This Data Processing Agreement ("DPA") forms part of the Terms of Service between DDS Media Marketing LLC ("360Onboard," "we," "us," or "Processor") and you ("Client" or "Controller") for the use of the 360Onboard platform.
1. DEFINITIONS
Personal Data: Any information relating to an identified or identifiable natural person that is processed through the 360Onboard platform.
Processing: Any operation performed on Personal Data, including collection, storage, organization, use, disclosure, or deletion.
Controller: The Client, who determines the purposes and means of processing Personal Data.
Processor: 360Onboard (DDS Media Marketing LLC), who processes Personal Data on behalf of the Controller.
Sub-processor: Any third-party service provider engaged by 360Onboard to process Personal Data.
Data Subject: The individual whose Personal Data is being processed (typically your clients/customers).
EU SCCs: The Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, completed as set forth in Schedule A below.
2. SCOPE OF PROCESSING
What data we process:
- Names, email addresses, phone numbers, and business information submitted through onboarding flows
- Files and documents uploaded by your clients
- Form responses and questionnaire answers
- E-signature data and signed documents
- Any other data your clients submit through 360Onboard workflows
Why we process it:
- To provide the 360Onboard service and automate your client onboarding workflows
- To enable communication between you and your clients
- To store and organize onboarding responses and documents
- To facilitate e-signatures on uploaded documents
Duration:
- While you maintain an active 360Onboard account
- 30 days after cancellation (for data export)
- Permanent deletion from all systems after 30-day export period
3. OUR OBLIGATIONS AS PROCESSOR
We will:
- Process data only per your instructions: We only process Personal Data as necessary to provide the 360Onboard service or as directed by you through the platform.
- Maintain confidentiality: Only David De Souza (Founder/CEO) has access to client data. No team members, contractors, or third parties have access except our sub-processors listed below.
- Implement security measures:
  - Encryption in transit (TLS/SSL)
  - Encryption at rest (AES-256)
  - Secure authentication and access controls
  - Regular security monitoring
  - SOC2 Type II certified infrastructure (via Supabase)
- Assist with data subject requests: We'll help you respond to requests from your clients' customers for data access, correction, deletion, or portability within 48 hours of your request.
- Delete data when required: Upon account cancellation, you have 30 days to export all data. After 30 days, all Personal Data is permanently deleted from our servers with no backup retention.
- Notify you of breaches: If we discover any security breach affecting your data, we'll notify you within 24 hours with details of what happened, what data was affected, and our remediation steps.
4. SUB-PROCESSORS
Default sub-processors: The following sub-processors are used by default to provide the 360Onboard service to all customers. These services automatically process Personal Data as part of the platform's core functionality:
| Sub-processor | Service | Address | Location | Purpose | Certifications |
|---|---|---|---|---|---|
| Supabase Inc. | Database & Storage | 970 Toa Payoh North #07-04, Singapore 318992 | US East (AWS) | Data storage and database management | SOC2 Type II |
| Vercel Inc. | Hosting | 440 N Barranca Ave #4133, Covina, CA 91723, United States | US | Application hosting and delivery | SOC2 Type II |
| FunFirst s.r.o. (EmailIt) | Email Delivery | Na louži 258/13, Vršovice, 101 00 Praha 10, Czech Republic | US (via FunFirst, Inc.) | Transactional emails (invitations, reminders) | GDPR Compliant |
Sub-processor changes: We may add new default sub-processors as needed to improve the service. We will notify you via email at least 5 days before adding or replacing any default sub-processor. You may object to the appointment of a new sub-processor within this 5-day period by providing written notice to david@360onboard.com. If we cannot accommodate your objection, you may terminate your account.
Customer-selected integrations: Optional features or integrations that you choose to enable (such as connecting your own third-party services, APIs, or tools where you provide your own credentials) are not considered sub-processors under this DPA. These are your independent choices and you are responsible for reviewing the terms and privacy policies of any such third-party services you choose to connect.
An up-to-date list of default sub-processors is maintained at https://360onboard.com/legal/data-processing-agreement
5. DATA LOCATION & INTERNATIONAL TRANSFERS
Primary storage: US East (via Supabase and Vercel)
For EU/UK/Swiss clients: By using 360Onboard, you acknowledge that Personal Data will be transferred to and processed in the United States.
Standard Contractual Clauses: For transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland to the United States, the parties agree to be bound by the EU SCCs (Module 2: Controller to Processor) as set forth in Schedule A of this DPA. By accepting this DPA, both parties are deemed to have executed the EU SCCs.
Our infrastructure providers (Supabase and Vercel) maintain appropriate data protection safeguards including Standard Contractual Clauses and compliance certifications required for international data transfers.
6. YOUR RIGHTS & RESPONSIBILITIES
You are responsible for:
- Ensuring you have a legal basis to collect and process your clients' Personal Data
- Providing appropriate privacy notices to your clients
- Obtaining necessary consents from your clients
- Responding to data subject requests from your clients' customers
- Using 360Onboard in compliance with applicable data protection laws
You have the right to:
- Export all your data at any time
- Request deletion of specific data
- Request our security documentation
- Object to new default sub-processors within the 5-day notification period
- Terminate the agreement if you object to sub-processor changes
7. DATA DELETION & RETENTION
- During active use: Data is retained as long as you maintain an active account
- After cancellation: 30-day grace period for data export
- Permanent deletion: After 30 days, all data is permanently deleted from our servers
- No backups: We do not retain data in backup systems after deletion
Self-service deletion: You can delete all your account data, including all associated client data, directly through your account settings in the 360Onboard application at any time. This action is immediate and irreversible.
To request immediate deletion via support (right to be forgotten), email us at david@360onboard.com. We'll delete all data within 24 hours.
8. SECURITY MEASURES
We implement appropriate technical and organizational measures including:
Technical measures:
- TLS/SSL encryption for all data in transit
- AES-256 encryption for data at rest
- Secure authentication and password requirements
- Regular security monitoring and logging
- Infrastructure provided by SOC2 Type II certified providers
Organizational measures:
- Access limited to founder only (David De Souza)
- Confidentiality obligations for any future authorized personnel
- Regular security reviews and updates
- Incident response procedures
9. AUDITS & COMPLIANCE
Upon reasonable request, we will provide:
- This Data Processing Agreement
- Links to our sub-processors' security documentation and compliance certifications
- General information about our security practices
Available documentation:
- Supabase SOC2 Report: https://supabase.com/docs/guides/security/soc-2-compliance
- Supabase DPA: https://supabase.com/legal/dpa
- Vercel DPA: https://vercel.com/legal/dpa
- EmailIt Terms: https://emailit.com/terms-of-service
- EmailIt Privacy Policy: https://emailit.com/privacy-policy
Contact david@360onboard.com for any compliance inquiries.
10. LIABILITY & INDEMNIFICATION
Each party's liability under this DPA is subject to the limitations of liability set forth in the 360Onboard Terms of Service.
We will indemnify you against claims arising from our breach of this DPA, except where such breach results from your instructions or misuse of the service.
11. TERM & TERMINATION
This DPA remains in effect for as long as we process Personal Data on your behalf.
Upon termination:
- You have 30 days to export all data
- We permanently delete all data after the 30-day period
- Our obligations regarding confidentiality survive termination
12. CONTACT INFORMATION
DDS Media Marketing LLC (360Onboard)
8 The Greene, Suite B
Dover, DE 19901
United States
Email: david@360onboard.com
SCHEDULE A
STANDARD CONTRACTUAL CLAUSES (PROCESSORS)
This Schedule A incorporates the Standard Contractual Clauses (Module 2: Controller to Processor) issued by the European Commission pursuant to Decision 2021/914. The EU SCCs are deemed completed as follows:
Clause 7 (Docking clause): Included
Clause 9 (Use of sub-processors): Option 2 (General written authorization) applies. See Section 4 of this DPA for sub-processor notification requirements. A 5-day advance notice period applies to changes in default sub-processors.
Clause 11 (Redress): The optional independent dispute resolution body language does not apply.
Clause 17 (Governing law): The laws of Ireland apply.
Clause 18 (Choice of forum and jurisdiction): The courts of Ireland have jurisdiction.
ANNEX I
A. LIST OF PARTIES
Data exporter (Controller):
- Name: Client (as identified in the 360Onboard Terms of Service)
- Address: As provided in Client's account registration
- Contact: Account owner email address
- Role: Controller
Data importer (Processor):
- Name: DDS Media Marketing LLC
- Address: 8 The Greene, Suite B, Dover, DE 19901, United States
- Contact: david@360onboard.com
- Role: Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
- Client's customers and end-users who submit information through 360Onboard onboarding flows, including individuals providing contact information, form responses, uploaded documents, and e-signatures.
Categories of personal data transferred:
- Contact information: names, email addresses, phone numbers, business information
- Form data: questionnaire responses, survey answers, text inputs
- Documents: uploaded files and attachments
- E-signature data: signature images, timestamps, IP addresses
- Metadata: submission timestamps, user agent information
Sensitive data transferred (if applicable):
- None, unless Client specifically collects such data through their onboarding flows. Client is responsible for ensuring an appropriate legal basis for any sensitive data collection.
