
Data Processing Agreement

Last updated: May 17, 2026

  • EU / EEA
  • United Kingdom
  • Switzerland

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Millimetric, Inc. ("Processor") and the customer who has accepted those Terms ("Controller"). It governs Processor's processing of Personal Data on behalf of Controller in connection with the Service. By using the Service in a way that involves Personal Data of EU, UK or Swiss data subjects, Controller is deemed to have entered into this DPA.

1. Definitions

Terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679) and, where applicable, the UK GDPR and the Swiss FADP. "Personal Data" means personal data within the meaning of those laws that Processor processes on behalf of Controller.

2. Subject matter and details of processing

Subject matter: Provision of the Service to Controller.
Duration: For the duration of the Terms, plus any post-termination retention period.
Nature & purpose: Hosted ingestion, storage, attribution and query of analytics events sent by Controller or its Visitors.
Categories of data subjects: Visitors of Controller's website or application; Controller's own personnel using the Service.
Categories of Personal Data: Anonymous Visitor identifier (mm_aid), page URL, referrer, UTM/click-IDs, coarse user-agent, coarse geographic data derived from IP at ingestion (IP itself is discarded within seconds), and any custom event properties Controller chooses to send.
Sensitive data: None, unless Controller chooses to send it (which we ask Controller not to).

3. Roles

Controller is the controller of Personal Data described in Section 2. Processor processes that Personal Data on Controller's behalf as processor. Each party will comply with its respective obligations under Data Protection Laws.

4. Processor obligations

  • Process Personal Data only on Controller's documented instructions, including those given via the Service configuration. The Terms, this DPA, and Controller's use of the Service constitute documented instructions.
  • Ensure that personnel authorised to process Personal Data have committed themselves to confidentiality.
  • Implement appropriate technical and organisational measures (see Annex II).
  • Only engage sub-processors in accordance with Section 6.
  • Taking into account the nature of processing, assist Controller in responding to data subject requests by appropriate technical and organisational measures.
  • Assist Controller with data protection impact assessments, prior consultations with supervisory authorities, and breach notification.
  • Notify Controller without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data breach affecting Controller's data.
  • At Controller's choice, delete or return all Personal Data after the end of the provision of the Service, except where applicable law requires storage.
  • Make available to Controller information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections (see Section 8).

5. Controller obligations

  • Ensure that there is a valid legal basis for the processing of Personal Data through the Service.
  • Provide a privacy notice to Visitors as required by law.
  • Not send Personal Data via custom event properties beyond what is necessary, and never send special-category data without an appropriate legal basis.
  • Configure retention windows and access permissions appropriately for Controller's use case.

6. Sub-processors

Controller provides Processor with general written authorisation to engage sub-processors, provided that Processor:

  • Maintains an up-to-date list of sub-processors at /legal/subprocessors.
  • Notifies Controller at least 30 days before adding or replacing a sub-processor.
  • Imposes obligations on each sub-processor that are no less protective than those in this DPA.
  • Remains liable for the acts and omissions of its sub-processors.

Controller may object to a new sub-processor on reasonable grounds within the 30-day notice period. If the parties cannot agree a resolution, Controller may terminate the Service for the affected processing without penalty.

7. International transfers

Where Personal Data is transferred outside the EEA, UK or Switzerland to a country that is not subject to an adequacy decision, the parties agree that the EU Standard Contractual Clauses (Commission Decision 2021/914), the UK International Data Transfer Addendum, and the Swiss-equivalent SCCs are incorporated by reference and apply to the transfer. The relevant Module is Module Two (controller-to-processor).

8. Audits

Processor will provide, upon Controller's reasonable request and no more than once per year (unless required more frequently by a supervisory authority), responses to a reasonable security questionnaire and copies of relevant third-party audit reports (e.g. SOC 2, ISO 27001) under NDA. Where this is insufficient, Controller may conduct an on-site audit at Controller's expense and on at least 30 days' written notice, subject to mutually agreed scope, timing and confidentiality.

9. Liability

Each party's liability under or in connection with this DPA is subject to the limitations of liability set out in the Terms.

Annex I — Parties, processing description, transfer details

The parties are as identified in the Terms. The processing description is as set out in Section 2. Transfer mechanism is as set out in Section 7. Competent supervisory authority is determined under Clause 13 of the SCCs.

Annex II — Technical and organisational measures

  • Encryption: TLS 1.2+ in transit; AES-256 at rest.
  • Access control: SSO + MFA for staff; least-privilege IAM; quarterly access reviews.
  • Network: Cloudflare edge with rate-limiting and WAF; principal services in a private network.
  • Logging: Audit logs for admin actions and data exports, retained 90 days.
  • Backups: Daily encrypted backups, point-in-time recovery, tested quarterly.
  • Data minimisation: IP addresses discarded within seconds of ingestion; no cookies; no fingerprinting.
  • Personnel: Background checks, confidentiality agreements, annual security training.
  • Incident response: Documented plan, on-call rotation, customer notification within 48 hours of confirmed breach.
  • Vendor management: Annual review of subprocessors against current obligations.
  • Secure development: Code review, dependency scanning, secret scanning, automated tests in CI.

Annex III — Sub-processors

The current list is at /legal/subprocessors.

Signing

This DPA is effective upon Controller's acceptance of the Terms and use of the Service. If your procurement process requires a countersigned version, email privacy@millimetric.ai and we'll sign one over.

© 2026 Millimetric, Inc. Built for vibe coders and AI agents.