Data Processing Agreement

1. Definitions

• "Controller" means your organization that determines the purposes and means of processing Personal Data.
• "Processor" means Cirrus Inc., which processes Personal Data on behalf of the Controller.
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data (collection, storage, use, disclosure, deletion).
• "Data Subject" means the individual to whom Personal Data relates.
• "Sub-processor" means a third party engaged by Cirrus to process Personal Data.
• "SCCs" means the EU Standard Contractual Clauses for data transfers.

2. Scope and Roles

2.1 Processing Relationship

For the purpose of this DPA, your organization ("Customer") acts as the Controller and Cirrus acts as the Processor with respect to Personal Data processed through the Platform.

2.2 Categories of Personal Data

• User account information (name, email, role)
• Authentication data (encrypted credentials, MFA tokens)
• Video and audio content containing individuals
• Usage data and activity logs
• IP addresses and device information

2.3 Categories of Data Subjects

• Customer employees and contractors
• Individuals appearing in uploaded content
• End users of translated content

2.4 Processing Purpose

Personal Data is processed solely to provide the ASL translation services described in the Terms of Service, including video processing, storage, and delivery.

3. Processor Obligations

Cirrus shall:

• Process Personal Data only on documented instructions from the Controller
• Ensure personnel are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist the Controller in responding to Data Subject requests
• Assist with data protection impact assessments when required
• Delete or return Personal Data upon termination (at Controller's choice)
• Make available information necessary to demonstrate compliance
• Allow and contribute to audits conducted by the Controller

4. Security Measures

Cirrus implements and maintains the following security measures (SOC 2 Type II compliant):

4.1 Technical Measures

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Multi-factor authentication for all users
• Role-based access control (RBAC)
• Network segmentation and firewalls
• Intrusion detection and prevention systems
• Regular vulnerability scanning and penetration testing
• Automated backup with encryption

4.2 Organizational Measures

• Security awareness training for all personnel
• Background checks for employees with data access
• Incident response procedures and breach notification
• Regular security audits and assessments
• Documented security policies and procedures

5. Sub-processors

5.1 Authorization

The Controller provides general authorization for Cirrus to engage sub-processors. Cirrus maintains contracts with sub-processors that impose equivalent data protection obligations.

5.2 Current Sub-processors

5.3 Changes to Sub-processors

Cirrus will notify the Controller of any intended changes to sub-processors at least 30 days in advance. The Controller may object to the change within 14 days.

6. International Data Transfers

6.1 Transfer Mechanisms

For transfers of Personal Data from the EEA, UK, or Switzerland to the United States, Cirrus relies on:

• EU Standard Contractual Clauses (Module 2: Controller to Processor)
• UK International Data Transfer Agreement (IDTA)
• Swiss-US Data Privacy Framework (where applicable)

6.2 Supplementary Measures

Cirrus implements the following supplementary measures:

• Encryption of data in transit and at rest
• Pseudonymization where feasible
• Transparency reports on government requests
• Challenge of overbroad access requests

7. Data Subject Rights

Cirrus will assist the Controller in responding to Data Subject requests including:

• Access to Personal Data
• Rectification of inaccurate data
• Erasure ("right to be forgotten")
• Restriction of processing
• Data portability
• Objection to processing

Requests should be directed to [email protected]. Response time: 30 days.

8. Data Breach Notification

8.1 Notification Timeline

Cirrus will notify the Controller of any Personal Data breach without undue delay, and in any event within 72 hours of becoming aware of the breach.

8.2 Notification Content

Breach notifications will include:

• Nature of the breach and categories of data affected
• Approximate number of Data Subjects affected
• Contact information for the Data Protection Officer
• Likely consequences of the breach
• Measures taken or proposed to address the breach

9. Data Retention and Deletion

9.1 Retention Periods

• Active project data: Duration of project plus 30 days
• Audit logs: 90 days (standard) or as required by compliance
• Account data: Duration of account plus 30 days after deletion
• Backups: 30 days rolling retention

9.2 Deletion Upon Termination

Upon termination of the service agreement, Cirrus will, at the Controller's choice:

• Return Personal Data in a standard format, or
• Delete Personal Data and certify deletion

Data export/deletion must be requested within 30 days of termination.

10. Audit Rights

The Controller may audit Cirrus's compliance with this DPA:

• Upon reasonable notice (minimum 30 days)
• During normal business hours
• At the Controller's expense
• Subject to confidentiality obligations

Alternatively, Cirrus will provide SOC 2 Type II reports and other relevant compliance documentation upon request.

11. Liability

Liability under this DPA is subject to the limitations in the Terms of Service. Each party is liable for damages caused by its breach of applicable data protection laws.

12. Term and Termination

This DPA remains in effect for the duration of the service agreement between Cirrus and the Controller. Provisions relating to confidentiality, data deletion, and audit rights survive termination.

13. Contact Information

Data Protection Officer:

• Email: [email protected]

Legal Department:

• Email: [email protected]

Privacy Inquiries:

• Email: [email protected]