Data Processing Addendum (DPA)

Green Dolphin Software LLC
Version 1.0 — May 2026

⚠️ DRAFT TEMPLATE. This is Green Dolphin's standard DPA, structured for
GDPR (EU/UK), CCPA/CPRA (California), and HIPAA-aware engagements. Run by
attorney before first signing. Substitute square-bracket placeholders.
NOT legal advice.

This Data Processing Addendum ("DPA") forms part of the Master Services Agreement dated [MSA Effective Date] ("Agreement") between Green Dolphin Software LLC ("Processor") and [Client Legal Name] ("Controller"). Capitalized terms not defined here have the meaning given in the Agreement.

1. Definitions

1.1 "Personal Data" means any information relating to an identified or identifiable natural person that Controller or its end users provide to Processor or is otherwise Processed by Processor on Controller's behalf in connection with the Services.

1.2 "Process", "Processor", "Controller", "Data Subject", "Personal Data Breach", "Sub-processor", and "Supervisory Authority" have the meanings given in the GDPR.

1.3 "Data Protection Laws" means all applicable data protection and privacy laws, including (a) the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK Data Protection Act 2018 / UK GDPR, (b) the California Consumer Privacy Act of 2018 as amended by the CPRA ("CCPA"), and (c) any other privacy laws applicable to Processor's processing of Personal Data on Controller's behalf.

1.4 "Standard Contractual Clauses" or "SCCs" means the EU Commission's standard contractual clauses for transfers of personal data to third countries, as approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

2. Scope and Roles

2.1 Roles. For the purposes of Data Protection Laws, Controller is the Controller (or, where applicable, Processor of a third-party Controller) of Personal Data, and Processor is the Processor.

2.2 Subject matter and duration. The subject matter of the Processing is the provision of integration consulting and implementation Services under the Agreement. The duration is the term of any active SOW, plus any retention required by Section 9.

2.3 Nature and purpose. Processor will Process Personal Data only as necessary to perform the Services described in the applicable SOW.

2.4 Categories of Data Subjects. As specified in the SOW. Typically: Controller's employees, customers, prospects, end users, and any other natural persons whose data flows through the integrations being built.

2.5 Categories of Personal Data. As specified in the SOW. Typically: identifiers (name, email, phone), professional information (employer, role), customer record data (account, order, invoice), and integration-flow metadata. Special category data (health, financial, biometric, etc.) only where explicitly identified in the SOW.

3. Processor Obligations

3.1 Documented instructions. Processor will Process Personal Data only on Controller's documented instructions, including with regard to transfers of Personal Data outside the EEA, UK, or Switzerland, as set out in the Agreement, the applicable SOW, and this DPA, unless required to do so by Union or Member State law to which Processor is subject. In such case, Processor will, where lawful, inform Controller of that legal requirement before Processing.

3.2 Confidentiality. Processor ensures that personnel authorized to Process Personal Data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

3.3 Security. Processor will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the nature, scope, context, and purposes of Processing. Processor's current measures are described in Annex 2.

3.4 Sub-processors. Processor may engage Sub-processors only as set forth in Annex 1. Processor will:

(a) impose data protection terms on Sub-processors no less protective than this DPA;
(b) remain liable to Controller for any failure by a Sub-processor to fulfill its data protection obligations;
(c) provide written notice (which may be email) of any intended addition or replacement of Sub-processors at least thirty (30) days in advance, allowing Controller to object on reasonable data-protection grounds.

3.5 Assistance. Taking into account the nature of Processing and the information available to Processor, Processor will assist Controller, by appropriate technical and organizational measures and insofar as possible, in fulfilling Controller's obligations to:

(a) respond to requests from Data Subjects exercising rights under Data Protection Laws (access, rectification, erasure, restriction, portability, objection);
(b) maintain the security of Processing under Article 32 GDPR;
(c) carry out data protection impact assessments under Article 35 GDPR and prior consultations with Supervisory Authorities under Article 36 GDPR.

3.6 Personal Data Breach. Processor will notify Controller without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting Controller's Personal Data. Notification will include all information then available about the breach, including (where known) categories and approximate number of Data Subjects and records affected, likely consequences, and remediation measures.

3.7 Audits. Once per twelve (12) month period, Controller (or a third-party auditor bound by confidentiality and reasonable to Processor) may audit Processor's compliance with this DPA on thirty (30) days written notice, during business hours, in a manner not unreasonably disruptive to Processor's business. In lieu of an on-site audit, Processor may satisfy this obligation by providing relevant SOC 2 reports, ISO 27001 certifications, or comparable third-party attestations covering the in-scope Services.

4. International Transfers

4.1 Adequacy or SCCs. If Processor Processes Personal Data outside a jurisdiction recognized as providing adequate protection under Data Protection Laws, the transfer is subject to (a) the SCCs (Module 2 — Controller-to-Processor — for direct transfers, or Module 3 — Processor-to-Processor — for transfers from Controller's processor to Processor as sub-processor), incorporated into this DPA by reference, or (b) another lawful transfer mechanism agreed in writing.

4.2 UK. For Personal Data subject to UK Data Protection Laws, the SCCs are supplemented by the UK International Data Transfer Addendum (Version B1.0) issued by the UK Information Commissioner's Office.

4.3 Switzerland. For Personal Data subject to Swiss Data Protection Laws, references in the SCCs to "Member State law" or "EU Member State law" are read as references to Swiss law where applicable.

4.4 Annex IV (SCC docking). Annex 1 (List of Parties), Annex 2 (Description of Processing), and Annex 3 (Technical and Organizational Measures) of this DPA serve as the corresponding annexes to the SCCs.

5. Return or Deletion of Personal Data

5.1 End of Services. On termination of an SOW or earlier on Controller's written request, Processor will, at Controller's choice, return all Personal Data to Controller (in a commonly used machine-readable format) or delete it from all systems within thirty (30) days, except for copies required to be retained by law or for backup-and-restore purposes for a maximum of ninety (90) days, after which they are deleted in the ordinary course.

5.2 Certification. On Controller's written request, Processor will certify in writing that it has complied with this Section 5.

6. CCPA-Specific Terms

6.1 Service Provider status. With respect to Personal Data of California residents, Processor is a "Service Provider" or "Contractor" under the CCPA, not a "Third Party."

6.2 Restrictions. Processor will not (a) sell, share, or otherwise disclose Personal Data for any purpose outside the direct business purpose of providing the Services; (b) retain, use, or disclose Personal Data outside the direct business relationship with Controller; (c) combine Personal Data received from Controller with Personal Data received from any other source, except as permitted by the CCPA for service providers.

6.3 Right to take steps. Processor will provide reasonable assistance to Controller in addressing CCPA consumer rights requests routed through Controller.

7. Liability

The liability provisions of the Agreement (including Section 10 — Limitation of Liability — of the MSA) apply to the obligations under this DPA. In the event of any conflict between this DPA and the MSA, this DPA controls with respect to the Processing of Personal Data.

8. Order of Precedence

In the event of conflict between (a) this DPA, (b) the SCCs, and (c) the MSA, the order of precedence is: SCCs (as required by EU law), then this DPA, then the MSA.

9. Term

This DPA is effective on the Effective Date of the MSA and remains in effect for as long as Processor Processes Personal Data on Controller's behalf, plus any retention period under Section 5.

Annex 1 — List of Parties and Sub-processors

Parties

Authorized Sub-processors (as of [Effective Date])

Additional Sub-processors specific to a given SOW will be listed in that SOW.

Annex 2 — Description of Processing

Annex 3 — Technical and Organizational Measures

Processor maintains the following technical and organizational measures, reviewed and updated periodically:

Access control

• Single-sign-on (SSO) with multi-factor authentication on all administrative systems (GitHub, Vercel, Google Workspace, Slack, Anthropic Console)
• Principle of least privilege; access reviews quarterly
• Hardware security keys (FIDO2) for admin accounts
• Automatic session timeouts; encrypted laptops with full-disk encryption

Network security

• All Processor-managed systems are accessed over HTTPS / TLS 1.2+
• API keys and secrets stored in encrypted secret managers (Google Secrets Manager, Vercel encrypted env vars, GitHub Encrypted Secrets); never committed to repositories
• Periodic credential rotation; immediate rotation on personnel change

Data security

• Personal Data transmitted between systems uses TLS 1.2+ in transit
• Data at rest in Processor's systems (GitHub repos, Slack messages, Google Workspace) uses provider-managed encryption at rest
• Production credentials separated from development; tested with non-production data wherever possible

Application security

• Source code reviewed before deployment; no direct-to-prod commits
• Static analysis and dependency scanning on every build
• Open-source components license-vetted; CVE alerts monitored
• Penetration testing on Controller-facing deliverables on Controller's written request and agreed scope

Personnel

• Background checks for Processor personnel handling Controller's Personal Data
• Annual security awareness training
• Confidentiality agreements signed before any Controller data access

Incident response

• Documented incident response process with 48-hour notification SLA per Section 3.6 of this DPA
• Post-incident root-cause analysis shared with Controller within 30 days

Backup and recovery

• Source code in GitHub: continuous off-site backup via GitHub's redundancy
• Documents in Google Workspace: provider-managed redundancy
• No long-term retention of Controller's Personal Data on Processor systems beyond what's needed for the active SOW (per Section 5)

Sub-processor management

• All Sub-processors listed in Annex 1 sign their own DPAs with Processor (or are bound by their published DPAs covering Processor as a customer)
• New Sub-processors notified to Controller per Section 3.4 of this DPA

Physical security

• Processor operates in a home-office environment in San Ramon, California
• No physical retention of paper records containing Personal Data
• Devices accessed only by Processor personnel; physical theft response protocol in place

EXECUTED AS OF THE EFFECTIVE DATE OF THE MSA.