Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") is entered into by and between Goliath Dynamics, Inc. ("GDI", "Processor"), the provider of the Diplomat technology platform (the "Platform"), and the customer identified in the Order ("Customer", "Controller"). It forms part of and is incorporated into the Master Services Agreement, Terms of Service, or other written or electronic agreement between the parties governing Customer's use of the Platform (the "Agreement"). In the event of any conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA controls, subject to the order of precedence in Section 14.2.


1. Definitions

Capitalized terms not defined here have the meaning given in the Agreement or in applicable Data Protection Laws.

  • "Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including: (a) the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK GDPR; (b) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"); (c) the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations ("HIPAA"), where applicable; and (d) other U.S. state privacy laws (including but not limited to those of Virginia, Colorado, Connecticut, Utah, and Texas) to the extent applicable.
  • "BAA" means a Business Associate Agreement under HIPAA.
  • "Customer Data" means electronic data, documents, content, and information submitted to or generated by the Platform by or on behalf of Customer or Customer's authorized users, including any Personal Data contained therein.
  • "Data Subject", "Controller", "Processor", "Sub-processor", "Processing", "Personal Data", and "Personal Data Breach" have the meanings given in the GDPR. "Sell", "Share", "Service Provider", and "Business Purpose" have the meanings given under the CCPA/CPRA.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission in Decision 2021/914 of 4 June 2021.
  • "Sub-processor" means any third party engaged by GDI to process Customer Personal Data on GDI's behalf in connection with the Services.

2. Scope and Roles

2.1 Roles. With respect to Customer Personal Data processed under the Agreement, Customer is the Controller (or, where Customer is itself a Processor, the Processor) and GDI is the Processor (or Sub-processor) acting on Customer's documented instructions.

2.2 CCPA Status. With respect to Customer Personal Data subject to the CCPA/CPRA, GDI is a Service Provider and processes such Personal Data only for the Business Purposes specified in the Agreement and this DPA.

2.3 HIPAA. Where Customer Data includes Protected Health Information ("PHI") as defined under HIPAA, the parties will execute GDI's standard Business Associate Agreement, which is incorporated by reference upon execution. In the event of conflict between the BAA and this DPA with respect to PHI, the BAA controls.

2.4 Description of Processing. The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects are described in Annex A.

3. Customer Instructions and Obligations

3.1 Documented Instructions. GDI will process Customer Personal Data only (a) to provide, secure, and support the Services in accordance with the Agreement and this DPA; (b) on Customer's documented written instructions, including those provided through Customer's configuration and use of the Platform; and (c) as required by applicable law, in which case GDI will (unless prohibited by law) notify Customer before processing.

3.2 No Secondary Use. GDI will not:

(a) Sell or Share Personal Data, or otherwise disclose Personal Data to any third party for monetary or other valuable consideration or for cross-context behavioral advertising;

(b) process Personal Data outside of the direct business relationship with Customer or for any purpose other than performing the Services;

(c) combine Personal Data received from Customer with personal information that GDI receives from, or on behalf of, any other person, or collects from its own interaction with any Data Subject, except as permitted by law or regulation;

(d) use Customer Personal Data to train, fine-tune, develop, or improve any generally available machine learning, large language, or artificial intelligence model, whether GDI's own or a third party's. Service-specific models or features that operate solely within Customer's tenancy and only on Customer's behalf are not "generally available" for purposes of this clause;

(e) disclose Customer Personal Data to any third party, except (i) to Sub-processors as permitted in Section 6, (ii) as instructed by Customer, or (iii) as required by law subject to Section 3.1(c).

3.3 Customer Compliance. Customer represents and warrants that (a) it has provided all required notices and obtained all necessary consents, authorizations, and rights to permit GDI to process Customer Personal Data as contemplated by the Agreement; and (b) its instructions to GDI comply with Applicable Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which it acquired such data.

3.4 Unlawful Instructions. GDI will notify Customer if, in its opinion, an instruction from Customer infringes Applicable Data Protection Laws. GDI may suspend execution of the instruction until Customer confirms or modifies it.

4. Confidentiality

4.1 Personnel. GDI will ensure that personnel authorized to process Customer Personal Data are (a) bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality; (b) trained on data protection and information security; and (c) granted access on a need-to-know basis.

5. Security

5.1 Security Measures. GDI will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing. A description of the current security measures is set forth in Annex B.

5.2 Updates. GDI may update its security measures from time to time, provided that such updates do not materially diminish the overall level of protection afforded to Customer Personal Data.

5.3 Encryption. Customer Personal Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 or equivalent.

6. Sub-processors

6.1 General Authorization. Customer provides general authorization for GDI to engage Sub-processors to process Customer Personal Data, subject to the requirements of this Section 6.

6.2 Current Sub-processors. As of the Effective Date of this DPA, GDI engages the following Sub-processor(s) only:

  Sub-processor: Google Cloud Platform
  Entity / Location: Google LLC / United States (multi-region as configured)
  Purpose: Cloud infrastructure hosting (compute, storage, networking) for the Platform
  Safeguards: Google Cloud Data Processing and Security Terms; HIPAA Business Associate Agreement executed with Google Cloud; ISO 27001, 27017, 27018, SOC 1/2/3 certifications; EU SCCs incorporated into Google Cloud terms for international transfers

GDI does not currently engage any other Sub-processor, including: no third-party analytics, no third-party AI/LLM providers, no third-party customer support platforms that access Customer Personal Data, no third-party email or marketing platforms that receive Customer Personal Data, and no third-party data enrichment or advertising vendors.

6.3 Sub-processor Obligations. GDI will (a) enter into a written agreement with each Sub-processor imposing data protection obligations that are no less protective than those in this DPA, to the extent applicable to the nature of the Sub-processor's services; and (b) remain liable to Customer for the acts and omissions of its Sub-processors to the same extent as if performed by GDI.

6.4 Notice of New Sub-processors. GDI will provide Customer with at least thirty (30) days' prior written notice (which may be by email or through the Platform trust center or product UI) before engaging any new Sub-processor that will process Customer Personal Data. Customer may object to the engagement of a new Sub-processor on reasonable data protection grounds by written notice to GDI within fifteen (15) days of GDI's notice. If the parties cannot resolve the objection in good faith, Customer may, as its sole and exclusive remedy, terminate the affected Services with prorated refund of prepaid, unused fees.

7. Assistance with Data Subject Rights

7.1 GDI will provide reasonable assistance, by appropriate technical and organizational measures and insofar as possible, to enable Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).

7.2 If GDI receives a request directly from a Data Subject relating to Customer Personal Data, GDI will promptly forward the request to Customer and will not respond except on Customer's instructions or as required by law.

8. Personal Data Breach Notification

8.1 Notification. GDI will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data.

8.2 Contents. Notifications will include, to the extent then known: (a) the nature of the Personal Data Breach; (b) the categories and approximate number of Data Subjects and records concerned; (c) the likely consequences; (d) measures taken or proposed to address the breach and mitigate its effects; and (e) the contact point for further information.

8.3 Cooperation. GDI will reasonably cooperate with Customer in Customer's investigation, mitigation, and notification obligations under Applicable Data Protection Laws. GDI's notification of or response to a Personal Data Breach is not an acknowledgment of fault or liability.

9. Data Protection Impact Assessments and Prior Consultation

GDI will provide Customer with reasonable assistance, taking into account the nature of the processing and information available to GDI, with any data protection impact assessments and prior consultations with supervisory authorities that Customer is required to carry out under Applicable Data Protection Laws.

10. International Data Transfers

10.1 Primary Processing Location. Customer Personal Data is processed and stored on Google Cloud Platform infrastructure in the United States (or such other region as Customer configures within the Platform where available).

10.2 EU/UK/Swiss Transfers. To the extent GDI processes Personal Data subject to the GDPR, UK GDPR, or Swiss FADP outside the European Economic Area, the United Kingdom, or Switzerland to a jurisdiction not subject to an adequacy decision, the SCCs are hereby incorporated by reference and apply as follows:

(a) Module Two (Controller to Processor) applies where Customer is a Controller and GDI is a Processor;

(b) Module Three (Processor to Processor) applies where Customer is a Processor and GDI is a Sub-processor;

(c) In Clause 7, the optional docking clause is incorporated;

(d) In Clause 9, Option 2 (general written authorisation) applies, with the notice period set forth in Section 6.4;

(e) In Clause 11, the optional language regarding independent dispute resolution is not incorporated;

(f) In Clauses 17 and 18, the governing law and forum are those of Ireland;

(g) Annex I is populated by Annex A of this DPA; Annex II is populated by Annex B of this DPA; Annex III is populated by Annex C of this DPA, which lists the Sub-processors set forth in Section 6.2.

10.3 UK Addendum. The UK International Data Transfer Addendum to the EU SCCs (Version B1.0), issued by the UK Information Commissioner, is incorporated by reference for transfers subject to UK GDPR.

10.4 Swiss Adaptations. For transfers subject to the Swiss FADP, references in the SCCs to GDPR are deemed to include the FADP, references to Member States include Switzerland, and the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

11. Audits

11.1 Audit Reports. Upon written request no more than once per calendar year (or more frequently if required by a supervisory authority or following a Personal Data Breach), GDI will provide Customer with copies of relevant third-party audit reports, certifications, and summaries of penetration tests covering the Services (collectively, "Audit Materials") to demonstrate compliance with this DPA. Audit Materials are GDI's Confidential Information.

11.2 On-Site Audits. If Audit Materials are insufficient to demonstrate compliance, Customer (or an independent auditor mutually agreed upon by the parties, who is not a competitor of GDI and is bound by confidentiality obligations) may, on at least thirty (30) days' prior written notice and no more than once per calendar year, conduct an audit of GDI's relevant facilities and records during normal business hours. Audits will be conducted in a manner that does not unreasonably interfere with GDI's operations and will not access (a) data of any other customer, (b) GDI's internal accounting or financial information, (c) any trade secret, or (d) information that, in GDI's reasonable opinion, would compromise the security of GDI's systems or breach GDI's obligations of confidentiality to other customers. Each party bears its own costs.

12. Return or Deletion of Customer Personal Data

12.1 Upon termination or expiration of the Agreement, or upon Customer's earlier written request, GDI will, at Customer's election, return or delete all Customer Personal Data in its possession or control, except to the extent that applicable law requires retention. Deletion will be completed within ninety (90) days of termination or request, subject to retention in routine backup media that is overwritten in the ordinary course (with such backup copies remaining subject to this DPA until overwritten).

13. Liability

The parties' liability under this DPA is subject to the limitations of liability set forth in the Agreement. For the avoidance of doubt, this DPA, the Standard Contractual Clauses, and any BAA are treated together with the Agreement as a single agreement for purposes of any liability cap.

14. Term, Order of Precedence, and Miscellaneous

14.1 Term. This DPA is effective on the later of the Effective Date of the Agreement or the date last signed below, and continues for as long as GDI processes Customer Personal Data under the Agreement.

14.2 Order of Precedence. With respect to Personal Data, in case of any conflict: (a) the BAA (where applicable to PHI) controls; (b) then the SCCs (where applicable to in-scope transfers); (c) then this DPA; (d) then the Agreement.

14.3 Governing Law. Except as otherwise required by the SCCs, this DPA is governed by the governing law of the Agreement.

14.4 Severability; Updates. If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force and effect. GDI may update this DPA from time to time to reflect changes in Applicable Data Protection Laws or industry practice, provided no update materially reduces the protections afforded to Customer Personal Data.


Annex A — Description of Processing

Subject matter: Provision of the Platform and related services, in each case as configured and used by Customer.

Duration: For the term of the Agreement, plus any period required to return or delete Customer Personal Data under Section 12.

Nature and purpose of processing: Hosting, storing, indexing, transmitting, displaying, generating, signing, executing, and otherwise processing Customer's documents and related metadata so that Customer and Customer's authorized users (and, where applicable, Customer's attorney of record or counterparties invited by Customer) can use the Services.

