Data Processing Agreement
Read this first
This is a working draft circulated to obtain attorney review and comment. It has not been reviewed or approved by counsel, it is not legal advice, and it is not an offer to contract or a binding agreement. Bracketed [items] mark open decisions that need a lawyer's judgment (governing law, hosting location, transfer mechanism, sub-processor confirmation, notice windows). Reviewers: please mark these up. There is a comment link at the bottom of the page.
This Data Processing Agreement (the "DPA") forms part of and is incorporated into the subscription agreement or other written agreement (the "Agreement") between WalkerNash Development LLC, a Colorado limited liability company operating the Kingsfield service ("WalkerNash," "Processor"), and the customer identified in the Agreement ("Customer," "Controller"). It governs the Processing of Personal Data in connection with the Kingsfield citation-adjudication service (the "Service").
Architectural premise. The Service is designed so that Personal Data does not reach the cloud. Customer strips and tokenizes client identifiers on its own systems, using the local PII Tokenizer, before any content is transmitted. A fail-closed firewall at the Service's ingress rejects any submission in which Personal Data is detected. The cloud holds no token-to-PII map, and re-identification can occur only on Customer's own systems. Accordingly, the parties intend and design that WalkerNash does not Process Customer Personal Data in the ordinary course, and that the scope of this DPA is correspondingly narrow. Where this DPA addresses the handling of Personal Data, it does so to cover the incidental or inadvertent case and to satisfy the requirements of Data Protection Laws, not because such Processing is intended.
1. Definitions
Capitalized terms not defined here have the meanings given in the Agreement or in applicable Data Protection Laws.
- "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable, the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, and the California Consumer Privacy Act as amended by the CPRA ("CCPA").
- "Personal Data," "Processing," "Controller," "Processor," "Data Subject," and "Personal Data Breach" have the meanings given in the GDPR (or the functional equivalents under other Data Protection Laws).
- "Sub-processor" means any third party engaged by WalkerNash to Process Personal Data in connection with the Service.
- "Tokenized Content" means content from which direct and indirect identifiers have been removed and replaced with non-identifying tokens by Customer before transmission to the Service.
- "Audit Capsule" means the signed, hash-chained verdict record the Service emits, which contains content hashes and opaque document identifiers and is designed to contain no Personal Data.
2. Roles and scope of Processing
As between the parties, Customer is the Controller (or a Processor acting on behalf of its own clients) and WalkerNash is the Processor (or, under the CCPA, a Service Provider). The subject matter, duration, nature and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I. By design, no category of Personal Data is intended to be Processed by WalkerNash.
3. Customer instructions and the tokenization condition
WalkerNash will Process Personal Data only on Customer's documented instructions, including as set out in this DPA and the Agreement. Customer's configuration and use of the Service constitute its instructions.
Customer is responsible for stripping and tokenizing Personal Data before transmission and for confirming each outbound payload at the local egress gate. The Service is offered on the condition that Customer does so. Tokenizing content after it has already been disclosed to an upstream tool does not cure that earlier disclosure, and Customer remains the party responsible for the protection of its client information. Customer will not instruct WalkerNash to Process Personal Data in a manner that violates Data Protection Laws.
4. WalkerNash obligations
- Process Personal Data only on documented instructions, including for international transfers, unless required by law (in which case WalkerNash will inform Customer unless legally prohibited);
- ensure that personnel authorized to Process Personal Data are bound by confidentiality;
- implement the technical and organizational measures described in Annex II;
- respect the conditions for engaging Sub-processors in Section 7;
- taking into account the nature of the Processing, assist Customer with Sections 8–10 by appropriate technical and organizational measures, insofar as possible; and
- make available information reasonably necessary to demonstrate compliance with this DPA, as described in Section 13.
5. No Personal Data at rest
The Service is designed so that no Customer Personal Data is stored in the cloud. A tenant is an authentication identity and a usage counter. The only durable record WalkerNash retains for a Customer is the Audit Capsule chain, which is designed to contain content hashes and opaque document identifiers and no Personal Data. The ingress firewall is default-deny: a submission in which structured identifiers are detected is rejected, returning the categories and positions of the detected items without echoing or logging the underlying text.
6. Security
WalkerNash will implement and maintain the technical and organizational measures set out in Annex II to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, appropriate to the risk and to the design of the Service.
7. Sub-processors
Customer grants WalkerNash general authorization to engage the Sub-processors listed in Annex III. WalkerNash will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains responsible for each Sub-processor's performance. WalkerNash will give Customer [notice period — e.g., 30 days] prior notice of any intended addition or replacement of a Sub-processor, during which Customer may object on reasonable data protection grounds.
