Data Processing Agreement

1. Introduction

This DPA sets out the terms that apply when personal data is processed by Never Expire Again on behalf of the Customer in connection with the Service. This DPA is designed to ensure compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Definitions

"Personal Data"

Any information relating to an identified or identifiable natural person.

"Processing"

Any operation performed on Personal Data, including collection, storage, use, and deletion.

"Controller"

The entity that determines the purposes and means of Processing Personal Data (you, the Customer).

"Processor"

The entity that Processes Personal Data on behalf of the Controller (Never Expire Again).

"Sub-processor"

Any third party engaged by the Processor to Process Personal Data.

"Data Subject"

The individual to whom Personal Data relates.

3. Scope of Processing

3.1 Subject Matter

The Processor will Process Personal Data as necessary to provide the expiration tracking and reminder Service.

3.2 Duration

Processing will continue for the duration of your use of the Service, plus any retention period required by law or as specified in our Privacy Policy.

3.3 Nature and Purpose

The nature and purpose of Processing includes:

• Storing and displaying expiration tracking data
• Sending reminder notifications
• Account management and authentication
• Customer support
• Service improvement and analytics

3.4 Types of Personal Data

• Account information (name, email address)
• Expiration item data entered by the Customer
• Usage data and logs
• Payment information (processed by third-party payment processor)

3.5 Categories of Data Subjects

• Customer's employees and authorized users
• Individuals whose information is included in expiration tracking items

4. Processor Obligations

The Processor shall:

• Process Personal Data only on documented instructions from the Controller
• Ensure persons authorized to Process Personal Data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist the Controller in responding to Data Subject requests
• Assist the Controller in ensuring compliance with security, breach notification, and data protection impact assessment obligations
• Delete or return Personal Data upon termination (at Controller's choice)
• Make available information necessary to demonstrate compliance

5. Security Measures

The Processor implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

• Encryption of data in transit and at rest
• Access controls and authentication
• Regular security testing and assessment
• Employee security training
• Incident response procedures
• Business continuity and disaster recovery

For detailed information, see our Security page.

6. Sub-processors

6.1 Authorization

The Controller provides general authorization for the Processor to engage Sub-processors to Process Personal Data, subject to the requirements in this section.

6.2 Current Sub-processors

A list of current Sub-processors is available at /subprocessors.

6.3 Notification of Changes

The Processor will notify the Controller of any intended changes to Sub-processors at least 30 days before the change, providing an opportunity to object.

6.4 Objection

If the Controller objects to a new Sub-processor on reasonable data protection grounds and the parties cannot resolve the objection, the Controller may terminate the affected Service.

6.5 Sub-processor Obligations

The Processor ensures that Sub-processors are bound by data protection obligations no less protective than those in this DPA.

7. Data Subject Rights

The Processor will assist the Controller in responding to requests from Data Subjects to exercise their rights, including:

• Right of access
• Right to rectification
• Right to erasure
• Right to data portability
• Right to restriction of processing
• Right to object

The Processor will notify the Controller without undue delay if it receives any request directly from a Data Subject.

8. Data Breach Notification

The Processor will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting the Controller's data.

The notification will include:

• Description of the nature of the breach
• Categories and approximate number of Data Subjects affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach

9. Audit Rights

The Processor will make available to the Controller information necessary to demonstrate compliance with this DPA and allow for audits and inspections by the Controller or an auditor mandated by the Controller.

Audits shall be conducted:

• Upon reasonable notice (at least 30 days)
• During normal business hours
• In a manner that minimizes disruption to operations
• Subject to reasonable confidentiality obligations

10. International Data Transfers

The Processor may transfer Personal Data outside the European Economic Area (EEA) only:

• To countries with an adequacy decision from the European Commission
• Subject to appropriate safeguards such as Standard Contractual Clauses
• Pursuant to other lawful transfer mechanisms under GDPR

Our servers are located in [SERVER_LOCATION].

11. Termination and Data Return

Upon termination of the Service:

• The Controller may export their data using the Service's export functionality
• Upon request, the Processor will delete all Personal Data within 30 days
• The Processor may retain data as required by law, with appropriate safeguards

12. DPA Contact

For questions about this DPA or to exercise rights under it: