Data Processing Addendum (DPA)
This Data Processing Addendum (“DPA”) forms part of the Taptic Data Terms of Service and governs how Taptic Data, LLC (“Processor”) handles personal data on behalf of customers (“Controller”) when providing the Service. Capitalized terms have the meanings given in applicable data-protection laws (e.g., GDPR, CCPA).
1) Roles & Scope
The Controller determines the purposes and means of processing personal data. The Processor processes personal data only on documented instructions from the Controller and solely to provide, secure, and improve the Service, or as required by law.
2) Sub-Processors
The Controller authorizes Taptic Data to engage the following sub-processors:
- AWS – database, storage, hosting and SES transactional email delivery
- Firebase – authentication and identity management
- Stripe – billing and payments
Taptic Data will maintain a list of material sub-processor changes and ensure each is bound by written agreements imposing data-protection obligations no less protective than those in this DPA.
3) Security Measures
Taptic Data implements appropriate technical and organizational measures, including encryption in transit and at rest, access controls, audit logging, network isolation, and regular backups. Customer data is isolated per-company at the database schema level to prevent cross-tenant access.
4) Confidentiality
Personnel authorized to process personal data are bound by confidentiality obligations and receive training appropriate to their roles. Access is limited to least-privilege needs.
5) Assistance with Data Subject Requests
Where legally required, Taptic Data will assist the Controller in responding to data-subject requests (e.g., access, correction, deletion, portability) by providing available technical information or support relevant to the Service.
6) International Transfers
Data is stored and processed in the United States. If the Controller transfers personal data from other jurisdictions, appropriate safeguards (such as Standard Contractual Clauses or similar mechanisms) may apply to support lawful transfers.
7) Audits & Documentation
Upon written request, Taptic Data will provide information reasonably necessary to demonstrate compliance with this DPA. Independent audits may be arranged subject to reasonable notice, scope, and confidentiality obligations.
8) Personal Data Breach Notification
In the event of a confirmed personal data breach affecting the Controller’s data, Taptic Data will notify the Controller without undue delay and provide details on scope, impact, mitigation, and remediation steps as information becomes available.
9) Return or Deletion of Data
Upon termination of the Service or at the Controller’s documented request, Taptic Data will delete or return personal data within 30 days unless retention is required by law or for legitimate backup integrity. Backups are purged on a rolling schedule.
10) Liability & Duration
Each party’s liability under this DPA is subject to the limitations of liability in the Terms of Service. This DPA remains in effect for the duration of the Service and while Taptic Data retains personal data on behalf of the Controller.
Effective Date: November 2025