Data Processing Agreement
This Data Processing Agreement ("DPA") is between the customer (the "Controller") and Carbynix, LLC ("Carbynix," the "Processor"). It forms part of the Master Services Agreement (the "Agreement"). If the Agreement and this DPA conflict on the processing of personal data, this DPA controls.
1. Roles and scope
For the personal data contained in Customer Data that Carbynix processes to provide the Services, the Controller determines the purposes and means and Carbynix acts as Processor on the Controller's documented instructions. The Agreement, this DPA, and the Controller's use and configuration of the Services are the Controller's complete and final instructions. Carbynix will tell the Controller if, in its reasonable opinion, an instruction violates applicable data-protection law.
2. Details of processing (Exhibit A)
The nature, purpose, types of data, categories of data subjects, and duration of processing are set out in Exhibit A.
3. Processor obligations
Carbynix will:
- Process personal data only on the Controller's documented instructions, including for transfers, unless required by law (and then will inform the Controller unless the law prohibits it).
- Ensure that personnel authorized to process personal data are bound by a duty of confidentiality.
- Implement and maintain appropriate technical and organizational security measures, described in Exhibit B.
- Engage sub-processors only under a written contract imposing data-protection obligations no less protective than those in this DPA, and remain responsible for their performance. The current sub-processors are listed in the Carbynix sub-processor list, incorporated by reference. Carbynix will give the Controller notice of any intended addition or replacement and an opportunity to object.
- Taking into account the nature of processing, assist the Controller, by appropriate measures, in responding to data-subject rights requests and in meeting the Controller's obligations for security, breach notification, and data-protection assessments.
- At the Controller's direction, delete or return all personal data at the end of the provision of the Services, and delete existing copies unless retention is required by law.
- Make available to the Controller information reasonably necessary to demonstrate compliance with this DPA and applicable law, and cooperate with audits and inspections.
4. Security incidents
Carbynix will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal-data breach affecting Customer Data, provide the information reasonably available to help the Controller meet its own notification obligations, and cooperate in the investigation and remediation. Carbynix's notice is not an admission of fault. Notification obligations to regulators and individuals remain the Controller's, except where a HIPAA Business Associate Agreement or other addendum allocates them otherwise.
5. CCPA / service-provider terms
Where the Controller is subject to the California Consumer Privacy Act, Carbynix is a "service provider." Carbynix will not sell or share personal data, will not retain, use, or disclose it except as necessary to perform the Services or as permitted by the CCPA, and will not combine it with data from other sources except as the CCPA allows.
6. Health information
If the Controller is a HIPAA covered entity or business associate and Carbynix will create, receive, maintain, or transmit protected health information, the parties will execute the Carbynix HIPAA Business Associate Agreement, which governs that PHI and prevails over this DPA to the extent of any conflict for PHI.
7. International transfers
The Services and sub-processors are US-based, as listed in the sub-processor list. If any processing or sub-processor is later located outside the US, Carbynix will apply an appropriate transfer mechanism (such as the EU Standard Contractual Clauses) and notify the Controller before that change takes effect.
8. Liability and relationship to the Agreement
Each party's liability under this DPA is subject to the limitations of liability in the Agreement. Except as modified here, the Agreement remains in full force.
Exhibit A: details of processing
- Subject matter and nature: provision of Managed Detection and Response, including ingestion and analysis of security telemetry, detection of suspicious activity, alerting, and response support.
- Purpose: to provide, secure, maintain, and support the Services and to meet legal obligations.
- Categories of data subjects: the Controller's employees, contractors, administrators, and the end users of the monitored systems.
- Types of personal data: identifiers such as usernames and account IDs, device and host identifiers, IP addresses, network and endpoint telemetry, process and authentication events, and any personal data incidentally present in logs. Special-category data is not intentionally processed.
- Duration: for the term of the Agreement plus the retention period stated in the Order or Documentation, after which data is deleted or returned per section 3.6.
Exhibit B: security measures
Carbynix maintains administrative, technical, and physical safeguards including access controls and least privilege, encryption in transit and at rest, logging and monitoring, logical separation of each tenant's data with per-tenant access controls, secret management in AWS Secrets Manager, vulnerability management, and incident response. Current certification posture: aligning to SOC 2, NIST 800-53, and ISO 27001, not yet certified.