RESPONDR DATA PRIVACY AGREEMENT

 

(Last Updated: 11/6/25)

 

This Data Privacy Agreement (“DPA”) supplements the Terms of Service between Respondr (“Company”) and Customer.

 

It governs Company’s handling of Customer Data in connection with the Service.

 

1. Definitions

 

• “Customer Data” means all data, information, or content uploaded or submitted to the Service by or on behalf of     Customer.

• “Applicable Laws” means all privacy and data-protection laws applicable to the processing of Customer Data, including FERPA, COPPA, CCPA/CPRA, and, if applicable, GDPR.

• “Processing,” “Controller,” and “Processor” have the meanings given in GDPR Article 4.

 

2. Roles of the Parties

 

Customer acts as the Controller of Customer Data.

Company acts as the Processor (or “Service Provider” under CCPA), processing Customer Data solely to provide and improve the Service as described in the Terms.

 

3. Processing Instructions

 

Company will process Customer Data only on documented instructions from Customer and only for Service operation, support, analytics, and security.

 

Company will not:

• Sell or share Customer Data for marketing.

• Combine Customer Data with other data except for aggregated, anonymized analytics.

 

4. Security Measures

 

Company will maintain industry-standard technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include:

• Encryption of data in transit and at rest;

• Role-based access controls;

• Regular vulnerability testing;

• Incident response procedures and staff training.

 

5. Subprocessors

 

Company may engage trusted subprocessors (e.g., cloud hosting or communications providers) under written agreements requiring equivalent data-protection obligations.

 

A current list of subprocessors is available at [yourdomain.com/subprocessors]. Customer may request notice of material changes.

 

6. Data Retention and Deletion

 

Customer Data will be retained only for the duration of the Service and deleted or returned to Customer within 30 days after termination, unless retention is required by law or for security and backup integrity.

 

7. Data Breach Notification

 

If Company becomes aware of unauthorized access to Customer Data, it will notify Customer without undue delay and provide information about the nature of the incident, the affected data, and remedial measures taken.

 

8. Compliance and Assistance

 

Company will:

• Cooperate reasonably with Customer to respond to lawful requests from data subjects, regulators, or educational authorities.

• Notify Customer if a legal demand (e.g., subpoena) requires disclosure of Customer Data unless prohibited by law.

 

9. International Transfers

 

If Customer Data is transferred outside the originating jurisdiction, Company will ensure adequate protections consistent with Applicable Laws (e.g., Standard Contractual Clauses where applicable).

 

10. Indemnification and Liability

 

Customer will defend, indemnify, and hold harmless Company against any claims, damages, or expenses arising from Customer’s violation of this DPA, misuse of the Service, or failure to comply with privacy obligations.

 

Company’s total liability under this DPA will not exceed the total fees paid by Customer during the twelve (12) months preceding the event giving rise to the claim.

 

11. Governing Law

 

This DPA is governed by and construed in accordance with the laws of the State of Delaware, without regard to conflict-of-laws principles.

 

12. Entire Agreement

 

This DPA and the Terms of Service constitute the entire agreement on data privacy between the parties and supersede all prior discussions.

 

IN WITNESS WHEREOF, the parties have agreed to this Data Privacy Agreement, effective as of the date the Customer first used the Service or executed an Order Form incorporating it.