Data Processing Agreement

This Data Processing Agreement (“DPA”) applies when CCCM Consulting LLC DBA SignalEDI (“Processor”) processes personal data on behalf of Client (“Controller”) as a data processor under the General Data Protection Regulation (GDPR), UK GDPR, or the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA). This DPA supplements the Terms of Service.

• Personal Data: Any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1).
• Processing: Any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
• Data Controller: The entity that determines the purposes and means of processing personal data (Client).
• Data Processor: The entity that processes personal data on behalf of the Controller (SignalEDI).
• Data Subject: An identified or identifiable natural person whose personal data is processed.
• Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller.
• Supervisory Authority: An independent public authority established by an EU Member State pursuant to GDPR Article 51.
• Consumer/Business/Service Provider: As defined by the California Consumer Privacy Act (CCPA) §1798.140.

Client is the Data Controller (or “Business” under CCPA). SignalEDI is the Data Processor (or “Service Provider” under CCPA). SignalEDI processes personal data only to the extent necessary to provide the Service as described in the Terms of Service.

• SignalEDI processes personal data only on documented instructions from the Client.
• Processing is limited to what is necessary to provide the Service as described in the Terms of Service.
• SignalEDI will not sell personal data.
• If SignalEDI is required by law to process personal data beyond the Client’s instructions, SignalEDI will inform the Client before such processing, unless prohibited by law.

SignalEDI implements the following technical and organizational measures to protect personal data:

• Encryption: AES-256 at rest, TLS 1.3 in transit.
• Access Controls: Role-based access control (RBAC); multi-factor authentication (MFA) required for all administrative access.
• Data Isolation: Logical tenant separation ensures client data is isolated.
• Monitoring: 24/7 automated security monitoring and alerting.
• Personnel: Background checks, confidentiality agreements, and regular security training for all staff with data access.
• Incident Response: Documented incident response plan with defined escalation procedures.

SignalEDI uses the following sub-processors to provide the Service:

Each sub-processor is bound by a data processing agreement. SignalEDI will notify Client of new sub-processors with 30 days advance notice. Client may object in writing within 14 days of notification.

SignalEDI will assist Client in responding to data subject requests, including:

• Right of access;
• Right to rectification;
• Right to erasure (“right to be forgotten”);
• Right to data portability;
• Right to restriction of processing;
• Right to object to processing.

SignalEDI will respond to Client requests related to data subject rights within 30 days. Technical measures are in place to support data export and deletion.

Data is primarily processed in the United States. For EU, UK, and Swiss data subjects, international transfers of personal data are governed by Standard Contractual Clauses (EU Commission Decision 2021/914). Client may request execution of Standard Contractual Clauses by contacting support@signaledi.com.

Upon termination of the service agreement, SignalEDI will delete or return all personal data within 90 days, per Client’s written instructions. Where personal data includes Protected Health Information governed by a Business Associate Agreement, the more stringent 60-day return / destruction window in the BAA applies. Anonymized and aggregated data that can no longer be associated with an individual may be retained for analytics and service improvement purposes.

• SignalEDI is a “Service Provider” as defined under the California Consumer Privacy Act (CCPA).
• SignalEDI does not sell or share personal information as defined under CCPA/CPRA.
• SignalEDI processes personal data only for the business purposes specified in the Terms of Service and this DPA.
• SignalEDI will not combine personal data received from or on behalf of Client with personal data received from other sources, except as permitted by CCPA.

• Client may request audit reports or security certifications on an annual basis.
• SignalEDI will provide documentation of security measures upon reasonable written request.
• On-site audits may be conducted upon 30 days advance written notice, at Client’s expense.

This DPA is incorporated by reference into the Terms of Service. For enterprise clients requiring a separately executed DPA, contact support@signaledi.com.