Data Processing Addendum
Acerti’s standard Data Processing Addendum for engagements that process personal data subject to GDPR, UK GDPR, CCPA/CPRA, Quebec Law 25, and similar laws. Executed alongside your MSA.
This page is a public summary of Acerti’s standard Data Processing Addendum. The executable PDF is provided on request and is signed alongside the Master Services Agreement (MSA) for any engagement that processes personal data.
§01 Purpose & scope
This DPA reflects the parties’ agreement on the processing of Personal Data by Acerti on behalf of the Client in connection with services provided under the MSA. It applies whenever Acerti processes Personal Data subject to GDPR, UK GDPR, the Swiss FADP, CCPA/CPRA, Quebec Law 25, Brazil’s LGPD, or comparable laws.
§02 Definitions
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Sub-processor” have the meanings given in GDPR (or equivalent applicable law).
- “Standard Contractual Clauses” means the EU Commission Implementing Decision (EU) 2021/914 (2021 SCCs).
- “UK IDTA” means the UK International Data Transfer Addendum to the 2021 SCCs.
- “MSA” means the Master Services Agreement between the parties.
§03 Roles of the parties
For services delivered under the MSA, the Client is the Controller (or a Processor acting on behalf of its own Controller) and Acerti is the Processor. Acerti processes Personal Data only on the documented instructions of the Client and only to deliver the services.
Acerti will inform the Client if, in its opinion, an instruction infringes applicable data protection law.
§04 Subject matter, nature, and duration
| Element | Description |
|---|---|
| Subject matter | Provision of consulting and delivery services as defined in the applicable SOW. |
| Nature | Hosting, storing, accessing, analysing, transmitting, and otherwise processing Personal Data to perform the services. |
| Purpose | Delivering the services and meeting Acerti’s contractual obligations. |
| Duration | The term of the MSA, plus any retention period required by law or expressly agreed in writing. |
§05 Categories of Personal Data and Data Subjects
The specific categories depend on each engagement. Typical examples include:
Data Subjects
- Client employees and contractors using systems Acerti supports
- Client’s customers, prospects, partners, or end-users (where the services involve customer-facing systems)
Categories of Personal Data
- Identification data (name, work email, role, employer)
- Professional data (skills, experience, performance metrics)
- Contact data (phone, address)
- Technical data (IP address, device IDs, log data)
- Transaction or interaction data, where in scope
No special-category data is processed unless expressly agreed in the SOW and supported by appropriate safeguards.
§06 Acerti’s obligations as Processor
- Process Personal Data only on the Client’s documented instructions.
- Implement appropriate technical and organisational measures (see §08).
- Ensure personnel are bound by confidentiality (see §07).
- Assist the Client in responding to Data Subject requests and in meeting its accountability obligations.
- Notify the Client of any Personal Data Breach without undue delay (see §12).
- Engage Sub-processors only under the terms of §09.
- Make available all information needed to demonstrate compliance and allow audits (§13).
- At the end of the services, delete or return Personal Data per §14.
§07 Confidentiality of personnel
Acerti personnel with access to Personal Data are bound by written confidentiality obligations and receive training on data protection. Access is granted on a least-privilege, need-to-know basis and removed promptly on role change or separation.
§08 Security measures
Acerti maintains technical and organisational measures appropriate to the risk, including:
- SSO, MFA, and zero-trust network access
- Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.2+)
- Endpoint hardening, full-disk encryption, EDR
- Logical separation of client data; least-privilege access
- Documented backup, business continuity, and disaster-recovery plans
- Annual third-party penetration testing
- Background checks on personnel with access to Personal Data
- Security awareness training on joining and annually
A current statement of measures is maintained in our Security overview.
§09 Sub-processors
The Client provides general authorisation for Acerti to engage Sub-processors in the categories listed in our Privacy Policy. Acerti will:
- Maintain a list of Sub-processors and make it available on request.
- Give the Client at least 30 days’ advance notice of any intended addition or replacement of a Sub-processor (by email to the address on file or via the engagement channel).
- Impose data-protection obligations on each Sub-processor that are no less protective than this DPA.
- Remain liable to the Client for the acts and omissions of its Sub-processors.
If the Client objects to a Sub-processor on reasonable data-protection grounds, the parties will work in good faith to find a workable solution; failing that, either party may terminate the affected services under the MSA termination provisions.
§10 International data transfers
Acerti is a US Delaware LLC with a consulting workforce in Mexico and other LATAM countries. Personal Data may be transferred to and processed in those locations.
- For transfers from the EEA, the parties incorporate the 2021 SCCs, Module Two (Controller to Processor) or Module Three (Processor to Processor) as applicable.
- For transfers from the UK, the parties incorporate the UK IDTA.
- For transfers from Switzerland, the 2021 SCCs apply with the FADP-specific adjustments published by the Swiss FDPIC.
- For transfers from Canada (PIPEDA / Quebec Law 25), Acerti applies contractual safeguards substantially equivalent to those above.
Acerti will not transfer Personal Data outside the jurisdictions reasonably required to deliver the services without the Client’s prior agreement.
§11 Assisting with Data Subject rights
Taking the nature of the processing into account, Acerti will assist the Client by appropriate technical and organisational measures, insofar as possible, to respond to Data Subject requests under applicable law — including access, rectification, erasure, restriction, portability, and objection.
Acerti will not respond to a Data Subject directly unless required by law; it will promptly forward such requests to the Client.
§12 Personal data breach
Acerti will notify the Client without undue delay, and in any event within 72 hours after becoming aware of a Personal Data Breach affecting the Client’s Personal Data. The notification will include, to the extent then known:
- Description of the breach and the categories of data and Data Subjects affected
- Likely consequences
- Measures taken or proposed to address the breach and mitigate harm
- The point of contact for further information at Acerti
Acerti will cooperate with the Client’s good-faith investigation and statutory notification obligations.
§13 Audits & inspections
Acerti will make available to the Client all information reasonably required to demonstrate compliance with this DPA.
The Client may exercise its audit right by:
- Reviewing Acerti’s certifications and most recent third-party audit reports (e.g. SOC 2, ISO 27001) under NDA, when available;
- Completing a standard security questionnaire (SIG, CAIQ);
- Once per twelve-month period, conducting an on-site or remote audit with at least 30 days’ written notice, during business hours, in a manner that does not disrupt operations and at the Client’s expense.
§14 Deletion or return of Personal Data
At the end of the services, Acerti will, at the Client’s choice, return all Personal Data to the Client or delete it from Acerti-managed systems, unless retention is required by law (in which case Acerti will protect the data and limit further processing).
Backups containing Personal Data will be purged on the applicable rotation cycle (no longer than 90 days).
§15 Liability
Each party’s liability under or in connection with this DPA is subject to the limitation of liability set out in the MSA. Nothing in this DPA excludes or limits liability that cannot be excluded or limited under applicable law.
§16 Term & order of precedence
This DPA takes effect on the Effective Date of the MSA and continues for the term of the MSA. In any conflict between this DPA and the MSA, this DPA controls with respect to the processing of Personal Data; in any conflict with the SCCs or UK IDTA, those clauses control.
§17 How to execute the DPA
Get the executable DPA
Email legal@acerti.com with your company name and the Acerti contact handling your engagement. We will return the standard DPA PDF pre-completed with the Annexes for your engagement, typically within one business day.
For procurement teams reviewing redlines ahead of signing, we accommodate reasonable changes that do not weaken the Data Subject protections in the underlying laws.