Data Processing Agreement
Last updated: May 31, 2026
Document owner: Data Protection Officer delegate and General Counsel
Review cadence: Quarterly; ad hoc upon legal, subprocessor, or security-control changes
Effective date: 2026-05-31
Processor legal entity: EthicPages, Inc.
Registered address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
Primary contact: ethicpages+contact@invictosoft.com
1. Parties and purpose
This Data Processing Agreement ("DPA") forms part of the agreement between the customer entity identified in the applicable order, checkout confirmation, or master agreement ("Controller" or "Customer") and EthicPages, Inc. ("Processor" or "EthicPages") for the provision of services under the Terms of Service and related commercial documents (collectively, the "Agreement").
This DPA governs Processing of Personal Data by EthicPages on behalf of Customer in connection with the Service. This DPA is intended to satisfy Article 28 GDPR and corresponding requirements under UK GDPR and related data protection laws.
If there is a conflict between this DPA and other contractual terms regarding processing of personal data, this DPA prevails for those processing matters.
2. Definitions
Capitalized terms not defined in this DPA have the meanings in GDPR, UK GDPR, or the Agreement.
| Term | Meaning |
|---|---|
| Applicable Data Protection Law | GDPR, UK GDPR, and other binding privacy laws applicable to the Processing |
| Controller | The entity determining purposes and means of Processing |
| Processor | EthicPages, processing Personal Data on behalf of Controller |
| Subprocessor | Third party engaged by Processor to Process Personal Data |
| Data Subject | Identified or identifiable natural person to whom Personal Data relates |
| Personal Data Breach | Breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data |
| SCCs | Standard Contractual Clauses approved by the European Commission (and UK addendum where required) |
3. Scope and processing details
3.1 Subject matter, duration, and nature
EthicPages provides a platform for generating, managing, and publishing procurement-grade legal and compliance documentation. Processing includes collection, storage, organization, structuring, retrieval, consultation, transmission, and deletion of Personal Data submitted by or on behalf of Customer.
Processing duration is for the term of the Agreement plus any post-termination retention period required by law or documented backup cycles, after which deletion or anonymization applies as set out in this DPA.
3.2 Processing details table
| Category | Description |
|---|---|
| Subject matter | Processing of Personal Data included in Customer account data, workspace data, generated content, and support interactions |
| Nature of processing | Hosting, storage, analysis, transmission, rendering, support handling, security monitoring, backup, and deletion |
| Purpose(s) | Deliver contracted services, maintain security, provide support, and comply with documented Customer instructions |
| Duration | Term of Agreement plus limited post-termination retention and backup windows |
| Data subjects | Customer employees, contractors, authorized users, and end users represented in Customer documentation |
| Data categories | Identity/contact information, organization role metadata, usage metadata, support content, and any data Customer submits |
| Special categories | Not required for normal use; Customer must avoid unnecessary sensitive data unless explicitly permitted and legally justified |
4. Roles and instructions
Customer acts as Controller (or Processor with authority from its Controller) and appoints EthicPages as Processor. EthicPages will Process Personal Data only on documented instructions from Customer, including instructions in the Agreement, this DPA, Customer configuration settings, and support requests that are consistent with the Agreement.
4.1 Instruction management
| Instruction type | Accepted channel | Handling |
|---|---|---|
| Agreement-defined instructions | Terms, DPA, product configuration | Automatically applied |
| Case-specific support instruction | Authenticated support request from authorized admin | Logged and actioned if lawful and feasible |
| Deletion/export instruction | In-product admin action or authenticated written request | Performed within standard operational windows |
| Unclear/conflicting instruction | Written clarification request | Processing paused where needed pending clarification |
If EthicPages believes an instruction violates Applicable Data Protection Law, EthicPages will inform Customer without undue delay unless prohibited by law.
5. Confidentiality and personnel controls
EthicPages ensures that persons authorized to Process Personal Data:
- are bound by confidentiality obligations (contractual or statutory);
- receive appropriate security and privacy training;
- have access limited to what is necessary for service delivery and security;
- are subject to role-based access controls and monitoring.
