

6.6 Compliance: Comply with all applicable Data Protection Laws in connection with the use of the Service.

7.1 General Authorization: Customer hereby grants general authorization for ArgumenTroupe to engage sub-processors to process Customer Personal Data, subject to the requirements in this Section 7.

7.2 Current Sub-processors: The list of current sub-processors is available at ArgumenTroupe.com/subprocessors. Customer agrees to the use of the sub-processors listed as of the effective date of this DPA.

7.3 Notice of New Sub-processors: ArgumenTroupe will notify Customer at least 30 days before adding or replacing any sub-processor. Notification will be sent to the Customer's registered administrator email address.

7.4 Objection Right: Customer may object to a new sub-processor by notifying ArgumenTroupe in writing within 14 days of receiving notice. The objection must be based on reasonable data protection grounds. If the parties cannot resolve the objection, Customer may terminate the affected Service by providing written notice within 30 days.

7.5 Sub-processor Agreements: ArgumenTroupe will:

• Enter into a written agreement with each sub-processor imposing data protection obligations equivalent to those in this DPA
• Remain fully liable for the acts and omissions of its sub-processors
• Ensure sub-processors provide sufficient guarantees regarding security measures

8.1 Assistance: ArgumenTroupe will assist Customer in responding to requests from data subjects exercising their rights under GDPR Articles 15-22, including:

• Right to access (Article 15)
• Right to rectification (Article 16)
• Right to erasure / "right to be forgotten" (Article 17)
• Right to restriction of processing (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)

8.2 Service Features: ArgumenTroupe provides the following self-service features to facilitate data subject rights:

8.3 Direct Requests: If ArgumenTroupe receives a request directly from a data subject regarding Customer Personal Data, ArgumenTroupe will promptly redirect the data subject to Customer unless otherwise instructed by Customer.

8.4 Response Time: ArgumenTroupe will respond to Customer's reasonable requests for assistance within 10 business days, or sooner if required by applicable law.

9.1 Appropriate Measures: ArgumenTroupe implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing.

9.2 Technical Measures:

9.3 Organizational Measures:

9.4 Detailed Measures: See Annex B for a comprehensive list of technical and organizational measures.

10.1 Notification Timing: ArgumenTroupe will notify Customer without undue delay and no later than 72 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data.

10.2 Notification Content: The notification will include, to the extent available:

• Description of the nature of the breach, including categories and approximate number of data subjects and records concerned
• Name and contact details of the data protection officer or other contact point
• Description of likely consequences of the breach
• Description of measures taken or proposed to address the breach and mitigate its effects

10.3 Cooperation: ArgumenTroupe will cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

10.4 Customer Notification: Customer remains responsible for determining whether to notify supervisory authorities and/or affected data subjects in accordance with GDPR Articles 33 and 34.

11.1 Information Availability: ArgumenTroupe will make available to Customer all information reasonably necessary to demonstrate compliance with Article 28 GDPR obligations.

11.2 Audit Process: Customer (or an independent third-party auditor appointed by Customer) may conduct an audit, subject to:

• Providing at least 30 days' advance written notice
• Conducting the audit during normal business hours
• Ensuring auditors are bound by appropriate confidentiality obligations
• Not unreasonably interfering with ArgumenTroupe's business operations
• Limiting audits to once per 12-month period

11.3 Certifications: To satisfy audit requirements, ArgumenTroupe may provide:

• Relevant certifications (e.g., ISO 27001 from Azure)
• Third-party security audit reports
• Penetration testing results (summary)
• Compliance attestations

11.4 Costs: Customer bears the costs of any audit, except where the audit reveals a material breach by ArgumenTroupe of this DPA.

12.1 Primary Location: Customer Personal Data is primarily stored in the European Union (Microsoft Azure, Germany West region).

12.2 Transfer Mechanisms: Where Customer Personal Data is transferred outside the EU/EEA, ArgumenTroupe ensures appropriate safeguards through:

• EU-US Data Privacy Framework: For US service providers certified under the DPF
• Standard Contractual Clauses (SCCs): European Commission Decision 2021/914
• Adequacy Decisions: Transfers to countries with adequate protection

12.3 SCCs Incorporation: To the extent Customer Personal Data is transferred to countries without adequacy decisions, the EU Standard Contractual Clauses (Module Two: Controller to Processor) are hereby incorporated by reference as Annex C.

12.4 Transfer Details: See the Sub-processors page for specific transfer locations and safeguards for each sub-processor.

13.1 Upon Termination: Upon termination of the Service Agreement, at Customer's choice, ArgumenTroupe will:

• Return: Make Customer Personal Data available for export in machine-readable format (JSON/CSV) via the data export feature
• Delete: Delete all Customer Personal Data after the 30-day retention period following termination

13.2 Deletion Process:

• Production Systems: Data deleted within 7 days after retention period
• Backup Systems: Data purged within 60 days (normal backup rotation)
• Logs: Relevant logs deleted per retention schedule

13.3 User-Initiated Deletion: When individual users delete their accounts:

• Personal data (email, username, profile) is permanently deleted
• User-generated content (arguments, discussions) is anonymized and attributed to "[Deleted User]"
• This preserves discussion integrity while protecting privacy

13.4 Legal Retention: ArgumenTroupe may retain Customer Personal Data to the extent required by applicable law (e.g., tax records for 10 years under German law).

13.5 Certification: Upon request, ArgumenTroupe will provide written certification of data deletion.

13.6 Data Processing Upon Refund: If Customer exercises the 30-Day Money-Back Guarantee or receives any other refund:

• Service Termination: The subscription terminates immediately upon refund processing. ArgumenTroupe continues as data processor only during the 30-day data preservation period.
• Data Preservation: Customer Personal Data is preserved for 30 days following the refund to allow for data export. During this period, Section 13.1 (Return) remains available.
• Automatic Deletion: After the 30-day preservation period, standard deletion procedures (Section 13.2) apply automatically unless Customer requests earlier deletion.
• Billing Data: Billing records related to the refund (transaction IDs, refund amounts, processing dates) are retained as required by applicable tax and financial regulations, separate from Customer Personal Data.
• Re-subscription: If Customer re-subscribes within the 30-day period, a new DPA relationship commences and all preserved data becomes subject to the new agreement terms.

14.1 GDPR Liability: Each party's liability under GDPR shall be governed by GDPR Article 82.

14.2 Indemnification:

• ArgumenTroupe will indemnify Customer for damages arising from ArgumenTroupe's breach of this DPA or Data Protection Laws, to the extent ArgumenTroupe is responsible
• Customer will indemnify ArgumenTroupe for damages arising from Customer's instructions that violate Data Protection Laws

14.3 Limitations: Liability under this DPA is subject to the limitations set forth in the Terms of Service, except that nothing in this DPA limits either party's liability under GDPR Article 82.

15.1 Term: This DPA commences on the effective date of the Terms of Service and continues until the Terms of Service are terminated.

15.2 Survival: Sections 8 (Data Subject Rights), 10 (Breach Notification), 11 (Audit), 13 (Deletion), and 14 (Liability) survive termination.

15.3 Amendment: This DPA may be amended by ArgumenTroupe with 30 days' notice. Continued use of the Service after the effective date of amendments constitutes acceptance.