Categories of Data Subjects (illustrative; varies with Customer's use):

  • Customer's authorized users (employees, contractors, in-house counsel, attorneys of record)
  • Customer's contractual counterparties (signers, reviewers, recipients)
  • Individuals identified within documents Customer uploads or generates (e.g., parties, beneficiaries, witnesses, employees, clients of Customer)

Categories of Personal Data (illustrative; varies with Customer's use):

  • Account and identity data: name, business email, business phone, job title, employer, user credentials, IP address, device and log data
  • Contact and transactional data: signature, signature image, signing-event metadata, audit trail
  • Content data: any Personal Data contained in documents Customer uploads, generates, sends, or stores via the Services
  • Billing data (where Customer uses Platform billing facilitation): account holder name, billing contacts, payment method tokens (full card data is handled by Customer's payment processor and is not stored by GDI)

Special categories of Personal Data: Customer determines whether any special categories of data (Article 9 GDPR), PHI under HIPAA, or other sensitive data (e.g., children's data, government identifiers, financial account data) are submitted via the Services. Where PHI is involved, the BAA applies. Customer remains responsible for ensuring an appropriate legal basis for processing such data.

Frequency: Continuous, for the duration of the Agreement.

Retention: For the term of the Agreement and as set forth in Section 12.

Recipients: GDI personnel on a need-to-know basis; the Sub-processor identified in Section 6.2 (Google Cloud Platform); and recipients designated by Customer (e.g., counterparties or signers invited by Customer through the Platform).


Annex B — Technical and Organizational Security Measures

GDI implements the following measures, which may be updated in accordance with Section 5.2:

1. Hosting and infrastructure.

  • Production environment hosted exclusively on Google Cloud Platform under a fully executed HIPAA Business Associate Agreement with Google.
  • Infrastructure inherits GCP's underlying compliance posture (ISO 27001, 27017, 27018; SOC 1/2/3; HIPAA; PCI-DSS where applicable to underlying services).
  • Logical isolation of Customer environments via tenant-scoped identifiers; no commingling of Customer Data across tenants in application logic.

2. Encryption.

  • In transit: TLS 1.2 or higher for all client-to-service and service-to-service communications carrying Customer Personal Data.
  • At rest: AES-256 (or equivalent) encryption for primary storage and backups.

3. Access controls.

  • Role-based access control with least-privilege defaults.
  • Multi-factor authentication required for all GDI personnel access to production systems.
  • SSO and SCIM available for Customer administrators on eligible plans.
  • Just-in-time, audited access for production debugging; no standing production database access for engineers.

4. Network security.

  • Private networking between application tiers; databases not exposed to the public internet.
  • Web application firewall and DDoS protection at the edge.
  • Centralized logging and monitoring of network and application events.

5. Application security.

  • Secure-SDLC: peer code review, dependency scanning, static analysis, and secret-scanning in CI.
  • Annual penetration testing of the production application.
  • Vulnerability management with documented severity-based remediation SLAs.

6. Personnel.

  • Background checks for personnel with production access, where permitted by law.
  • Confidentiality agreements with all personnel.
  • Mandatory annual security and privacy training; HIPAA training for personnel handling PHI.

7. Business continuity and disaster recovery.

  • Automated, encrypted backups with documented RPO/RTO targets.
  • Multi-zone redundancy within the configured GCP region.
  • Documented incident response and disaster recovery plans, tested at least annually.

8. Incident response.

  • 24/7 on-call coverage for security incidents.
  • Documented Personal Data Breach detection, escalation, and notification procedures aligned with Section 8.

9. Data minimization and retention.

  • Customer Data retained only as needed to provide the Services or as required by law.
  • Customer-controlled deletion of documents and accounts, subject to ordinary backup overwrite cycles.

10. No-secondary-use controls.

  • Technical and policy controls to prevent use of Customer Personal Data for AI/ML model training (see Section 3.2(d)).
  • No third-party analytics, advertising, or data-enrichment SDKs in production paths that handle Customer Personal Data.

Annex C — Sub-processors

1. Sub-processor: Google Cloud Platform
   Entity: Google LLC
   Location: United States
   Purpose: Cloud infrastructure (compute, storage, networking) for the Platform
   Safeguards: Google Cloud Data Processing and Security Terms; HIPAA BAA; ISO 27001/27017/27018, SOC 1/2/3; EU SCCs for international transfers

GDI does not currently engage any other Sub-processor for the processing of Customer Personal Data.