5.1 Access governance summary
| Control area | Implementation principle |
|---|---|
| Least privilege | Access rights granted only to required systems and scopes |
| Authentication | Strong authentication and controlled session management |
| Logging | Access and administrative actions logged for security review |
| Offboarding | Timely revocation of access on role change or termination |
6. Security of processing
EthicPages implements appropriate technical and organizational measures under Article 32 GDPR, considering the state of the art, costs, scope, context, and risk to rights and freedoms of natural persons.
6.1 Security measures matrix
| Domain | Representative controls |
|---|---|
| Encryption | Encryption in transit (TLS) and encryption at rest where supported |
| System integrity | Change management, patching, vulnerability handling, and hardened deployment practices |
| Availability | Backups, operational monitoring, and incident response procedures |
| Access security | Role-based access control, audit logs, and privileged access restrictions |
| Application security | Secure development practices and abuse prevention safeguards |
| Organizational controls | Policies, training, and vendor risk management |
Customer acknowledges that no security system is infallible. EthicPages continuously improves controls based on risk, incidents, and technology evolution.
7. Subprocessing
Customer authorizes EthicPages to engage Subprocessors listed at Subprocessors, subject to safeguards in this DPA.
7.1 Subprocessor obligations
EthicPages will:
- enter into written agreements with Subprocessors imposing data protection obligations substantially equivalent to those in this DPA;
- conduct risk-based due diligence before onboarding;
- remain responsible for Subprocessor performance to the extent required by law and contract.
7.2 Subprocessor change notifications and objections
| Step | Commitment |
|---|---|
| Prior notice | Material Subprocessor additions/replacements notified through designated channels |
| Objection window | Customer may raise reasonable data protection objections within 15 days of notice |
| Resolution path | Parties cooperate in good faith; if unresolved, Customer may terminate affected service portion |
| Emergency onboarding | Allowed when required for security/continuity, with prompt follow-up notice |
8. International data transfers
Where Personal Data is transferred from the EEA, UK, or other restricted-transfer jurisdictions to countries without adequacy decisions, EthicPages will implement approved transfer mechanisms.
8.1 Transfer mechanisms
| Transfer scenario | Mechanism |
|---|---|
| EEA to non-adequate third country | EU SCCs (2021) with appropriate modules |
| UK to non-adequate third country | UK International Data Transfer Addendum to SCCs |
| Supplementary measures | Technical and organizational safeguards, including encryption and access limitations |
If a transfer mechanism becomes invalid or unlawful, parties will cooperate in good faith to implement a valid alternative mechanism.
9. Assistance with data subject rights
Taking into account the nature of Processing, EthicPages will assist Customer by appropriate technical and organizational measures, insofar as possible, for fulfillment of obligations to respond to Data Subject requests.
9.1 Rights request workflow
| Request type | Processor support |
|---|---|
| Access/export | Provide available tools or reasonable operational assistance |
| Rectification | Enable updates to account/workspace data where feasible |
| Erasure | Apply deletion requests according to instruction and retention rules |
| Restriction/objection | Support data handling changes where technically feasible |
If EthicPages receives a request directly from a Data Subject related to Customer data, EthicPages will direct the requester to Customer unless legally required to respond differently.
10. Security incident and breach notification
EthicPages maintains incident detection and response procedures for security events affecting Personal Data.
In the event of a confirmed Personal Data Breach affecting Customer Personal Data, EthicPages will notify Customer without undue delay and, where feasible, within 72 hours after becoming aware of the breach.
10.1 Breach notice content
| Information element | Included when available |
|---|---|
| Nature of breach | Categories and approximate volume of affected records/data subjects |
| Likely consequences | Known or reasonably suspected impact |
| Mitigation steps | Measures taken or proposed to address and reduce adverse effects |
| Contact point | Incident response contact channel for follow-up |
Notification timelines depend on availability of reliable facts; initial notices may be supplemented as investigation progresses.
11. DPIA and regulator cooperation
Upon reasonable request and taking into account the nature of Processing and information available to EthicPages, EthicPages will provide reasonable assistance to Customer with:
- data protection impact assessments (DPIAs);
- prior consultation with supervisory authorities, where required;
- documented security and processing information necessary for compliance.
Such assistance is provided to the extent legally required and proportionate to risk, and may be subject to confidentiality safeguards.
12. Audit rights and information access
EthicPages will make available information reasonably necessary to demonstrate compliance with this DPA and Article 28 obligations.
