Data Processing Agreement
A downloadable PDF version of this DPA will be available soon. In the meantime, this web version constitutes the binding agreement.
To request a signed copy, contact dpa@seedgovernance.com.
1. Definitions
In this Data Processing Agreement ("DPA"), the following terms have the meanings set out below. Capitalized terms not defined herein have the meanings given to them in the SeedGovernance Terms of Service (the "Agreement").
- "Controller" means the Customer, the entity that determines the purposes and means of the Processing of Personal Data and on whose behalf SeedGovernance processes Tenant Data.
- "Processor" means SeedGovernance, which processes Personal Data on behalf of the Controller in connection with the provision of the Service.
- "Data Subject" means an identified or identifiable natural person to whom the Personal Data relates, including the Controller's employees, contractors, customers, and other individuals whose data is stored within the Service.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service, including data contained within Tenant Data, account registration data, and usage data.
- "Sub-processor" means any third party engaged by the Processor (or by another Sub-processor of the Processor) to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by the Processor.
- "Applicable Data Protection Law" means all applicable laws and regulations relating to the processing of Personal Data, including but not limited to the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA/CPRA), Saudi Arabia Personal Data Protection Law (PDPL), and UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data.
2. Scope and Purpose
This DPA forms part of the Agreement between the Controller and the Processor and governs the Processing of Personal Data by the Processor on behalf of the Controller in connection with the SeedGovernance platform (the "Service").
SeedGovernance processes Tenant Data on behalf of the Customer to provide the Service as described in the Agreement. Tenant Data includes governance documentation, compliance assessments, policy content, control mappings, user information, and any other data that the Controller or its authorized Users store within the Service. The Processor processes this data solely for the purpose of delivering, maintaining, and improving the Service in accordance with the Controller's documented instructions.
This DPA applies to the extent that the Processor processes Personal Data on behalf of the Controller in the course of providing the Service. Where any conflict arises between this DPA and the Agreement with respect to data processing matters, the terms of this DPA shall prevail.
3. Customer Obligations
The Controller represents, warrants, and undertakes that:
- Lawful basis: The Controller has a valid legal basis for the collection and Processing of all Personal Data provided to the Processor, whether through consent, contractual necessity, legitimate interest, legal obligation, or another lawful basis recognized under Applicable Data Protection Law.
- Data accuracy: The Controller is responsible for ensuring the accuracy, quality, and legality of all Personal Data provided to the Processor. The Processor is not responsible for validating the lawfulness or accuracy of Personal Data uploaded by the Controller or its Users.
- Compliance with applicable law: The Controller shall comply with all Applicable Data Protection Law in relation to its use of the Service and the Processing of Personal Data, including providing required notices to Data Subjects and obtaining any necessary consents.
- Data Subject communications: The Controller is responsible for providing appropriate privacy notices to Data Subjects whose Personal Data is processed through the Service, informing them of the purposes of Processing, data retention periods, and their rights.
- Instructions: The Controller shall ensure that its Processing instructions to the Processor are lawful and comply with Applicable Data Protection Law. The Controller acknowledges that instructions going beyond the scope of the Service may be subject to additional fees.
- International transfers: Where the Controller transfers Personal Data from a jurisdiction with data transfer restrictions, the Controller is responsible for ensuring that an appropriate transfer mechanism is in place (such as Standard Contractual Clauses or adequacy decisions).
4. SeedGovernance Obligations
4.1 Processing on Documented Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data to a third country or international organization, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless the law prohibits such disclosure on important grounds of public interest.
4.2 Confidentiality
The Processor shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to personnel who require such access to perform their duties in connection with the Service.
4.3 Security Measures
The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing, including:
- Encryption at rest: All Personal Data stored within the Service is encrypted at rest using AES-256.
- Encryption in transit: All data transmitted between the Controller's devices and the Service is encrypted using TLS 1.2 or higher.
- Access controls: Role-based access controls (RBAC) with the principle of least privilege are enforced for all Processor personnel. Multi-factor authentication (MFA) is required for all administrative access to systems containing Personal Data.
- Audit logging: Comprehensive audit logs are maintained for all access to and modifications of Personal Data, including administrative actions, data exports, and configuration changes.
- Vulnerability management: Regular security assessments, penetration testing, and automated vulnerability scanning are conducted to identify and remediate security risks.
- Backup and recovery: Automated backup procedures with encryption ensure data resilience. Disaster recovery plans are tested regularly.
- Employee training: All Processor personnel with access to Personal Data receive regular security awareness and data protection training.
A more detailed description of our security posture is available on our Security page.
4.4 Sub-processor Management
The Processor shall not engage a new Sub-processor without providing the Controller with at least 30 days' prior written notice, including the identity, location, and intended Processing activities of the proposed Sub-processor. The Controller may object to the engagement of a new Sub-processor within 14 days of receiving notice. If the Controller objects and the Processor cannot reasonably provide the Service without the proposed Sub-processor, either party may terminate the affected portion of the Service.
The Processor shall impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-processor's data protection obligations.
4.5 Assistance with Data Subject Rights
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction of Processing, data portability, and objection. If the Processor receives a Data Subject request directly, it shall promptly notify the Controller and shall not respond to the request without the Controller's instructions, unless required to do so by applicable law.
4.6 Further Assistance
The Processor shall assist the Controller, taking into account the nature of Processing and the information available to the Processor, in fulfilling the Controller's obligations under Applicable Data Protection Law, including obligations relating to:
- Data protection impact assessments (DPIAs)
- Prior consultation with supervisory authorities
- Notifications to supervisory authorities and Data Subjects in the event of a Data Breach
- Compliance with security obligations under applicable law
5. Data Residency
The Controller selects a data residency region during Account creation. This selection is permanent and cannot be changed after the Account is provisioned. All Tenant Data (including Personal Data contained therein) is stored and processed exclusively within the selected region; Account metadata is handled as described at the end of this Section.
The following data residency regions are available:
| Region | Azure Region | Location |
|---|---|---|
| EU (Europe) | West Europe | Netherlands |
| ME (Middle East) | UAE North | Dubai, United Arab Emirates |
| US (United States) | East US | Virginia, United States |
Account metadata (such as name, email address, and subscription details) may be processed in the United States by our payment processor and email provider. This processing is necessary to provide billing and communication services and is covered by appropriate safeguards, including Standard Contractual Clauses (SCCs) where applicable.
6. Sub-processors
The Controller authorizes the Processor to engage the following Sub-processors as of the effective date of this DPA:
| Sub-processor | Purpose | Data Location | Safeguards |
|---|---|---|---|
| Microsoft Azure | Cloud infrastructure: compute, storage, database hosting, networking, and managed services | Controller's selected region (EU, ME, or US) | Microsoft DPA, SCCs, ISO 27001, SOC 2 |
| Stripe, Inc. | Payment processing, subscription billing, and invoicing | United States | Stripe DPA, SCCs, PCI DSS Level 1 |
| Resend, Inc. | Transactional email delivery (account confirmations, password resets, notifications) and marketing email delivery | United States | Resend DPA, SCCs |
The Processor will maintain an up-to-date list of Sub-processors and notify the Controller of any changes in accordance with Section 4.4.
7. Security Measures
The following technical and organizational measures are implemented by the Processor to protect Personal Data. These measures are subject to continuous improvement and may be updated as technology and best practices evolve, provided that the overall level of protection is not materially diminished.
| Category | Measure |
|---|---|
| Encryption at rest | AES-256 encryption for all stored Personal Data, including databases, file storage, and backups |
| Encryption in transit | TLS 1.2 or higher for all data transmitted between clients and servers; internal service-to-service communication is also encrypted |
| Access controls | Role-based access control (RBAC) with principle of least privilege; multi-factor authentication (MFA) for all administrative access; regular access reviews |
| Audit logging | Comprehensive, tamper-resistant audit logs capturing all data access, modifications, authentication events, and administrative actions |
| Network security | Firewalls, network segmentation, DDoS protection, and intrusion detection/prevention systems |
| Vulnerability management | Regular automated vulnerability scans, penetration testing, and dependency scanning with timely remediation |
| Data isolation | Multi-tenant architecture with strict logical isolation of Tenant Data; row-level security policies enforced at the database level |
| Backup and recovery | Automated encrypted backups with tested disaster recovery procedures; backups stored within the Controller's selected region |
| Personnel security | Background checks for employees with access to production systems; mandatory security awareness and data protection training |
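The "Data isolation" row above names row-level security at the database level as the control that keeps one tenant's rows invisible to another. The following is an added illustration of what such a control looks like in PostgreSQL; it is not SeedGovernance's schema or code, and the table, column, role and setting names (`assessments`, `tenant_id`, `app_rw`, `app.tenant_id`) are assumptions. It also shows the check a practitioner would run to confirm the policy actually closes the gap.

```sql
-- Added illustration (not the Service's own schema): PostgreSQL row-level security
-- keyed on a per-connection tenant setting. All names below are assumptions.
CREATE TABLE assessments (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid  NOT NULL,
    title      text  NOT NULL,
    content    jsonb NOT NULL
);

-- ENABLE alone exempts the table owner; FORCE applies the policy to the owner too,
-- so an application that connects as the owner cannot silently bypass isolation.
ALTER TABLE assessments ENABLE ROW LEVEL SECURITY;
ALTER TABLE assessments FORCE  ROW LEVEL SECURITY;

-- USING filters rows that are visible; WITH CHECK rejects INSERT/UPDATE that would
-- write a row belonging to another tenant. current_setting() without the
-- "missing_ok" argument raises an error if no tenant was set, so an unset
-- context fails closed instead of returning everything.
CREATE POLICY tenant_isolation ON assessments
    USING      (tenant_id = current_setting('app.tenant_id')::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id')::uuid);

-- The application role must not own the table and must not have BYPASSRLS.
CREATE ROLE app_rw NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON assessments TO app_rw;

-- Constructed sample rows for two tenants (inserted before the role switch).
INSERT INTO assessments (tenant_id, title, content) VALUES
    ('11111111-1111-1111-1111-111111111111', 'ISO 27001 gap analysis', '{"status":"draft"}'),
    ('22222222-2222-2222-2222-222222222222', 'SOC 2 readiness',        '{"status":"final"}');

-- Per-request pattern: set the tenant for this transaction only (third argument
-- 'true' makes the setting local to the transaction), then query as the app role.
BEGIN;
SET LOCAL ROLE app_rw;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);

-- Isolation check: any row whose tenant_id differs from the session tenant is a
-- policy failure. Expected result: 0.
SELECT count(*) AS leaked_rows
FROM assessments
WHERE tenant_id <> current_setting('app.tenant_id')::uuid;

-- Write check: this INSERT targets another tenant and must be rejected by WITH CHECK
-- with "new row violates row-level security policy".
INSERT INTO assessments (tenant_id, title, content)
VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant write', '{}');
ROLLBACK;
```

Two points the table row does not spell out and an auditor should verify: the `FORCE` clause (without it, a connection as the table owner sees every tenant's rows), and that the application role carries neither ownership nor `BYPASSRLS`. If the application instead pools connections without resetting `app.tenant_id` per transaction, the policy is correct but the context it depends on is not, which is why the setting is applied with `SET LOCAL` / transaction-scoped `set_config`.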
8. Data Breach Notification
The Processor shall notify the Controller of any Data Breach without undue delay, and in any event within 72 hours of becoming aware of the breach. The notification shall be sent to the email address associated with the Controller's Account and shall include, to the extent available:
- A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects affected and the categories and approximate number of Personal Data records affected
- The name and contact details of the Processor's data protection contact from whom further information may be obtained
- A description of the likely consequences of the Data Breach
- A description of the measures taken or proposed to be taken by the Processor to address the Data Breach, including measures to mitigate its possible adverse effects
Where it is not possible to provide all information at the time of initial notification, the Processor shall provide information in phases as it becomes available, without further undue delay. The Processor shall cooperate with the Controller and take all reasonable steps to assist the Controller in investigating and remediating the Data Breach and in meeting the Controller's obligations to notify supervisory authorities and Data Subjects under Applicable Data Protection Law.
9. Data Retention and Deletion
9.1 During the Agreement
The Processor shall retain Personal Data for as long as necessary to provide the Service in accordance with the Agreement and the Controller's documented instructions. The Controller may delete specific Personal Data at any time through the Service's administrative interface.
9.2 Upon Termination
Upon termination or expiration of the Agreement, the Processor shall:
- Provide the Controller with the ability to export all Tenant Data (including Personal Data) in structured, machine-readable formats (JSON, CSV) for a period of 30 days following the effective date of termination
- Permanently delete all Personal Data from primary storage systems (databases, file storage, and caches) within 30 days after the end of the export period
- Permanently delete all Personal Data from backup systems within 90 days after the end of the export period
- Provide written confirmation of deletion to the Controller upon request
The Processor may retain Personal Data beyond these periods only to the extent required by applicable law (such as financial record-keeping requirements). Any such retained data shall continue to be protected in accordance with this DPA and shall not be processed for any other purpose.
10. Data Subject Rights
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law. These rights may include, depending on the Data Subject's jurisdiction:
- Right of access: The right to obtain confirmation of whether Personal Data is being processed and to receive a copy of such data
- Right to rectification: The right to request correction of inaccurate Personal Data
- Right to erasure: The right to request deletion of Personal Data (subject to legal retention obligations)
- Right to restriction: The right to request limitation of Processing in certain circumstances
- Right to data portability: The right to receive Personal Data in a structured, commonly used, machine-readable format
- Right to object: The right to object to Processing based on legitimate interests or for direct marketing purposes
The Processor shall promptly forward any Data Subject request it receives directly to the Controller. The Processor shall provide the Controller with the technical capabilities to fulfill Data Subject requests through the Service's administrative interface, including data export and deletion functionality. Where requests cannot be fulfilled through the Service interface, the Processor shall provide reasonable manual assistance.
11. Audits
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including on-site inspections, conducted by the Controller or a qualified, independent third-party auditor appointed by the Controller.
Audits are subject to the following conditions:
- The Controller may conduct one audit per calendar year, unless a Data Breach or material compliance concern justifies an additional audit
- The Controller shall provide the Processor with at least 30 days' prior written notice of any planned audit
- Audits shall be conducted during normal business hours and in a manner that does not unreasonably disrupt the Processor's operations
- The Controller shall bear the costs of any audit it initiates, including auditor fees, travel, and accommodation
- Any third-party auditor must enter into a confidentiality agreement acceptable to the Processor before commencing the audit
- The Processor may satisfy audit requests by providing relevant third-party certifications and audit reports (such as SOC 2 Type II or ISO 27001 certificates) in lieu of on-site inspections, where such reports reasonably address the Controller's audit objectives
12. Term and Termination
This DPA is coterminous with the Agreement. It takes effect on the date the Controller accepts the Agreement or first uses the Service, whichever is earlier, and remains in force for as long as the Processor processes Personal Data on behalf of the Controller.
Upon termination or expiration of the Agreement, the Processor's obligations under this DPA shall continue with respect to any Personal Data retained in accordance with Section 9 until all such data has been deleted.
The following sections of this DPA shall survive termination: Section 1 (Definitions), Section 4.2 (Confidentiality), Section 7 (Security Measures), Section 8 (Data Breach Notification), Section 9 (Data Retention and Deletion), Section 10 (Data Subject Rights), Section 11 (Audits), and Section 13 (Liability and Governing Law).
13. Liability and Governing Law
Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA shall limit either party's liability for violations of Applicable Data Protection Law to the extent that such limitations are prohibited by law.
This DPA shall be governed by the same law that governs the Agreement. To the extent that Applicable Data Protection Law requires a specific governing law for data processing terms (for example, the Standard Contractual Clauses adopted under the GDPR must be governed by the law of an EU Member State), that law shall apply to the relevant provisions of this DPA.
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that achieves the intended purpose as closely as possible.
14. Contact
For questions about this DPA, to request a signed copy, or to exercise rights under this agreement, contact:
- DPA inquiries: dpa@seedgovernance.com
- Data protection: privacy@seedgovernance.com
- Legal: legal@seedgovernance.com
- Contact form: seedgovernance.com/contact