1. Introduction and Scope
This Data Processing Agreement ("DPA") forms part of the service agreement between Floodlight, Inc. ("Processor", "Floodlight", "we", "us", or "our") and the customer ("Controller", "you", or "your") governing the processing of personal data on behalf of the Controller.
This DPA applies when Floodlight processes personal data on behalf of the Controller as part of providing climate intelligence and emissions monitoring services. It ensures compliance with the EU General Data Protection Regulation (GDPR), specifically Article 28, and other applicable data protection laws.
2. Definitions
- Controller: The entity that determines the purposes and means of processing personal data
- Processor: The entity that processes personal data on behalf of the Controller
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data (collection, storage, analysis, disclosure, deletion, etc.)
- Data Subject: An identified or identifiable natural person whose personal data is processed
- Sub-processor: Any third party engaged by the Processor to process personal data
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council
- Supervisory Authority: An independent public authority established by an EU Member State
3. Roles and Responsibilities
3.1 Controller Responsibilities
The Controller:
- Determines the purposes and means of processing personal data
- Ensures that it has a lawful basis for processing
- Provides clear instructions to the Processor regarding data processing
- Ensures compliance with applicable data protection laws
- Handles data subject requests and complaints
- Maintains records of processing activities
3.2 Processor Responsibilities
The Processor:
- Processes personal data only on documented instructions from the Controller
- Ensures that persons authorized to process personal data are bound by confidentiality
- Implements appropriate technical and organizational measures
- Assists the Controller in responding to data subject requests
- Assists the Controller with data protection impact assessments
- Notifies the Controller of any personal data breaches
- Deletes or returns personal data upon termination of services
4. Processing Instructions
4.1 Nature and Purpose of Processing
Floodlight will process personal data for the following purposes:
- Providing climate intelligence and emissions monitoring services
- Analyzing satellite data and generating environmental insights
- Delivering reports, dashboards, and analytics
- Providing customer support and account management
- Maintaining and improving the platform
4.2 Duration of Processing
Processing will continue for the duration of the service agreement and for a reasonable period thereafter to fulfill legal obligations, unless earlier deletion is requested by the Controller.
4.3 Types of Personal Data
The following categories of personal data may be processed:
- Contact Information: Names, email addresses, phone numbers, job titles
- Account Data: Usernames, login credentials, user roles
- Business Data: Company names, addresses, industry information
- Usage Data: Activity logs, IP addresses, device information
- Communication Data: Support tickets, correspondence, feedback
- Location Data: Facility addresses, geographic coordinates for asset monitoring
4.4 Categories of Data Subjects
- Employees and contractors of the Controller
- Authorized users of the Floodlight platform
- Business contacts and representatives
5. Security Measures
5.1 Technical and Organizational Measures
Floodlight implements the following security measures to protect personal data:
5.2 Technical Measures
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Controls: Role-based access control (RBAC) and multi-factor authentication (MFA)
- Network Security: Firewalls, intrusion detection/prevention systems, DDoS protection
- Secure Infrastructure: Google Cloud Platform with ISO 27001, SOC 2, and GDPR compliance
- Vulnerability Management: Regular security assessments, penetration testing, and patching
- Logging and Monitoring: Comprehensive audit logs and security event monitoring
5.3 Organizational Measures
- Data Protection Officer: Designated DPO responsible for data protection compliance
- Security Policies: Documented information security and data protection policies
- Employee Training: Regular security and privacy training for all personnel
- Background Checks: Screening of employees with access to personal data
- Incident Response: Documented procedures for detecting, reporting, and responding to breaches
- Business Continuity: Disaster recovery and backup procedures
6. Sub-processors
6.1 Authorization to Use Sub-processors
The Controller authorizes Floodlight to engage sub-processors to fulfill its obligations under this DPA. Floodlight will ensure that sub-processors are bound by data protection obligations equivalent to those in this DPA.
6.2 Current Sub-processors
Floodlight currently engages the following sub-processors:
- Google Cloud Platform (Google LLC): Cloud hosting and infrastructure (USA, EU regions)
- HubSpot, Inc.: Customer relationship management and marketing (USA)
- Stripe, Inc.: Payment processing (USA)
- SendGrid, Inc.: Email delivery services (USA)
- Zendesk, Inc.: Customer support platform (USA)
6.3 Notification of Changes
Floodlight will notify the Controller at least 30 days in advance of any intended changes concerning the addition or replacement of sub-processors. The Controller may object to such changes on reasonable grounds.
7. Data Subject Rights
7.1 Assistance with Data Subject Requests
Floodlight will assist the Controller in responding to requests from data subjects exercising their rights under the GDPR, including:
- Right of Access: Providing copies of personal data
- Right to Rectification: Correcting inaccurate personal data
- Right to Erasure: Deleting personal data (right to be forgotten)
- Right to Restriction: Restricting processing of personal data
- Right to Data Portability: Exporting personal data in a structured format
- Right to Object: Objecting to processing
7.2 Response Time
Floodlight will respond to Controller requests regarding data subject rights within 10 business days, unless a different timeframe is specified by law or agreed upon by the parties.
8. Personal Data Breaches
8.1 Notification Obligation
Floodlight will notify the Controller without undue delay, and in any event within 72 hours, upon becoming aware of a personal data breach affecting the Controller's data.
8.2 Breach Information
The notification will include, to the extent possible:
- Nature of the breach, including categories and approximate numbers of data subjects and records
- Name and contact details of Floodlight's data protection officer
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its adverse effects
8.3 Cooperation
Floodlight will cooperate with the Controller and provide reasonable assistance in investigating and remediating the breach, including notification to supervisory authorities and affected data subjects.
9. Data Protection Impact Assessments and Prior Consultation
Floodlight will provide reasonable assistance to the Controller in conducting data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, where required by Articles 35 and 36 of the GDPR.
10. Data Transfers
10.1 International Data Transfers
Personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. Such transfers will be governed by appropriate safeguards, including:
- Standard Contractual Clauses: EU Commission-approved Standard Contractual Clauses (SCCs)
- Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission
- Binding Corporate Rules: Where applicable for sub-processors
10.2 Standard Contractual Clauses
Upon request, Floodlight will execute Standard Contractual Clauses with the Controller to govern international data transfers. The current version of the SCCs adopted by the EU Commission on June 4, 2021 (Commission Implementing Decision 2021/914) will apply.
11. Audit Rights
11.1 Audit and Inspection
The Controller has the right to audit Floodlight's compliance with this DPA. Audits may be conducted:
- Once per year during normal business hours
- With at least 30 days' prior written notice
- Through independent third-party auditors bound by confidentiality
- At the Controller's expense, unless the audit reveals material non-compliance
11.2 Certifications and Reports
In lieu of on-site audits, Floodlight may provide:
- SOC 2 Type II audit reports
- ISO 27001 certification
- Completed security questionnaires
- Other relevant compliance documentation
12. Data Retention and Deletion
12.1 Retention Period
Floodlight will retain personal data only for as long as necessary to fulfill the purposes of processing or as required by applicable law. Upon termination of services, personal data will be deleted within 90 days unless:
- The Controller requests an extension
- Legal obligations require longer retention
- Data is required for ongoing legal claims or disputes
12.2 Data Return or Deletion
Upon termination, the Controller may request:
- Data Return: Receive a copy of all personal data in a structured, commonly used format
- Data Deletion: Secure deletion of all personal data and existing copies
12.3 Certification of Deletion
Upon request, Floodlight will provide written certification that personal data has been deleted in accordance with this DPA.
13. Liability and Indemnification
13.1 GDPR Liability
Each party's liability under this DPA is subject to the limitations set forth in the GDPR, particularly Article 82. Each party is liable only for damage caused by processing that violates the GDPR or fails to comply with lawful instructions.
13.2 Limitation of Liability
Subject to applicable law, the total liability of Floodlight arising out of or related to this DPA shall not exceed the amount paid by the Controller to Floodlight in the 12 months preceding the claim.
14. Confidentiality
Floodlight will ensure that all personnel authorized to process personal data are bound by obligations of confidentiality. These obligations will survive termination of employment or engagement.
15. Term and Termination
15.1 Term
This DPA will commence on the effective date of the service agreement and will remain in effect for the duration of the processing activities, including any post-termination obligations.
15.2 Survival
The provisions of this DPA that by their nature should survive termination (including data deletion, confidentiality, and liability) will survive termination of the service agreement.
16. Governing Law and Jurisdiction
This DPA is governed by the laws of the State of California, United States, except where the GDPR or other mandatory data protection laws require application of EU Member State law. Disputes will be resolved in accordance with the dispute resolution provisions of the service agreement.
17. Amendments
This DPA may be amended by Floodlight to reflect changes in data protection laws, regulatory guidance, or industry best practices. Material changes will be communicated to the Controller with at least 30 days' notice.
18. Order of Precedence
In the event of any conflict between this DPA and the service agreement, this DPA shall prevail to the extent of the conflict with respect to data protection matters.
19. Severability
If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions will continue in full force and effect.
20. Contact Information
For questions or concerns regarding this DPA or data protection matters, please contact:
- Data Protection Officer: [email protected]
- Legal Department: [email protected]
- Address: Floodlight, Inc., 123 Climate Street, San Francisco, CA 94105, USA
- Phone: +1 (415) 555-0100
21. Acknowledgment
By using Floodlight's services, the Controller acknowledges that it has read, understood, and agrees to be bound by the terms of this Data Processing Agreement.
Related Documents:
- Privacy Policy - Our privacy practices
- Terms of Service - Service agreement terms
- Cookie Policy - Use of cookies and tracking