Data Processing Agreement
This DPA supplements our Terms of Service and governs the processing of personal data by EchelonGraph on your behalf.
1. Definitions
Controller: You, the customer, who determines the purposes and means of processing personal data through the Service.
Processor: EchelonGraph, Inc., a United States C-corporation, which processes personal data on behalf of the Controller.
Personal Data: Any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
2. Categories of Data Processed
| Category | Data Types | Lawful Basis |
|---|---|---|
| Account Data | Name, email, organization, role, auth credentials (hashed) | Contract performance |
| Cloud Configuration | IAM policies, security groups, VPC configs, resource metadata | Contract performance |
| Vulnerability Data | CVE IDs, CVSS scores, affected resources, remediation states | Contract performance |
| Compliance Data | Framework scores, control results, evidence artifacts | Contract performance |
| Usage Data | API calls, page views, feature usage (anonymized) | Legitimate interest |
| Log Data | IP addresses, access timestamps, user agent, request metadata | Legitimate interest / Security |
3. Processing Obligations
EchelonGraph shall: (a) process personal data only on documented instructions from the Controller; (b) ensure that persons authorized to process personal data have committed themselves to confidentiality; (c) implement appropriate technical and organizational security measures; (d) respect the conditions for engaging sub-processors; (e) assist the Controller in responding to data subject requests; (f) assist the Controller in ensuring compliance with GDPR Articles 32-36; (g) delete or return all personal data upon termination; (h) make available to the Controller all information necessary to demonstrate compliance.
4. Sub-Processors
We use the following sub-processors. We will notify you 30 days before adding a new sub-processor.
| Provider | Purpose | Location | SCCs |
|---|---|---|---|
| Google Cloud Platform | Infrastructure hosting, compute, storage | United States | ✅ |
| Stripe | Payment processing | United States | ✅ |
| SendGrid (Twilio) | Transactional email delivery | United States | ✅ |
| Cloudflare | CDN, DDoS protection, DNS | Global (edge) | ✅ |
5. Technical & Organizational Measures
| Measure | Implementation |
|---|---|
| Encryption at Rest | AES-256-GCM for all data stores (PostgreSQL, Neo4j, ClickHouse, Redis) |
| Encryption in Transit | TLS 1.3 for all inter-service communication and external APIs |
| Access Control | RBAC with 5 roles, 18 permissions, least-privilege principle |
| Authentication | RS256 JWT, TOTP MFA, SAML/OIDC/LDAP SSO, session management |
| Tenant Isolation | PostgreSQL RLS, Neo4j label isolation, ClickHouse partition isolation |
| Audit Logging | All admin actions logged with user ID, timestamp, IP, and action detail |
| Vulnerability Management | Automated CVE scanning of infrastructure, 24h critical patch SLA |
| Incident Response | 24/7 on-call, 4-hour initial response for P1 incidents, documented runbooks |
| Backup & Recovery | Automated daily backups, 30-day retention, tested quarterly disaster recovery |
6. Data Subject Rights
EchelonGraph will assist the Controller in fulfilling its obligations to respond to data subject requests under GDPR Articles 15-22 (access, rectification, erasure, restriction, portability, objection). Requests should be directed to dpo@echelongraph.io and will be processed within 30 days.
7. International Transfers
When personal data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) as a legal transfer mechanism. We also implement supplementary measures including encryption, access controls, and pseudonymization to ensure adequate protection.
8. Data Breach Notification
EchelonGraph will notify the Controller without undue delay (within 72 hours) after becoming aware of a personal data breach. The notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate the breach.
9. Audit Rights
To demonstrate compliance with Article 28 GDPR, EchelonGraph will make available to the Controller, on reasonable written request, the information necessary to evidence its data-protection obligations — including current security documentation, certifications, and third-party assessment reports as they become available. Where the Controller reasonably requires a further audit, it may — no more than once per twelve months (unless required by a supervisory authority or following a personal-data breach) — conduct an audit on at least 30 days' written notice, during business hours, subject to confidentiality, in a manner that does not access other customers' data or compromise platform security, and at the Controller's expense. EchelonGraph will provide reasonable cooperation.
10. Term, Return & Deletion
This DPA takes effect when you accept the Terms of Service or first use the Service, and remains in force for as long as EchelonGraph processes personal data on your behalf. To the extent of any conflict regarding the processing of personal data, this DPA prevails over the Terms of Service. On termination, EchelonGraph will, at the Controller's choice, return or delete all personal data within 30 days, except where retention is required by applicable law; residual copies in encrypted backups are purged on their normal 30-day rotation.
11. California Consumer Privacy (CCPA / CPRA)
Where EchelonGraph processes the personal information of California residents on the Controller's behalf, it acts as a Service Provider under the CCPA/CPRA. EchelonGraph does not sell or share personal information; does not retain, use, or disclose it for any purpose other than performing the Service (or as otherwise permitted by the CCPA); and does not combine it with personal information from other sources except as permitted. EchelonGraph certifies that it understands and will comply with these restrictions.
Execute This DPA
Enterprise customers can request a countersigned DPA by emailing legal@echelongraph.io with your company name and authorized signatory details. Our standard DPA is provided at no additional cost.