Data Processing Agreement

1. Definitions

For the purposes of this Data Processing Agreement ("DPA"):

• "Controller" means the entity that determines the purposes and means of the processing of Personal Data
• "Processor" means TIN Validator, which processes Personal Data on behalf of the Controller
• "Personal Data" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on Personal Data
• "Sub-processor" means any third party appointed by the Processor to process Personal Data
• "Data Subject" means the individual to whom Personal Data relates

2. Scope and Applicability

This DPA applies to the processing of Personal Data by TIN Validator on behalf of the Controller in connection with the provision of TIN validation services. This DPA supplements our Terms of Service and Privacy Policy.

3. Roles and Responsibilities

3.1 Controller Responsibilities

The Controller shall:

• Ensure that processing instructions comply with applicable data protection laws
• Obtain necessary consents and provide required notices to Data Subjects
• Ensure the lawfulness of the transfer of Personal Data to the Processor
• Respond to Data Subject requests unless the Processor is required to do so

3.2 Processor Responsibilities

TIN Validator (Processor) shall:

• Process Personal Data only on documented instructions from the Controller
• Ensure that persons authorized to process Personal Data are bound by confidentiality
• Implement appropriate technical and organizational security measures
• Assist the Controller in responding to Data Subject requests
• Notify the Controller of any Personal Data breaches without undue delay
• Delete or return Personal Data at the end of the services, unless required to retain it by law

4. Nature and Purpose of Processing

Subject Matter

The subject matter of processing is the validation of Tax Identification Numbers (TINs) against regulatory rules.

Duration

Processing will occur for the duration of the service agreement between the parties.

Purpose

The purpose of processing is to validate TINs for compliance and verification purposes.

Type of Personal Data

• Tax Identification Numbers
• Country codes
• Entity type information
• Associated metadata (timestamps, validation results)

Categories of Data Subjects

Individuals and legal entities whose TINs are submitted for validation by the Controller.

5. Security Measures

TIN Validator implements the following security measures:

• Encryption of data in transit using TLS 1.3
• Encryption of sensitive data at rest
• Regular security audits and penetration testing
• Access control mechanisms with multi-factor authentication
• Logging and monitoring of system access
• Employee security training and background checks
• Incident response procedures and breach notification protocols
• Regular backups and disaster recovery procedures

6. Sub-processors

The Controller provides general authorization for TIN Validator to engage Sub-processors. Current Sub-processors include:

• Cloud infrastructure providers (hosting and storage)
• Payment processors (billing and subscription management)
• Analytics providers (service monitoring and improvement)

TIN Validator will notify the Controller of any changes to Sub-processors with at least 30 days' notice. The Controller may object to a new Sub-processor on reasonable grounds.

7. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), TIN Validator ensures appropriate safeguards are in place, including:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by the European Commission
• Other legally recognized transfer mechanisms

8. Data Subject Rights

TIN Validator will assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:

• Right of access to Personal Data
• Right to rectification of inaccurate Personal Data
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object to processing

9. Data Breach Notification

In the event of a Personal Data breach, TIN Validator will:

• Notify the Controller without undue delay and no later than 72 hours after becoming aware
• Provide information about the nature of the breach
• Describe the likely consequences and measures taken to address the breach
• Cooperate with the Controller to mitigate the effects of the breach

10. Audits and Compliance

TIN Validator will make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller may conduct audits with reasonable notice, or engage a third-party auditor to do so, subject to confidentiality obligations.

11. Data Deletion

Upon termination of services, TIN Validator will, at the Controller's choice, delete or return all Personal Data unless required to retain it by applicable law. Deletion will be completed within 90 days of termination.

12. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. The parties agree that TIN Validator's liability for data processing under this DPA shall not exceed the limits specified in the Terms of Service.

13. Term and Termination

This DPA will remain in effect for as long as TIN Validator processes Personal Data on behalf of the Controller. Upon termination, the provisions relating to data deletion, confidentiality, and audit rights will survive.

14. Contact Information

For questions about this Data Processing Agreement, please contact: