Preamble
This Personal Data Processing Agreement (hereinafter "DPA") is entered into between 785 Media LLC trading as Topa.io (hereinafter "Topa.io") and the Client, as defined in the Terms and Conditions. This DPA incorporates by reference the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914, which automatically apply to international transfers of personal data.
Terms beginning with a capital letter have the same definition as given in the Terms and Conditions.
The DPA applies to the processing of personal data carried out by Topa.io for the Client, in the context of the Client's use of the Software accessible from Topa.io's website (https://topa.io and https://app.topa.io) and the Topa.io API.
The purpose of this DPA is to ensure compliance of personal data processing carried out by Topa.io for the Client with paragraphs 3 and 4 of Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter "GDPR").
It is understood that Topa.io acts on behalf of the Client and on documented instructions from the latter. The Client acts either on its own behalf and for its own purposes as a data controller or on behalf and for the purposes of its own clients as a data processor.
The processing activities carried out by Topa.io for the Client have the following characteristics:
Topa.io processes personal data only for the purposes of the processing.
Topa.io processes personal data only on documented instructions from the Client, unless required to do so by Union or Member State law. In such cases, Topa.io shall inform the Client of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
Topa.io shall inform the Client if, in its opinion, an instruction given by the Client infringes the GDPR or applicable data protection regulations.
Topa.io implements the technical and organizational measures specified in Appendix 1 to ensure the security of personal data. These measures include, in particular, protection against any security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of personal data, or unauthorized access to such data.
When assessing the appropriate level of security, Topa.io takes into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the risks to data subjects.
Topa.io grants its personnel access to personal data being processed only to the extent strictly necessary for the execution, management, and monitoring of processing. Topa.io ensures that they commit to maintaining confidentiality.
Topa.io makes available to the Client all information necessary to demonstrate compliance with the obligations set forth in this DPA.
At the Client's request and in the presence of indications of non-compliance, Topa.io also allows for audits of processing activities covered by this DPA. This audit may be carried out by the Client itself or by an independent auditor it mandates. The audit is conducted with 30 days' notice sent by the Client to Topa.io.
Topa.io makes available to the competent supervisory authority, upon request, the information set out in this article, including the results of any audit.
Topa.io has the Client's general authorization regarding the recruitment of sub-processors based on the agreed list present in Appendix 2. Topa.io specifically informs the Client by any means of any planned changes to this list through the addition or replacement of sub-processors at least eight (8) days in advance, thus allowing the Client to object to these changes before the recruitment of the concerned sub-processor(s).
When Topa.io engages a sub-processor to carry out specific processing activities, it ensures that the sub-processor has similar data obligations to those imposed on Topa.io by this DPA.
Topa.io remains fully responsible to the Client for the performance of the sub-processor's obligations under the contract concluded with the latter.
Any transfer of personal data to a third country or international organization by Topa.io is only carried out based on documented instructions from the Client or to meet a specific requirement of Union or Member State law and is conducted in accordance with Chapter V of the GDPR.
When the Client's use of Topa.io services involves transfers of personal data outside the European Economic Area, such transfers shall be governed by the Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), which are hereby incorporated by reference and form an integral part of this DPA ("SCC").
By accepting this DPA, the Client automatically becomes a party to the SCC as a data exporter, with Topa.io acting as data importer. The Client's specific details (name, address, contact information) are those provided in their Topa.io account and are incorporated into the SCC by reference. The SCC shall apply automatically to any such international transfers without requiring separate execution.
The Client agrees that when Topa.io engages a sub-processor in accordance with Article 6 and the processing activities involve a transfer of personal data within the meaning of Chapter V of the GDPR, Topa.io and the sub-processor may frame this transfer using the same standard contractual clauses.
Topa.io shall promptly inform the Client when it receives a request to exercise rights from a data subject. Topa.io assists the Client in responding to requests from data subjects to exercise their rights, taking into account the nature of the processing. Topa.io complies with the Client's instructions.
However, when it comes to an opt-out request made through Topa.io's website via the "Do not sell my information" module (if applicable), the request is deemed to be directly addressed to Topa.io. In this case, Topa.io grants the data subject's request without having to notify the Client.
Topa.io assists the Client in ensuring compliance with the following obligations, taking into account the nature of the processing and the information available to Topa.io:
In case of a personal data breach related to data processed by Topa.io, it shall inform the Client without undue delay after becoming aware of it.
This notification shall contain:
When it is not possible to provide all information at the same time, the initial notification shall contain the information available at that time, and further information shall be provided subsequently as it becomes available without undue delay.
Following the termination of the Terms and Conditions or the DPA, the Contract ends. Following the end of the Contract, Topa.io deletes all personal data processed on behalf of the Client, unless Union or Member State law requires longer retention.
In the event of Topa.io's breach of obligations under this DPA, the Client may instruct Topa.io to suspend the processing of personal data until the latter complies with these clauses or until the Contract is terminated in accordance with the Terms and Conditions. Topa.io shall promptly inform the Client if it is unable to comply with these clauses for any reason.
The Client may terminate this DPA if processing has been suspended and compliance is not restored within two months of suspension.
Topa.io may terminate the DPA when, after informing the Client that its instructions violate the GDPR and data protection regulations, the Client insists that its instructions be followed.
To ensure data security in accordance with Article 32 of the GDPR, Topa.io implements technical and organizational measures. These measures are designed to protect personal data against any unauthorized or unlawful processing, accidental loss, destruction, or damage.
Topa.io uses robust password hashing, such as bcrypt with a cost factor of 14, to protect user credentials. Additionally, Topa.io uses pseudonymization techniques, such as logging keyed on user identifiers rather than directly identifying data, to enhance data protection and minimize risks to data subjects' privacy.
Topa.io ensures processing system resilience through secured databases hosted within a virtual private cloud (VPC). This approach protects against unauthorized access and ensures data availability and integrity.
The security framework includes regular unit and integration testing, as well as continuous evaluation of our technical measures. This proactive approach ensures the ongoing effectiveness of security practices in protecting data during processing.
We implement secure user identification and authorization mechanisms, including session cookies (JWT) signed with HMAC-SHA256 (HS256). Role-based access control (RBAC) is strictly enforced for each user action, ensuring access rights are properly managed and restricted.
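As an added illustration (not Topa.io's code) of the session-cookie and RBAC measures described above: an HS256-signed JWT is minted and verified with the algorithm pinned and a constant-time MAC comparison, and every action is gated by a role check. The secret, role names and action names are constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; a real deployment loads this from a secrets store.
SECRET = b"constructed-demo-secret-do-not-use"

# Constructed role -> permitted actions table (hypothetical action names).
ROLE_PERMISSIONS = {
    "admin": {"read_contact", "delete_contact", "send_sms"},
    "agent": {"read_contact", "send_sms"},
    "viewer": {"read_contact"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_session(user_id: str, role: str, ttl: int = 3600, now=None) -> str:
    """Create an HS256-signed session token carrying user id, role and expiry."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": user_id, "role": role, "exp": now + ttl}, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_session(token: str, now=None):
    """Return the claims if the HS256 signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: reject "none" or anything other than HS256 before touching the MAC.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time comparison
            return None
        claims = json.loads(_b64url_decode(p))
        if claims.get("exp", 0) <= now:  # expired sessions are rejected
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token, bad base64/JSON, or unexpected claim types

def authorize(token: str, action: str, now=None) -> bool:
    """RBAC check run on every action: valid session AND the role permits the action."""
    claims = verify_session(token, now)
    if claims is None:
        return False
    return action in ROLE_PERMISSIONS.get(claims.get("role"), set())
```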
All data transmissions are secured via HTTPS (TLS), extending robust encryption from the user endpoint to our databases. This ensures data confidentiality and integrity in transit.
Data at rest is protected by AES encryption, a widely recognized standard that provides a high level of security for stored data.
Our primary data hosting providers (see Appendix 2) are compliant with SOC 2 and/or ISO 27001 standards, ensuring physical security measures are in place to protect against unauthorized data access.
We maintain comprehensive access logs, including IP addresses, user IDs, actions taken, and roles. These logs are encrypted at rest and retained for one year, supporting both security monitoring and compliance requirements.
Adherence to the "data minimization" principle is ensured through a rigorous data registry, which justifies the collection and processing of each data element.
Data retention policies are strictly enforced, with each dataset being assigned a creation and expiration date. This approach is balanced against legitimate interests to ensure compliance with applicable legal and regulatory requirements.
For transfers to sub-processors, we require the implementation of specific technical and organizational measures enabling the sub-processor to effectively assist the data controller. These measures include, among others, encryption of personal data, ensuring confidentiality, integrity, availability, and resilience of processing systems and services, as well as compliance with data minimization and retention policies.
The Client authorizes Topa.io to use the following sub-processors for the processing of personal data:
| Sub-processor | Role / Activity | Location of Processing |
|---|---|---|
| Twilio | Cloud communications platform for sending SMS, making calls, and AI Voicemails. | USA / Global |
| Supabase | Backend-as-a-Service (BaaS) provider for database hosting, authentication, and real-time data storage. | USA / Global |
| Netlify | Web hosting platform for deploying and managing the frontend application and serverless functions. | Global (CDN) |
If you have questions or comments about this Data Processing Agreement, please contact us at: