Skip to main content

Data Processing Agreement

Last updated: May 31, 2026

Document owner: Data Protection Officer delegate and General Counsel
Review cadence: Quarterly; ad hoc upon legal, subprocessor, or security-control changes
Effective date: 2026-05-31
Processor legal entity: EthicPages, Inc.
Registered address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
Primary contact: ethicpages+contact@invictosoft.com

1. Parties and purpose

This Data Processing Agreement ("DPA") forms part of the agreement between the customer entity identified in the applicable order, checkout confirmation, or master agreement ("Controller" or "Customer") and EthicPages, Inc. ("Processor" or "EthicPages") for the provision of services under the Terms of Service and related commercial documents (collectively, the "Agreement").

This DPA governs Processing of Personal Data by EthicPages on behalf of Customer in connection with the Service. This DPA is intended to satisfy Article 28 GDPR and corresponding requirements under UK GDPR and related data protection laws.

If there is a conflict between this DPA and other contractual terms regarding processing of personal data, this DPA prevails for those processing matters.

2. Definitions

Capitalized terms not defined in this DPA have the meanings in GDPR, UK GDPR, or the Agreement.

TermMeaning
Applicable Data Protection LawGDPR, UK GDPR, and other binding privacy laws applicable to the Processing
ControllerThe entity determining purposes and means of Processing
ProcessorEthicPages, processing Personal Data on behalf of Controller
SubprocessorThird party engaged by Processor to Process Personal Data
Data SubjectIdentified or identifiable natural person to whom Personal Data relates
Personal Data BreachBreach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data
SCCsStandard Contractual Clauses approved by the European Commission (and UK addendum where required)

3. Scope and processing details

3.1 Subject matter, duration, and nature

EthicPages provides a platform for generating, managing, and publishing procurement-grade legal and compliance documentation. Processing includes collection, storage, organization, structuring, retrieval, consultation, transmission, and deletion of Personal Data submitted by or on behalf of Customer.

Processing duration is for the term of the Agreement plus any post-termination retention period required by law or documented backup cycles, after which deletion or anonymization applies as set out in this DPA.

3.2 Processing details table

CategoryDescription
Subject matterProcessing of Personal Data included in Customer account data, workspace data, generated content, and support interactions
Nature of processingHosting, storage, analysis, transmission, rendering, support handling, security monitoring, backup, and deletion
Purpose(s)Deliver contracted services, maintain security, provide support, and comply with documented Customer instructions
DurationTerm of Agreement plus limited post-termination retention and backup windows
Data subjectsCustomer employees, contractors, authorized users, and end users represented in Customer documentation
Data categoriesIdentity/contact information, organization role metadata, usage metadata, support content, and any data Customer submits
Special categoriesNot required for normal use; Customer must avoid unnecessary sensitive data unless explicitly permitted and legally justified

4. Roles and instructions

Customer acts as Controller (or Processor with authority from its Controller) and appoints EthicPages as Processor. EthicPages will Process Personal Data only on documented instructions from Customer, including instructions in the Agreement, this DPA, Customer configuration settings, and support requests that are consistent with the Agreement.

4.1 Instruction management

Instruction typeAccepted channelHandling
Agreement-defined instructionsTerms, DPA, product configurationAutomatically applied
Case-specific support instructionAuthenticated support request from authorized adminLogged and actioned if lawful and feasible
Deletion/export instructionIn-product admin action or authenticated written requestPerformed within standard operational windows
Unclear/conflicting instructionWritten clarification requestProcessing paused where needed pending clarification

If EthicPages believes an instruction violates Applicable Data Protection Law, EthicPages will inform Customer without undue delay unless prohibited by law.

5. Confidentiality and personnel controls

EthicPages ensures that persons authorized to Process Personal Data:

  1. are bound by confidentiality obligations (contractual or statutory);
  2. receive appropriate security and privacy training;
  3. have access limited to what is necessary for service delivery and security;
  4. are subject to role-based access controls and monitoring.

5.1 Access governance summary

Control areaImplementation principle
Least privilegeAccess rights granted only to required systems and scopes
AuthenticationStrong authentication and controlled session management
LoggingAccess and administrative actions logged for security review
OffboardingTimely revocation of access on role change or termination

6. Security of processing

EthicPages implements appropriate technical and organizational measures under Article 32 GDPR, considering the state of the art, costs, scope, context, and risk to rights and freedoms of natural persons.

6.1 Security measures matrix

DomainRepresentative controls
EncryptionEncryption in transit (TLS) and encryption at rest where supported
System integrityChange management, patching, vulnerability handling, and hardened deployment practices
AvailabilityBackups, operational monitoring, and incident response procedures
Access securityRole-based access control, audit logs, and privileged access restrictions
Application securitySecure development practices and abuse prevention safeguards
Organizational controlsPolicies, training, and vendor risk management

Customer acknowledges that no security system is infallible. EthicPages continuously improves controls based on risk, incidents, and technology evolution.

7. Subprocessing

Customer authorizes EthicPages to engage Subprocessors listed at Subprocessors, subject to safeguards in this DPA.

7.1 Subprocessor obligations

EthicPages will:

  1. enter into written agreements with Subprocessors imposing data protection obligations substantially equivalent to those in this DPA;
  2. conduct risk-based due diligence before onboarding;
  3. remain responsible for Subprocessor performance to the extent required by law and contract.

7.2 Subprocessor change notifications and objections

StepCommitment
Prior noticeMaterial Subprocessor additions/replacements notified through designated channels
Objection windowCustomer may raise reasonable data protection objections within 15 days of notice
Resolution pathParties cooperate in good faith; if unresolved, Customer may terminate affected service portion
Emergency onboardingAllowed when required for security/continuity, with prompt follow-up notice

8. International data transfers

Where Personal Data is transferred from the EEA, UK, or other restricted-transfer jurisdictions to countries without adequacy decisions, EthicPages will implement approved transfer mechanisms.

8.1 Transfer mechanisms

Transfer scenarioMechanism
EEA to non-adequate third countryEU SCCs (2021) with appropriate modules
UK to non-adequate third countryUK International Data Transfer Addendum to SCCs
Supplementary measuresTechnical and organizational safeguards, including encryption and access limitations

If a transfer mechanism becomes invalid or unlawful, parties will cooperate in good faith to implement a valid alternative mechanism.

9. Assistance with data subject rights

Taking into account the nature of Processing, EthicPages will assist Customer by appropriate technical and organizational measures, insofar as possible, for fulfillment of obligations to respond to Data Subject requests.

9.1 Rights request workflow

Request typeProcessor support
Access/exportProvide available tools or reasonable operational assistance
RectificationEnable updates to account/workspace data where feasible
ErasureApply deletion requests according to instruction and retention rules
Restriction/objectionSupport data handling changes where technically feasible

If EthicPages receives a request directly from a Data Subject related to Customer data, EthicPages will direct the requester to Customer unless legally required to respond differently.

10. Security incident and breach notification

EthicPages maintains incident detection and response procedures for security events affecting Personal Data.

In the event of a confirmed Personal Data Breach affecting Customer Personal Data, EthicPages will notify Customer without undue delay and, where feasible, within 72 hours after becoming aware of the breach.

10.1 Breach notice content

Information elementIncluded when available
Nature of breachCategories and approximate volume of affected records/data subjects
Likely consequencesKnown or reasonably suspected impact
Mitigation stepsMeasures taken or proposed to address and reduce adverse effects
Contact pointIncident response contact channel for follow-up

Notification timelines depend on availability of reliable facts; initial notices may be supplemented as investigation progresses.

11. DPIA and regulator cooperation

Upon reasonable request and taking into account the nature of Processing and information available to EthicPages, EthicPages will provide reasonable assistance to Customer with:

  • data protection impact assessments (DPIAs);
  • prior consultation with supervisory authorities, where required;
  • documented security and processing information necessary for compliance.

Such assistance is provided to the extent legally required and proportionate to risk, and may be subject to confidentiality safeguards.

12. Audit rights and information access

EthicPages will make available information reasonably necessary to demonstrate compliance with this DPA and Article 28 obligations.

12.1 Audit model

Audit methodAvailability
Documentation reviewAvailable upon request under confidentiality terms
Questionnaire-based reviewAvailable for risk-appropriate due diligence
Independent report reviewProvided where available and appropriate
On-site/remote auditBy exception where legally required and justified by material risk

Audit rights must be exercised with reasonable advance notice, during normal business hours, and in a manner that minimizes operational disruption. Customer bears its own audit costs unless otherwise agreed.

13. Deletion or return of personal data

Upon termination or expiration of the Agreement, and at Customer's election where technically feasible, EthicPages will delete or return Personal Data, unless retention is required by applicable law.

13.1 Post-termination handling

Data classHandling approach
Active workspace dataDeleted or made unavailable within standard deprovisioning window
BackupsRemoved through scheduled overwrite/deletion cycles
Billing/legal recordsRetained only as required by law or legitimate claim defense
Security logsRetained for limited periods tied to incident and abuse management obligations

After deletion, recovery may not be possible. Customer is responsible for exporting required data before termination.

14. Liability

Each party's liability under this DPA is subject to the liability limitations and exclusions in the Agreement, except to the extent prohibited by Applicable Data Protection Law.

Where GDPR Article 82 applies, responsibility allocation will reflect each party's role and actual responsibility for the damage-causing event.

15. Term and termination

This DPA remains in effect for as long as EthicPages Processes Personal Data on behalf of Customer under the Agreement. Termination of the Agreement triggers post-termination obligations described in this DPA.

16. Priority and amendments

This DPA supersedes prior processing addenda between parties for the same service scope unless explicitly preserved in writing. EthicPages may update this DPA where necessary to reflect legal developments, transfer-mechanism requirements, or product architecture changes, provided updates do not materially reduce Customer's data protection rights without notice.

17. Miscellaneous

17.1 Severability and interpretation

If any part of this DPA is held invalid, the remaining provisions remain in force. Terms are interpreted to achieve lawful processing and regulatory compliance to the fullest extent possible.

17.2 Governing law for DPA disputes

Unless Applicable Data Protection Law requires otherwise, governing law and venue follow the primary Agreement, including Delaware governing law terms in Terms of Service, without limiting mandatory rights under data protection law.

Annex I - Processing particulars

A. List of parties

RolePartyContact
ControllerCustomer entity identified in order/checkout recordsCustomer-admin designated contact
ProcessorEthicPages, Inc., 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQethicpages+contact@invictosoft.com

B. Description of transfer (where applicable)

FieldDescription
Data subjectsCustomer employees, contractors, and data subjects represented in Customer content
Data categoriesIdentity/contact details, usage and account metadata, support records, customer-submitted content
Sensitive dataNot intended; if submitted, Customer is responsible for lawful basis and minimization
FrequencyContinuous during active use
NatureHosting, storage, organization, retrieval, transmission, deletion
PurposeService delivery, support, reliability, and security
RetentionAs defined in Agreement and this DPA

C. Competent supervisory authority

The competent supervisory authority is determined under GDPR/UK GDPR rules based on Controller establishment and processing context.

Annex II - Technical and organizational measures (summary)

Measure familyExample implementation
Information security governancePolicies, assigned accountability, periodic review
Risk managementSecurity risk identification and treatment process
Logical accessAuthentication controls and role-based authorizations
Data protection by designControlled defaults, access scoping, and minimization practices
Incident responseDetection, triage, containment, investigation, and notification workflows
Resilience and continuityBackups, availability monitoring, and recovery procedures
Vendor managementDue diligence, contractual controls, and periodic reassessment

This annex provides a high-level summary and is not a complete security specification.

Annex III - Subprocessors

Current subprocessors and processing roles are maintained at Subprocessors. EthicPages will maintain this list and notify Customer of material changes as described in Section 7.

Contact for DPA matters

For DPA execution, SCC requests, transfer mechanism documentation, or data processing inquiries, contact ethicpages+contact@invictosoft.com with subject "DPA Request."

Related documents: Privacy Policy · Terms of Service · Subprocessors · Cookie Policy · Acceptable Use Policy

Template for operational transparency; not legal advice. Consult qualified counsel for your jurisdiction.