The frequency of the transfer:
- Continuous, as data is submitted by end-users through Client's onboarding flows for the duration of the service agreement.
Nature of the processing:
- Collection, storage, organization, structuring, retrieval, consultation, use, disclosure by transmission, and deletion of Personal Data to provide client onboarding automation services.
Purpose(s) of the data transfer and further processing:
- To provide the 360Onboard service as described in the Terms of Service
- To enable Client to collect, organize, and manage information from their customers
- To facilitate e-signatures on uploaded documents
- To enable communication between Client and their customers
- To provide Client with access to collected data and analytics
The period for which the personal data will be retained:
- For the duration of Client's active account
- 30 days after account cancellation for data export purposes
- Permanent deletion after 30-day export period, with no backup retention
- Client may delete all data immediately through account settings at any time
For transfers to sub-processors:
- Subject matter: Database hosting, application hosting, and transactional email delivery
- Nature: Storage, processing, and transmission of Personal Data
- Duration: For the duration of the service agreement
- See Section 4 of this DPA for complete sub-processor list
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority will be determined in accordance with Clause 13 of the EU SCCs and applicable data protection law. Where possible and legally permissible, the Irish Data Protection Commission will be the designated supervisory authority.
For Clients based in other EU member states, the competent supervisory authority will be the authority of the Client's jurisdiction.
ANNEX II - TECHNICAL AND ORGANIZATIONAL MEASURES
Description of the technical and organizational measures implemented by the data importer to ensure an appropriate level of security:
Technical Measures:
Encryption:
- Data encrypted in transit using TLS/SSL protocols
- Data encrypted at rest using AES-256 encryption
- Secure key management through infrastructure providers
Access Controls:
- Authentication required for all platform access
- Secure password requirements enforced
- Role-based access control for Client users
- Founder-only access to underlying data infrastructure
- Self-service deletion capability for Clients through account settings
Infrastructure Security:
- SOC2 Type II certified infrastructure (Supabase)
- Multi-region redundancy for high availability
- Regular security monitoring and logging
- Automated backup systems (deleted upon account termination)
Network Security:
- Firewalls and network segmentation
- DDoS protection
- Intrusion detection systems
- Regular security scanning and vulnerability assessments
Organizational Measures:
Access Management:
- Strict limitation of personnel access
- Currently: Only founder (David De Souza) has access to client data
- Future personnel will be bound by confidentiality obligations
- Background checks for any personnel with data access
Policies and Procedures:
- Data protection and privacy policies
- Incident response procedures
- Regular security reviews and updates
- Employee training on data protection (when applicable)
Data Processing:
- Processing limited to documented instructions
- Purpose limitation enforced
- Data minimization principles applied
- Regular review of data retention practices
- Client self-service data deletion available
Incident Response:
- 24-hour breach notification commitment
- Documented incident response procedures
- Regular testing of response capabilities
- Coordination with Clients on breach communications
Vendor Management:
- Due diligence on sub-processors
- Contractual obligations for sub-processors
- Regular review of sub-processor compliance
- SOC2 Type II certification requirement for infrastructure providers
- GDPR compliance verification for EU-based sub-processors
Audit and Compliance:
- Compliance documentation available upon request
- Links to sub-processor certifications provided
- Regular security assessments
- Cooperation with regulatory inquiries
ANNEX III - LIST OF SUB-PROCESSORS
The list of approved default sub-processors is set forth in Section 4 of this DPA, including:
Supabase Inc.
- Service: Database & Storage
- Location: US East (AWS)
- Address: 970 Toa Payoh North #07-04, Singapore 318992
- Certification: SOC2 Type II
Vercel Inc.
- Service: Hosting
- Location: US
- Address: 440 N Barranca Ave #4133, Covina, CA 91723, United States
- Certification: SOC2 Type II
FunFirst s.r.o. (EmailIt)
- Service: Email Delivery
- Location: US (operating via FunFirst, Inc.)
- Address: Na louži 258/13, Vršovice, 101 00 Praha 10, Czech Republic
- Compliance: GDPR Compliant, operates under Czech and EU data protection laws
General authorization is granted for the use of default sub-processors listed in Section 4, subject to the 5-day notification and objection procedures described in Section 4 of this DPA.
Note: Customer-selected integrations (where Customer provides their own credentials to connect third-party services) are not listed as sub-processors, as these are independent choices made by the Customer and fall outside the scope of this DPA.
ACCEPTANCE
By using 360Onboard, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement, including the EU Standard Contractual Clauses incorporated in Schedule A.