Data Processing Agreement

Data processing terms aligned with GDPR principles.

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Simply Asking and Customer for the use of our services. This DPA reflects our agreement regarding the Processing of Personal Data in accordance with GDPR, CCPA, and other applicable privacy laws.

Business Customers: For a signed copy of this DPA or customized terms, please contact legal@simplyasking.io

Last updated: March 16, 2026 | Version 1.2

1. Definitions

  • "Controller" means the entity that determines the purposes and means of Processing Personal Data (you, the Customer).
  • "Processor" means the entity that Processes Personal Data on behalf of the Controller (Simply Asking).
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or destruction.
  • "Security Incident" means any unauthorized access to, or destruction, loss, or alteration of Personal Data.
  • "Sub-processor" means any third party engaged by Simply Asking to Process Personal Data on your behalf.

2. Scope and Roles

This DPA applies to all Processing of Personal Data by Simply Asking on your behalf.

  • You (Controller): Determine what Personal Data is uploaded and how it should be processed
  • Simply Asking (Processor): Process Personal Data only according to your documented instructions

3. Our Security Commitments

We implement comprehensive technical and organizational measures to protect your data:

Technical Measures

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • Multi-factor authentication for administrative access
  • Regular security testing and vulnerability assessments
  • Intrusion detection and prevention systems

Organizational Measures

  • Role-based access control (principle of least privilege)
  • Security awareness training for all personnel
  • Documented incident response procedures
  • Regular security audits and assessments
  • Vendor security evaluation for all Sub-processors

4. Sub-processors

We use carefully vetted Sub-processors to provide our services. You can:

  • View our current Sub-processor list at Subprocessor Registry
  • Receive 30-day advance notice of any Sub-processor changes
  • Object to new Sub-processors within 14 days of notification

We impose data protection obligations on all Sub-processors that are no less protective than this DPA.

5. Data Subject Rights

We assist you in fulfilling Data Subject requests, including:

  • Right of access to Personal Data
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restrict Processing
  • Right to data portability
  • Right to object to Processing

You can use our built-in data management tools to respond to many requests directly, or contact us for assistance with complex requests.

6. Security Incident Response

We commit to notifying you of any Security Incident affecting your Personal Data within 72 hours of becoming aware.

Our notification will include:

  • Description of the incident
  • Categories and approximate number of affected records
  • Likely consequences
  • Measures taken to address and mitigate the incident

7. International Transfers

For transfers of Personal Data outside the EEA, UK, or Switzerland, we ensure appropriate safeguards:

  • EU Standard Contractual Clauses (SCCs) for EU data transfers
  • UK International Data Transfer Addendum for UK data
  • Additional technical safeguards including encryption and access controls

8. Data Retention and Deletion

  • We retain Personal Data only as long as necessary to provide the Services
  • You can export your data at any time using our built-in export tools
  • Upon termination, we delete or return all Personal Data within 30 days, with complete removal from all systems (including backups) within 60 days
  • We provide written certification of deletion upon request

9. Audits

We support your compliance verification through:

  • Security certifications and audit reports (available upon request)
  • Documentation of our security measures
  • Cooperation with Controller-initiated audits (with reasonable notice)

Request a Signed DPA

Business customers can request a countersigned copy of this DPA for their records. Typical response time: 2-3 business days.
