Data Processing Agreement

Introduction

This Data Processing Agreement ("DPA") forms part of the agreements between CyberITEX ("Processor", "we", "us", or "our") and our clients ("Controller", "you", or "your") for the provision of managed security and IT services.

This DPA reflects our commitment to data protection and details how we process personal data on your behalf in accordance with applicable data protection laws, including but not limited to the General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA"), and other relevant regulations.

This policy was last updated on March 14, 2025.

Definitions

The terms used in this DPA shall have the same meaning as in the applicable data protection laws. For clarity:

• Personal Data: Any information relating to an identified or identifiable natural person.
• Processing: Any operation performed on Personal Data, including collection, storage, use, or disclosure.
• Controller: The entity that determines the purposes and means of processing Personal Data (you, our client).
• Processor: The entity that processes Personal Data on behalf of the Controller (we, CyberITEX).
• Sub-processor: Any processor engaged by CyberITEX to process Personal Data.
• Data Subject: An identified or identifiable natural person to whom the Personal Data relates.
• Data Protection Laws: All applicable laws relating to data protection and privacy.

Scope and Application

This DPA applies to all processing of Personal Data performed by CyberITEX on behalf of our clients in connection with the services we provide, including cybersecurity, IT management, web hosting, email services, and other related services.

The types of Personal Data processed may include:

• Contact information (names, email addresses, phone numbers, etc.)
• Account credentials (usernames, encrypted passwords)
• IP addresses and device information
• System logs and activity records
• Communication content and metadata
• Website user data when providing web hosting services
• Other data as specified in service agreements with individual clients

Roles and Responsibilities

Client (Controller) Responsibilities

As the Controller, you are responsible for:

• Ensuring you have the legal basis for collecting and processing the Personal Data
• Providing clear instructions to CyberITEX regarding the processing of Personal Data
• Responding to Data Subject requests with our assistance
• Conducting Data Protection Impact Assessments where required
• Obtaining consent from Data Subjects where necessary
• Notifying relevant authorities of any Personal Data breaches as required by law

CyberITEX (Processor) Responsibilities

As the Processor, we are responsible for:

• Processing Personal Data only as instructed by you
• Implementing appropriate technical and organizational security measures
• Assisting you in responding to Data Subject requests
• Notifying you of any Personal Data breaches without undue delay
• Assisting with Data Protection Impact Assessments when requested
• Maintaining records of processing activities
• Ensuring Sub-processors comply with equivalent data protection obligations
• Deleting or returning Personal Data at the end of the service provision

Security Measures

CyberITEX implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of Personal Data in transit and at rest
• Regular testing and evaluation of security measures
• Access controls and authentication mechanisms
• Regular backups and data recovery procedures
• Network security controls including firewalls and intrusion detection
• Employee training on data protection and security practices
• Physical security measures for our facilities
• Incident response procedures

We continuously review and update our security measures to address evolving threats and to maintain compliance with industry standards and best practices.

Sub-processors

CyberITEX may engage Sub-processors to assist in providing our services. When we do so:

• We will maintain a list of current Sub-processors and provide it upon request
• We will inform you of any intended changes concerning the addition or replacement of Sub-processors
• We will ensure that any Sub-processor is bound by data protection terms no less protective than those in this DPA
• We remain fully liable for the performance of our Sub-processors

Our current Sub-processors may include providers of cloud infrastructure, monitoring tools, communication platforms, and other technical service providers necessary for delivering our services.

Data Transfers

CyberITEX primarily processes data within the United States. If we transfer Personal Data to countries outside the jurisdiction where it was collected, we will ensure that:

• The transfer is to a country recognized as providing adequate protection
• Appropriate safeguards are in place, such as Standard Contractual Clauses
• The transfer is necessary for the performance of a contract with you or for your benefit
• You have been informed of the transfer and the safeguards in place

Data Subject Rights

CyberITEX will assist you in fulfilling your obligation to respond to Data Subject requests for exercising their rights, including:

• The right to access their Personal Data
• The right to rectification of inaccurate Personal Data
• The right to erasure ("right to be forgotten")
• The right to restriction of processing
• The right to data portability
• The right to object to processing
• Rights related to automated decision making and profiling

If we receive a request directly from a Data Subject, we will promptly forward it to you unless prohibited by law.

Data Breach Notification

In the event of a Personal Data breach, CyberITEX will:

• Notify you without undue delay after becoming aware of the breach
• Provide you with sufficient information to allow you to meet any obligations to report the breach to supervisory authorities
• Assist you in investigating, mitigating, and remediating the breach
• Document the breach and the response actions taken

Our notification will include:

• The nature of the breach including the categories and approximate number of Data Subjects concerned
• The likely consequences of the breach
• The measures taken or proposed to address the breach
• Contact details for our data protection team

Audit Rights

To verify our compliance with this DPA, you have the right to:

• Request information on our data processing practices
• Receive copies of our relevant certifications and audit reports
• Conduct reasonable audits with at least 30 days' prior notice

Any audits must be conducted during regular business hours, without disrupting our operations, and subject to reasonable confidentiality procedures.

Termination and Data Deletion

Upon termination of services or upon your request, CyberITEX will:

• Delete or return all Personal Data to you, as you choose
• Delete existing copies unless storage is required by law
• Provide a certificate of deletion if requested

We maintain a structured data deletion process to ensure that data is securely and completely removed from all systems.

Changes to This DPA

We may update this DPA from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes and provide an opportunity for you to review and accept the revised terms.

The most current version of this DPA will always be available on our website.

Contact Us

If you have any questions about this Data Processing Agreement, please contact our Data Protection Officer: