This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Controller") and IT Custom Solution LLC, a New York limited liability company ("Processor"). It applies to any processing of Personal Data on behalf of the Controller via the GovBidAI service.
01 Parties & roles
The Controller determines the purposes and means of processing. The Processor (ITC) processes Personal Data only on documented instructions from the Controller, except where required to do otherwise by Union or Member State law (in which case the Processor will inform the Controller of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest).
02 Subject matter & duration
Subject matter: provision of the GovBidAI service. Duration: the term of the Order Form plus the retention period defined in Section 09. Nature and purpose: SaaS data processing covering storage, retrieval, analysis, and generation in furtherance of the Controller's procurement activities.
03 Categories of data & data subjects
Categories of Personal Data: identifying data (name, work email, role, company), contact data, professional data (NAICS/PSC, certifications, past performance), and technical metadata (IP, user agent, timestamps). Categories of data subjects: Controller's employees, contractors, and authorized agents using the Service.
The Service is not intended for processing special categories of data under Art. 9 GDPR. Controller agrees not to upload such data without prior written agreement.
04 Subprocessors
Controller authorizes Processor to engage the subprocessors listed in Appendix B. Processor will notify Controller 30 days before adding any new subprocessor, during which Controller may object on reasonable grounds. If Controller objects, Processor may terminate the affected portion of the Service with a pro-rata refund.
05 International transfers
For transfers of Personal Data from the EU/EEA/UK to a country without an adequacy decision, the parties incorporate by reference the Standard Contractual Clauses (Commission Implementing Decision 2021/914), Module Two (Controller-to-Processor), with the optional clause additions noted in Appendix C. The UK Addendum (Version B1.0) applies to transfers from the United Kingdom.
06 Security measures
Processor implements the technical and organizational measures detailed in Appendix A, including: encryption in transit (TLS 1.3) and at rest (AES-256), role-based access control with MFA, audit logging with retention sized to plan, vulnerability management against an internal SLA, and engineering on-call coverage for customer-affecting incidents. Detailed control descriptions are available on request via trust@trygovbidai.com.
07 Data subject rights
Processor will assist Controller in responding to data subject requests (access, correction, deletion, portability, objection, restriction) via product features and, where insufficient, by good-faith manual handling within 30 days of a written request to privacy@trygovbidai.com.
08 Breach notification
Processor will notify Controller without undue delay (and in no event later than 72 hours) after becoming aware of a Personal Data Breach. Notification will include the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.
09 Term & deletion
This DPA remains in effect for the duration of the Order Form. Upon termination, Processor will delete or return all Personal Data within 30 days, at Controller's option. Backups will be overwritten in the normal backup retention cycle, no later than 90 days. Certificates of deletion are available on request.
10 Appendices
- Appendix A: Technical and Organizational Measures
- Appendix B: Subprocessors (current list maintained on the Trust center)
- Appendix C: Standard Contractual Clauses (EU 2021/914 Module Two + UK Addendum B1.0)
- Appendix D: Signature Block (counter-sign and return; we'll do the rest)
To execute this DPA: download the PDF below, complete the signature block in Appendix D, and email the signed copy to dpa@trygovbidai.com. We'll counter-sign within one business day.