Effective date: August 15, 2025
This Data Processing Addendum ("DPA") forms part of any agreement between Growth Right Solutions, LLC ("GRS" or "Processor/Service Provider") and the client entity that executes an order, SOW, or master services agreement with GRS ("Customer" or "Controller/Business"). Capitalized terms not defined herein have the meanings in the Agreement.
1) Scope and Roles
(a) This DPA applies to GRS’s processing of Customer Data on behalf of Customer while providing the Services.
(b) Customer is the data controller/business and GRS is the data processor/service provider with respect to Customer Data.
2) Customer Instructions
GRS will process Customer Data only on documented instructions from Customer, including as described in the Agreement, this DPA, and any SOW. Customer is responsible for the lawfulness of its instructions and for providing required notices and consents to data subjects.
3) Confidentiality
GRS will ensure that individuals authorized to process Customer Data are subject to appropriate confidentiality obligations and receive appropriate data protection training.
4) Security
GRS will implement and maintain appropriate technical and organizational measures designed to protect Customer Data, as described in Annex II (Security Measures).
5) Subprocessors
Customer authorizes GRS to engage subprocessors as reasonably necessary to provide the Services, subject to obligations no less protective than those set out in this DPA. GRS will remain responsible for subprocessors’ performance. A current list of categories of subprocessors is provided in Annex III and may be updated. Upon request, GRS will provide an updated list.
6) Personal Data Breach Notification
GRS will notify Customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Data, and will provide information reasonably available to assist Customer in meeting its legal obligations.
7) Assistance
Taking into account the nature of processing, GRS will assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer’s obligations to respond to data subject requests and to comply with security, breach notifications, impact assessments, and consultations with supervisory authorities.
8) Audits and Reports
Upon reasonable advance notice and no more than once annually (unless required by a competent authority or following a material breach), Customer may conduct an audit of GRS’s compliance with this DPA, which may include review of available reports or questionnaires and, where reasonably necessary, an on‑site audit during normal business hours, subject to confidentiality and safety requirements.
9) Return or Deletion
Upon termination or expiration of the Services, GRS will, at Customer’s choice and subject to applicable law, delete or return Customer Data and delete existing copies within a commercially reasonable period, unless retention is required by law.
10) International Transfers
Where GRS processes Customer Data subject to EU/EEA, UK, or Swiss data protection laws and transfers such data outside those jurisdictions, the parties agree that the EU Standard Contractual Clauses (SCCs) – Controller‑to‑Processor (Module 2) and the UK IDTA/Addendum are incorporated by reference and will apply as set forth in Annex I(B). In case of conflict, the SCCs/UK Addendum prevail for the relevant processing.
11) CCPA/CPRA Service Provider
For Customer Data subject to U.S. state privacy laws (including CPRA), GRS will act as a service provider/processor and will not: (i) sell or share personal information; (ii) retain, use, or disclose personal information for any purpose other than to provide the Services and as permitted by law; or (iii) combine personal information with other data except as permitted for service provider purposes.
12) Liability
The parties’ aggregate liability under this DPA is subject to the limitations of liability in the Agreement.
13) Order of Precedence
If there is a conflict between this DPA and the Agreement, this DPA controls with respect to processing of Customer Data.
14) Miscellaneous
This DPA becomes effective upon execution of the Agreement or SOW that references it and remains in force for so long as GRS processes Customer Data on behalf of Customer.
Annex I — Details of Processing
A. Subject matter: Processing of Customer Data to provide consulting and AI automation advisory Services to Customer.
B. Duration: For the term of the Agreement and any data return/deletion period.
C. Nature and purpose: Implementing, configuring, advising on, and supporting AI and automation workflows; related analytics; communications; and support.
D. Types of personal data: Business contact details; user identifiers; communication metadata; usage and event data from systems integrated at Customer’s direction; limited content data as necessary for troubleshooting or implementation. Customer should avoid providing sensitive data unless expressly agreed in writing.
E. Categories of data subjects: Customer’s employees, contractors, users, prospects, and end‑customers (as determined by Customer).
F. Special categories: Not intended; if required, parties will execute additional safeguards.
G. Transfers: As described in §10.
Annex I(B) — International Transfers (SCC/UK)
Where applicable, Module 2 of the EU SCCs is incorporated. The data exporter is Customer; the data importer is GRS. Annex I(A) provides the description of transfer; Annex II sets out security measures; Annex III lists subprocessors. The governing law for SCCs is that of Ireland; the competent supervisory authority is determined by the Customer’s EEA establishment. For UK transfers, the UK Addendum applies with analogous selections. Copies are available upon request.
Annex II — Security Measures
GRS maintains administrative, technical, and physical safeguards appropriate to the risk, including:
Governance & Access Control: Role‑based access; least privilege; unique accounts; MFA for administrative access; regular access reviews.
Asset & Data Management: Inventory of systems; data classification; separation of environments; secure disposal.
Encryption: Encryption in transit (TLS) and at rest for managed platforms where supported; key management via reputable providers.
Secure Development & Change Management: Version control; change approvals; code scanning and dependency management; logging of changes.
Network & System Security: Firewalls/security groups; endpoint protection; vulnerability management and patching; DDoS protections provided by hosting/CDN providers.
Monitoring & Logging: Audit logging for administrative actions; alerting for anomalous activity; time‑synchronized logs retained for a reasonable period.
Business Continuity & Backups: Documented backup procedures for critical systems; periodic restoration tests.
Incident Response: Documented incident response plan with defined roles; breach notification workflow aligned to §6.
Personnel Security & Training: Confidentiality agreements; background checks where permitted; annual security and privacy training.
Vendor Management: Due diligence and contractual controls for subprocessors; periodic reviews.
Annex III — Subprocessor Categories (Illustrative)
GRS may use subprocessors in the following categories (providers may change over time):
Cloud hosting & infrastructure: e.g., AWS, Google Cloud Platform, Microsoft Azure.
Productivity & storage: e.g., Google Workspace/Drive, Microsoft 365.
CRM/communications: e.g., GoHighLevel (GHL), email/SMS providers.
Workflow orchestration/automation: e.g., n8n (cloud or self‑hosted), Zapier (if used by Customer instruction).
AI inference & content generation: e.g., OpenAI, Anthropic, Google AI, Azure OpenAI.
Analytics & logging: e.g., privacy‑respecting analytics and logging platforms.
Support & ticketing: e.g., help desk providers.
GRS will provide an updated list of specific subprocessors upon request or will publish the list at a URL designated by GRS.
Disclaimer:
These materials are provided for general informational purposes and to support your compliance planning. They are not legal advice. You should consult qualified counsel to adapt these documents to your specific operations, data flows, and jurisdictional requirements.