12.1 Audit model
| Audit method | Availability |
|---|---|
| Documentation review | Available upon request under confidentiality terms |
| Questionnaire-based review | Available for risk-appropriate due diligence |
| Independent report review | Provided where available and appropriate |
| On-site/remote audit | By exception where legally required and justified by material risk |
Audit rights must be exercised with reasonable advance notice, during normal business hours, and in a manner that minimizes operational disruption. Customer bears its own audit costs unless otherwise agreed.
13. Deletion or return of personal data
Upon termination or expiration of the Agreement, and at Customer's election where technically feasible, EthicPages will delete or return Personal Data, unless retention is required by applicable law.
13.1 Post-termination handling
| Data class | Handling approach |
|---|---|
| Active workspace data | Deleted or made unavailable within standard deprovisioning window |
| Backups | Removed through scheduled overwrite/deletion cycles |
| Billing/legal records | Retained only as required by law or legitimate claim defense |
| Security logs | Retained for limited periods tied to incident and abuse management obligations |
After deletion, recovery may not be possible. Customer is responsible for exporting required data before termination.
14. Liability
Each party's liability under this DPA is subject to the liability limitations and exclusions in the Agreement, except to the extent prohibited by Applicable Data Protection Law.
Where GDPR Article 82 applies, responsibility allocation will reflect each party's role and actual responsibility for the damage-causing event.
15. Term and termination
This DPA remains in effect for as long as EthicPages Processes Personal Data on behalf of Customer under the Agreement. Termination of the Agreement triggers post-termination obligations described in this DPA.
16. Priority and amendments
This DPA supersedes prior processing addenda between parties for the same service scope unless explicitly preserved in writing. EthicPages may update this DPA where necessary to reflect legal developments, transfer-mechanism requirements, or product architecture changes, provided updates do not materially reduce Customer's data protection rights without notice.
17. Miscellaneous
17.1 Severability and interpretation
If any part of this DPA is held invalid, the remaining provisions remain in force. Terms are interpreted to achieve lawful processing and regulatory compliance to the fullest extent possible.
17.2 Governing law for DPA disputes
Unless Applicable Data Protection Law requires otherwise, governing law and venue follow the primary Agreement, including Delaware governing law terms in Terms of Service, without limiting mandatory rights under data protection law.
Annex I - Processing particulars
A. List of parties
| Role | Party | Contact |
|---|---|---|
| Controller | Customer entity identified in order/checkout records | Customer-admin designated contact |
| Processor | EthicPages, Inc., 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ | ethicpages+contact@invictosoft.com |
B. Description of transfer (where applicable)
| Field | Description |
|---|---|
| Data subjects | Customer employees, contractors, and data subjects represented in Customer content |
| Data categories | Identity/contact details, usage and account metadata, support records, customer-submitted content |
| Sensitive data | Not intended; if submitted, Customer is responsible for lawful basis and minimization |
| Frequency | Continuous during active use |
| Nature | Hosting, storage, organization, retrieval, transmission, deletion |
| Purpose | Service delivery, support, reliability, and security |
| Retention | As defined in Agreement and this DPA |
C. Competent supervisory authority
The competent supervisory authority is determined under GDPR/UK GDPR rules based on Controller establishment and processing context.
Annex II - Technical and organizational measures (summary)
| Measure family | Example implementation |
|---|---|
| Information security governance | Policies, assigned accountability, periodic review |
| Risk management | Security risk identification and treatment process |
| Logical access | Authentication controls and role-based authorizations |
| Data protection by design | Controlled defaults, access scoping, and minimization practices |
| Incident response | Detection, triage, containment, investigation, and notification workflows |
| Resilience and continuity | Backups, availability monitoring, and recovery procedures |
| Vendor management | Due diligence, contractual controls, and periodic reassessment |
This annex provides a high-level summary and is not a complete security specification.
Annex III - Subprocessors
Current subprocessors and processing roles are maintained at Subprocessors. EthicPages will maintain this list and notify Customer of material changes as described in Section 7.
Contact for DPA matters
For DPA execution, SCC requests, transfer mechanism documentation, or data processing inquiries, contact ethicpages+contact@invictosoft.com with subject "DPA Request."
Related documents: Privacy Policy · Terms of Service · Subprocessors · Cookie Policy · Acceptable Use Policy