# DATA PROCESSING AGREEMENT
## Proscris Agency LLC
**Master Agreement for Digital Infrastructure, Automation & Marketing Services**
---
```
AGREEMENT REFERENCE: DPA-PROSCRIS-[YYYY]-[CLIENT-ID]
VERSION: 1.0
EFFECTIVE DATE: [DATE]
PREPARED BY: Proscris Agency LLC
GOVERNING LAW: State of New York, United States of America
```
---
**BETWEEN:**
**DATA CONTROLLER / CLIENT:**
```
Legal Business Name: _________________________________
Business Structure: _________________________________
Principal Address: _________________________________
_________________________________
State of Formation: _________________________________
Primary Contact Name: _________________________________
Primary Contact Title: _________________________________
Primary Contact Email: _________________________________
Primary Contact Phone: _________________________________
Website(s): _________________________________
(Hereinafter referred to as "Controller," "Client," or "You")
```
**AND:**
**DATA PROCESSOR / SERVICE PROVIDER:**
```
Legal Business Name: Proscris Agency LLC
Principal Address: Queens, New York, United States of America
Primary Contact Name: Robert Szopa
Primary Contact Title: Founder & Principal
Primary Contact Email: [agency contact email]
Website: proscris.com
(Hereinafter referred to as "Processor," "Agency," or "Proscris")
```
---
> **How to Read This Agreement:**
> This Data Processing Agreement (DPA) is the legal and operational foundation that governs how Proscris Agency handles data on your behalf. It defines who owns the data, who is responsible for it, where it goes, who can access it, and what happens to it when our engagement ends. It is not boilerplate β it describes the actual infrastructure, actual workflows, and actual data flows that govern our working relationship. Read it in full before signing. Keep it on file for the duration of our engagement and for six (6) years thereafter.
---
## PART ONE: FOUNDATIONS
---
### Article 1: Definitions
For the purposes of this Agreement, the following terms carry the meanings defined below. These definitions are consistent with applicable data protection law including the EU General Data Protection Regulation (GDPR) Regulation (EU) 2016/679, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and applicable US state privacy legislation in effect or coming into effect as of the date of this Agreement.
**1.1 "Personal Data"** means any information relating to an identified or identifiable natural person (a "Data Subject"). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
**1.2 "Processing"** means any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, making available, alignment, combination, restriction, erasure, or destruction.
**1.3 "Controller"** means the natural or legal person, public authority, agency, or other body that determines the purposes and means of processing Personal Data. Under this Agreement, the Client is the Controller.
**1.4 "Processor"** means the natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of the Controller. Under this Agreement, Proscris Agency LLC is the Processor.
**1.5 "Data Subject"** means any identified or identifiable natural person whose Personal Data is processed under this Agreement, including but not limited to the Client's customers, leads, prospects, patients, subscribers, and website visitors.
**1.6 "Sub-Processor"** means any Processor engaged by the Processor to process Personal Data on behalf of the Controller. Sub-Processors used by Proscris Agency are listed in Schedule C of this Agreement.
**1.7 "Personal Data Breach"** means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
**1.8 "Data Processing Agreement" or "DPA"** means this document in its entirety, including all Schedules, Exhibits, and Addenda attached hereto.
**1.9 "Services"** means the digital infrastructure, automation, marketing, and technical services provided by Proscris Agency to the Client as described in the governing Master Services Agreement or Statement of Work entered into between the parties.
**1.10 "Applicable Data Protection Law"** means all laws, regulations, and regulatory guidance applicable to the Processing of Personal Data under this Agreement, including without limitation: GDPR, CCPA/CPRA, and any US federal or state data protection legislation in effect or enacted during the term of this Agreement.
**1.11 "Custodian of Records"** means the designated individual within an organization who is formally responsible for the integrity, accuracy, accessibility, security, and compliant disposition of that organization's data records.
**1.12 "Chain of Custody"** means the documented, chronological, and unbroken record of the handling, transfer, modification, and disposition of data from the point of its collection through its final storage, use, transmission, and destruction.
**1.13 "Data Map"** means the structured document that identifies every category of Personal Data processed, the source and method of collection, the systems in which it is stored, the parties to whom it is transmitted, the legal basis for processing, the retention period, and the deletion procedure.
**1.14 "Stack"** or **"Technical Stack"** means the specific combination of infrastructure, software, platforms, and automation tools used by Proscris Agency to deliver the Services, as documented in Schedule B of this Agreement.
**1.15 "Signal Filtering"** means the technical process by which Personal Data is evaluated against an explicit allowlist prior to transmission to any third-party platform, ensuring that only permitted, minimized, and where applicable pseudonymized or hashed data is transmitted.
**1.16 "Engagement Term"** means the period during which Proscris Agency is actively delivering Services to the Client under a current Master Services Agreement or Statement of Work.
---
### Article 2: Purpose, Scope, and Nature of Processing
**2.1 Purpose of This Agreement**
This Agreement governs all Processing of Personal Data carried out by Proscris Agency in the course of delivering Services to the Client. It establishes the legal framework, operational protocols, technical safeguards, accountability structures, and data subject rights mechanisms that govern the relationship between the parties with respect to Personal Data.
**2.2 Nature of Processing**
Proscris Agency processes Personal Data on behalf of the Client for the following categories of purposes:
```
(a) Digital Infrastructure Operation
Design, deployment, configuration, and management of the Client's
website, hosting environment, and technical systems.
(b) Marketing Automation
Operation of automated workflows that collect, route, format,
and act upon lead and customer data submitted through the
Client's digital properties.
(c) Customer Relationship Management
Structuring, populating, and maintaining CRM databases containing
contact and interaction records for the Client's leads and customers.
(d) Advertising Signal Transmission
Transmitting filtered, minimized, pseudonymized conversion signals
to advertising platforms for campaign attribution and optimization
purposes, using server-side APIs exclusively.
(e) Email Communication Infrastructure
Configuration and operation of email delivery systems for
operational, transactional, and marketing communications
sent by or on behalf of the Client.
(f) Analytics and Reporting
Where applicable and only under appropriate legal basis and
Data Processing Agreement, operation of privacy-respecting
analytics tools to provide the Client with traffic and
conversion performance data.
(g) Security and Compliance Operations
Implementation and monitoring of technical safeguards,
access controls, audit logging, and backup systems that
protect Personal Data processed under this Agreement.
```
**2.3 Categories of Data Subjects**
Personal Data processed under this Agreement may relate to the following categories of Data Subjects:
```
β Website visitors (anonymous and identified)
β Prospective customers / leads who submit inquiry forms
β Existing customers and clients of the Controller
β Email subscribers and marketing contacts
β Appointment contacts and scheduling inquiries
β Any additional category of Data Subject identified in Schedule A
```
**2.4 Categories of Personal Data**
The categories of Personal Data processed under this Agreement include:
```
CONTACT IDENTIFIERS:
First name, last name, email address, telephone number,
mailing address (where collected)
COMMUNICATION DATA:
Content of inquiry and contact form submissions,
message threads, appointment notes
BEHAVIORAL AND ATTRIBUTION DATA:
Website pages visited, time of visit, referral source,
UTM campaign parameters, device type, browser type,
geographic region (derived from IP address)
TRANSACTIONAL DATA:
Purchase history, invoice records, payment confirmation
references (where applicable β no payment card data is
stored in systems operated by Proscris Agency)
CONSENT RECORDS:
Timestamp and mechanism of consent provided at form submission,
opt-in records, opt-out requests and their processing
Any additional category of Personal Data specified in Schedule A
```
**2.5 Sensitive Categories**
Proscris Agency does not, as a default matter, process Special Categories of Personal Data (as defined under GDPR Article 9) including data concerning health, race, religion, political opinions, biometric data, or sexual orientation.
Where the Client operates in a sector where such data may be incidentally disclosed by Data Subjects (for example, a health and wellness practice where a prospective client may volunteer health information in a free-text form field), the parties shall execute a separate addendum to this Agreement specifying the additional safeguards applicable to such data. No Special Category data shall be transmitted to any advertising platform, analytics platform, or Sub-Processor under any circumstances.
---
### Article 3: Roles, Responsibilities, and the Custodian of Records
**3.1 Controller Responsibilities**
The Client, as Controller, retains full responsibility for:
```
(a) Determining the purposes for which Personal Data is collected
from Data Subjects and ensuring those purposes are lawful
(b) Providing Data Subjects with a compliant privacy notice at
or before the point of data collection
(c) Establishing and maintaining a lawful basis for each
category of Processing under Applicable Data Protection Law
(d) Responding to Data Subject rights requests (access,
rectification, erasure, portability, objection) within
legally required timeframes
(e) Maintaining a current and accurate privacy policy on the
Client's website that reflects actual data practices
(f) Notifying Data Subjects and regulators of any Personal Data
Breach in accordance with Applicable Data Protection Law
(g) Ensuring that any instructions provided to Proscris Agency
regarding the Processing of Personal Data are lawful
(h) Designating a Custodian of Records for the Client's
organization (see Article 3.3)
```
**3.2 Processor Responsibilities**
Proscris Agency, as Processor, is responsible for:
```
(a) Processing Personal Data only on documented instructions
from the Controller, unless required to do otherwise by law
(b) Implementing and maintaining appropriate technical and
organizational security measures as described in Article 7
(c) Ensuring that all personnel with access to Personal Data
are bound by appropriate confidentiality obligations and
have received data protection training
(d) Engaging Sub-Processors only from the approved list in
Schedule C, or with prior written consent of the Controller
(e) Assisting the Controller in fulfilling Data Subject rights
requests, including providing technical access to records
where necessary
(f) Notifying the Controller within twenty-four (24) hours of
discovering a suspected or confirmed Personal Data Breach
(g) Maintaining complete and current documentation of all
Processing activities carried out under this Agreement
(h) Returning or deleting all Personal Data upon termination
of the Engagement Term, per the procedure in Article 11
(i) Maintaining this Agreement and its Schedules as a living
document, updated to reflect any changes in the Stack,
Sub-Processors, or Processing activities
```
**3.3 Custodian of Records β Designation and Obligations**
**3.3.1** Both parties shall designate a named Custodian of Records. The Custodian is the individual formally accountable for the integrity, security, accessibility, and compliant management of records and data within their respective organization.
**Client Custodian of Records:**
```
Name: _________________________________
Title: _________________________________
Email: _________________________________
Phone: _________________________________
Designated: [Date]
```
**Proscris Agency Custodian of Records:**
```
Name: Robert Szopa
Title: Founder & Principal, Proscris Agency LLC
Email: [agency email]
Phone: [agency phone]
Designated: Upon execution of this Agreement
```
**3.3.2** The Custodian of Records for each party shall be responsible for:
```
(a) INVENTORY ACCOUNTABILITY
Knowing where every category of data subject to this Agreement
is stored, in what system, under what agreement, and accessible
by whom.
(b) CHAIN OF CUSTODY INTEGRITY
Ensuring that every transfer, modification, and transmission of
Personal Data processed under this Agreement is documented and
traceable. No data shall move between systems outside of
documented, approved workflows.
(c) ACCESS OVERSIGHT
Maintaining current knowledge of which individuals have access
to Personal Data, at what permission level, and on what basis.
Reviewing access quarterly. Initiating access revocation within
one (1) hour of any team member's departure or role change that
removes the need for access.
(d) RETENTION ENFORCEMENT
Ensuring that Personal Data is not retained beyond the periods
defined in Schedule A, and that deletion procedures are executed
and documented on schedule.
(e) INCIDENT STEWARDSHIP
Receiving internal reports of potential data incidents,
evaluating their severity, and initiating the breach response
protocol defined in Article 9.
(f) DOCUMENTATION MAINTENANCE
Maintaining current versions of the Data Map (Schedule A),
Sub-Processor list (Schedule C), and any compliance records
generated under this Agreement.
