DATA PROCESSING AGREEMENT
Altair Partners LLC
Effective Date: January 11, 2025

1. Definitions

Controller: The entity that determines the purposes and means of processing personal data.

Processor: Altair Partners LLC, which processes personal data on behalf of the Controller.

Data Subject: An identifiable natural person whose personal data is processed.

GDPR: General Data Protection Regulation (EU) 2016/679.

CCPA: California Consumer Privacy Act as amended.

2. Scope and Responsibilities

2.1 Processing Activities

Altair Partners LLC will process personal data only:

  • On documented instructions from the Controller
  • For the purposes defined in the service agreement
  • In compliance with applicable data protection laws

2.2 Processor Obligations

  • Implement appropriate technical and organizational measures
  • Ensure confidentiality of processing
  • Assist Controller in fulfilling data subject rights
  • Notify Controller without undue delay of data breaches

3. Data Security Measures

3.1 Technical Safeguards

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Multi-factor authentication for all systems
  • Regular vulnerability scanning and penetration testing

3.2 Organizational Safeguards

  • Annual staff training on data protection
  • Strict access controls (role-based permissions)
  • Data protection impact assessments for high-risk processing

4. Subprocessing

4.1 Authorized Subprocessors

Controller grants general authorization for these essential subprocessors:

  • Amazon Web Services (Cloud infrastructure)
  • Google Workspace (Business communications)
  • HubSpot (CRM platform)

4.2 Subprocessor Requirements

  • Processor will conduct due diligence on all subprocessors
  • Same data protection obligations imposed contractually
  • Controller will be notified of new subprocessors, with a 30-day objection period

5. International Data Transfers

  • Standard Contractual Clauses (SCCs) for EU-US transfers
  • Data localization where required by law
  • Additional safeguards for sensitive data transfers

6. Data Subject Rights

6.1 Assistance Obligations

Processor will assist Controller in fulfilling:

  • Right to access requests
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to data portability

6.2 Response Timeframes

  • Initial response within 5 business days
  • Full resolution within 30 calendar days
  • Extended timeframe for complex requests (not to exceed 60 days)

7. Data Breach Notification

7.1 Incident Response

  • Notification to Controller within 48 hours of confirmation
  • Detailed report including:
    • Nature of breach
    • Categories of data affected
    • Approximate number of data subjects

7.2 Remediation

  • Immediate action to contain breach
  • Cooperation with Controller's investigation
  • Implementation of corrective measures

8. Audit Rights

  • Controller may request audit once per calendar year
  • 30 days' advance notice required
  • Conducted during normal business hours
  • Findings to be kept confidential

9. Termination & Data Return

9.1 Post-Termination Obligations

  • Return or deletion of all personal data at Controller's choice
  • Certification of deletion provided upon request
  • May retain archival copies where legally required

9.2 Survival Clauses

These provisions survive termination:

  • Confidentiality obligations
  • Audit rights for prior periods
  • Liability for breaches during term

10. Governing Law & Jurisdiction

  • Governing law: State of Oregon
  • Jurisdiction: Courts of Multnomah County
  • Alternative dispute resolution required before litigation