8. Data Subject rights
Taking into account the nature of the Processing, WalkerNash will assist Customer by appropriate technical and organizational measures, insofar as possible, in responding to requests from Data Subjects exercising their rights under Data Protection Laws. Because the Service is designed not to receive or store Personal Data, WalkerNash will in most cases have no Personal Data on which to act and will direct any request it receives back to Customer.
9. Personal Data Breach
WalkerNash will notify Customer without undue delay, and in any event within [72 hours], after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to it to assist Customer in meeting its own notification obligations. Given the design described in Section 5, WalkerNash holds no Customer Personal Data at rest to be subject to such a breach.
10. Data protection impact assessments
WalkerNash will provide reasonable assistance to Customer with any data protection impact assessment and any prior consultation with a supervisory authority, in each case solely in relation to the Service and taking into account the nature of the Processing and the information available to WalkerNash.
11. International transfers
The Service is hosted in [hosting location/region]. Where Customer's use of the Service would involve a transfer of Personal Data subject to GDPR or UK GDPR outside the EEA or the UK, the parties will give effect to an appropriate transfer mechanism, including the [EU Standard Contractual Clauses / UK Addendum], which are incorporated by reference where applicable. Given the design in Section 5, the parties intend that no Personal Data is transferred.
12. Return and deletion
On termination of the Agreement, WalkerNash will, at Customer's choice, delete or return any Customer Personal Data and delete existing copies, unless retention is required by law. Because the Service holds no Customer Personal Data at rest, the practical effect is limited to the deactivation of Customer's tenant identity and usage records. The PII-free Audit Capsule chain is handled as described in the Agreement.
13. Audit and information
WalkerNash will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including a description of the Service's architecture and security measures, and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor it mandates, on reasonable prior notice, no more than [once per year] except as required by a supervisory authority or following a Personal Data Breach, subject to confidentiality and to not compromising the security of other customers.
14. CCPA service provider terms
To the extent the CCPA applies, WalkerNash acts as a Service Provider. WalkerNash will not sell or share Personal Data, will not retain, use, or disclose it for any purpose other than the business purpose of providing the Service (or as otherwise permitted by the CCPA), and will not combine it with Personal Data from other sources except as the CCPA permits. WalkerNash certifies that it understands and will comply with these restrictions.
15. General
This DPA forms part of the Agreement. In the event of a conflict between this DPA and the Agreement regarding the Processing of Personal Data, this DPA controls. This DPA is governed by the law specified in the Agreement, or, absent that, the laws of [State of Colorado, USA]. This DPA takes effect on the effective date of the Agreement and continues until the Agreement terminates and WalkerNash ceases all Processing.
Annex I — Details of Processing
| Subject matter | Provision of the Kingsfield cloud citation-adjudication Service over MCP. |
|---|---|
| Duration | The term of the Agreement. |
| Nature & purpose | Resolving and adjudicating legal citations submitted as Tokenized Content against a corpus of public primary law; returning per-citation verdicts and a signed Audit Capsule. |
| Types of Personal Data | None intended. By design, content is tokenized before transmission and a fail-closed firewall rejects detected Personal Data. Any Personal Data is incidental or inadvertent. |
| Categories of Data Subjects | None intended. To the extent any incidental Personal Data appears, it may relate to [the Customer's clients and adverse parties]. |
| Special categories | None intended. |
Annex II — Technical and organizational measures
- Local tokenization at source. Personal Data is stripped and replaced with tokens on Customer's systems before transmission; the token-to-PII map never leaves Customer's systems.
- Fail-closed ingress firewall. Default-deny scan at the Service boundary; submissions with detected identifiers are rejected without echoing or logging the underlying text.
- No Personal Data at rest. A tenant is an authentication identity and a usage counter; the only durable per-customer record is the PII-free Audit Capsule chain.
- Encryption in transit. TLS for all connections to the Service.
- Integrity. Verdicts are emitted as signed, hash-chained Audit Capsules (Ed25519), tamper-evident and content-addressable.
- Access control. Per-tenant authentication and least-privilege administrative access. [Detail access-control and logging practices.]
- Multi-tenancy. The corpus is public law, identical and read-only for every customer; there is no per-tenant data store to isolate.
Annex III — Authorized Sub-processors
| Sub-processor | Service | Location |
|---|---|---|
| [Hosting provider] | Cloud hosting / compute | [region] |
| [CDN / edge provider] | TLS termination, CDN, DDoS protection | [region] |
Note: the judge model runs on WalkerNash-controlled infrastructure and does not call any external model API. Customer's own generative-AI tools are upstream of the Service and are not WalkerNash Sub-processors.
Reviewing this draft?
This DPA is circulated for attorney review. If you are willing to read it and send comments, redlines, or the open [bracketed] calls, we would be grateful. Send notes through the comment box on the Connect page, or contact us directly.