CommandVault Legal

Data Processing Addendum

Effective February 1, 2026

This Data Processing Addendum ("DPA") supplements the Terms of Service between BirdenMedia LLC ("Processor") and the Agency ("Controller") for the CommandVault Service. In the event of a conflict between the Terms and this DPA on matters relating to personal-data processing, this DPA controls.

1. Definitions

Capitalized terms not defined here have the meaning given in the Terms. "Personal Data", "Processing", and "Data Subject" have the meanings given in applicable data-protection laws.

2. Roles & scope

Controller determines the purposes of Processing. Processor processes Personal Data only on documented instructions from Controller, which are: (a) to provide the Service, (b) to generate reports Controller requests, and (c) as otherwise required by law.

3. Categories of Data Subjects

  • Controller's employees and authorized contractors (officers, supervisors, administrators);
  • Controller's authorized vendors and inspectors.

4. Categories of Personal Data

  • Identifiers: name, email, badge number, phone number;
  • Employment data: rank, unit, squad assignment, date of hire;
  • Authentication data: password hashes, session tokens, access logs;
  • Operational data tied to a user: asset assignments, inspection responses, fuel and maintenance entries.

5. Sub-processors

Controller authorizes Processor to engage sub-processors. Processor will (i) maintain a current list, available on request, (ii) require sub-processors to meet data-protection obligations at least as protective as this DPA, and (iii) remain liable for sub-processor performance.

6. Security

Processor implements appropriate technical and organizational measures, including: encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access control, audit logging, intrusion detection, regular vulnerability scanning, background checks on personnel with production access, and a documented incident-response plan.

7. Personal Data Breach

Processor will notify Controller without undue delay and in no event later than 72 hours after becoming aware of a Personal Data breach affecting Controller's data, and will cooperate in any investigation and notification Controller is required to make.

8. Data Subject Rights

Processor will, to the extent technically feasible, assist Controller in responding to Data Subject requests (access, rectification, erasure, portability, objection).

9. International transfers

Personal Data is processed in the United States. Where transfers out of a data-subject's home jurisdiction are required, Processor will rely on an appropriate transfer mechanism (e.g. Standard Contractual Clauses).

10. Return or deletion

On termination Processor will, at Controller's option, return or irrevocably delete all Personal Data within 30 days, unless retention is required by law.

11. Audit

Upon reasonable written notice Controller may, no more than once per year, audit Processor's compliance with this DPA. Processor may satisfy audit obligations by providing current independent third-party attestation reports.

12. Contact

Processor's data-protection contact: privacy@commandvault.app.

© 2026 CommandVault.