(g) TESTIFYING CAPABILITY
Being prepared to provide factual testimony β in legal
proceedings, regulatory inquiries, or audit processes β
regarding the handling of records under this Agreement.
The Custodian must be able to attest that records are what
they claim to be, have not been altered, and were maintained
in the ordinary course of business.
```
**3.3.3 Custodian Succession:** If the designated Custodian of Records for either party becomes unavailable due to departure, incapacity, or role change, a successor Custodian shall be designated and documented within five (5) business days. The outgoing Custodian's records, documentation, and access credentials shall be formally transferred to the successor before access is revoked.
---
### Article 4: Instructions for Processing
**4.1** Proscris Agency shall process Personal Data only on the documented instructions of the Controller. The Master Services Agreement, Statement of Work, project briefs, and this Data Processing Agreement together constitute the Controller's documented instructions.
**4.2** If Proscris Agency believes that a specific instruction from the Controller would violate Applicable Data Protection Law, Proscris Agency shall immediately notify the Controller in writing. Proscris Agency is not obligated to execute an instruction that would place either party in violation of law.
**4.3** Proscris Agency shall not use Personal Data processed under this Agreement for any purpose other than the delivery of Services to the Client. Specifically, Proscris Agency shall not:
```
(a) Use Client data for Proscris Agency's own marketing purposes
(b) Aggregate Client data with data from other clients
(c) Sell, rent, or otherwise transfer Personal Data to any
third party for commercial consideration
(d) Use Personal Data to build models, profiles, or datasets
for use outside the scope of the Client's engagement
(e) Share Personal Data with any party not listed in Schedule C
without prior written consent of the Controller
```
---
## PART TWO: CHAIN OF CUSTODY AND DATA FLOWS
---
### Article 5: The Chain of Custody Framework
**5.1 The Documented Chain**
Every piece of Personal Data processed under this Agreement shall have a documented chain of custody. The chain of custody is not a post-hoc record β it is a real-time, system-generated audit trail that accompanies data from its point of collection through every system it traverses to its final disposition.
**5.2 Chain of Custody Documentation Standards**
For every transfer or transformation of Personal Data within the systems operated by Proscris Agency, the following shall be recorded:
```
β TIMESTAMP: The exact date and time of the action (ISO 8601 format)
β ACTION: What was done (collected, formatted, stored, transmitted, deleted)
β ACTOR: Which system or individual performed the action
β SOURCE: Where the data came from
β DESTINATION: Where the data went
β STATUS: Success or failure, with error details if applicable
β DATA SCOPE: Which categories of data were involved
```
**5.3 The Standard Data Journey β From Collection to Storage**
The following describes the standard data flow for Personal Data collected through a Proscris-operated contact or lead form. This flow is implemented consistently across client engagements and represents the default architecture:
```
STEP 1: DATA COLLECTION (Browser β HTTPS β Webhook)
The Data Subject completes and submits a form on the Client's website.
The form is built as a custom HTML element β no third-party form
platform processes the submission. The form sends an HTTPS POST request
directly to a self-hosted automation webhook endpoint.
The Client's web server (hosting the WordPress or other CMS installation)
does NOT receive, store, or process the form data. The website is a
display layer only. Form data bypasses the web server entirely.
Data in transit is encrypted via TLS 1.2 or 1.3 minimum.
The webhook endpoint is authenticated via a shared secret header
(X-Form-Secret) to prevent unauthorized submissions.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
CUSTODY AT THIS POINT: In transit β encrypted, authenticated
RESPONSIBLE PARTY: Proscris Agency (webhook operator)
DATA PRESENT: All form fields + UTM parameters + submission timestamp
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
STEP 2: INTAKE AND PROCESSING (Automation Engine)
The webhook payload is received by the self-hosted automation engine
(n8n, self-hosted on Google Cloud Platform infrastructure).
The automation engine validates the submission, formats the data,
generates a unique internal identifier (Lead ID), and routes the
data to its designated destinations.
This is where the chain of custody splits into parallel branches β
each branch documented and auditable independently.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
CUSTODY AT THIS POINT: Automation engine β self-hosted, controlled
RESPONSIBLE PARTY: Proscris Agency (automation operator)
SYSTEM: n8n (self-hosted on GCP) β see Schedule B
DATA PRESENT: Full formatted payload including all form fields
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
STEP 3A: CRM STORAGE (Google Sheets / CRM Database)
The formatted lead record is appended as a new row in the Client's
Google Sheets CRM database. This database is owned by the Client's
designated system account (e.g., system@[clientdomain].com) within
Google Workspace. Access is limited to named individuals per the
access table in Schedule D.
The Google Workspace platform is governed by Google's Data Processing
Agreement (for commercial accounts) or HIPAA Business Associate
Agreement (for healthcare clients). Google is a listed Sub-Processor
in Schedule C.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
CUSTODY AT THIS POINT: CRM database β Client-owned Google Workspace
RESPONSIBLE PARTY: Controller (data owner) / Processor (technical operator)
SYSTEM: Google Sheets (Google Workspace) β see Schedule B
DATA PRESENT: Full lead record including contact information
ACCESS: Named individuals per Schedule D only
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
STEP 3B: TEAM NOTIFICATION (Email)
An automated email notification is sent to designated team members
alerting them to the new submission. This email is sent via the
Client's Google Workspace Gmail account (system@[clientdomain].com)
to named internal recipients only.
The notification email contains contact data necessary for follow-up.
It is transmitted and stored within the Google Workspace environment
which is covered by the signed DPA/BAA with Google.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
CUSTODY AT THIS POINT: Google Workspace email environment
RESPONSIBLE PARTY: Processor (automation operator)
SYSTEM: Gmail (Google Workspace) β see Schedule B
DATA PRESENT: Contact information and submission details
RECIPIENTS: Named internal team members only
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
STEP 3C: LEAD ACKNOWLEDGMENT (Auto-Confirmation Email)
An automated confirmation email is sent to the Data Subject's
provided email address acknowledging receipt of their submission.
This email contains no sensitive or health-related content β
it is a neutral operational acknowledgment only.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
CUSTODY AT THIS POINT: In transit to Data Subject
RESPONSIBLE PARTY: Processor (automation operator)
SYSTEM: Gmail (Google Workspace) β see Schedule B
DATA PRESENT: Data Subject's first name and contact reference only
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
STEP 3D: ADVERTISING SIGNAL TRANSMISSION (Filtered β Server-Side Only)
A conversion signal is transmitted to the advertising platform
via server-side API (e.g., Meta Conversions API). This signal
is processed through the Signal Filter defined in Article 6
before transmission. The advertising platform NEVER receives
plaintext Personal Data under this architecture.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
CUSTODY AT THIS POINT: Signal filtered β partially exits controlled
environment to advertising platform
RESPONSIBLE PARTY: Processor (signal filter operator)
SYSTEM: n8n β Meta Conversions API (or equivalent) β see Schedule B
DATA PRESENT: Hashed identifiers + attribution metadata ONLY
(Full data blocked by Signal Filter β see Article 6)
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
STEP 4: AUDIT LOG ENTRY (Activity Logging)
Every action taken in Steps 2, 3A, 3B, 3C, and 3D generates an
entry in the Activity Log β a dedicated tab in the Client's
Google Sheets CRM. Each entry records: timestamp, Lead ID,
action taken, system involved, status (success/failure), and
any relevant error codes.
This log constitutes the real-time chain of custody record for
every submission processed under this Agreement.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
CUSTODY AT THIS POINT: Audit log β Client-owned Google Workspace
RESPONSIBLE PARTY: Processor (log operator)
SYSTEM: Google Sheets β Activity Log tab β see Schedule B
DATA PRESENT: Operational metadata β no sensitive content
RETENTION: Same as primary data β per retention schedule in Schedule A
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
```
**5.4 Chain of Custody Integrity Obligations**
```
(a) No Personal Data shall be moved between systems outside of
documented, auditable workflows without prior written
approval from the Controller.
(b) No new system shall be added to the data flow without:
(i) Evaluation against the criteria in Article 8.2
(ii) Execution of a Data Processing Agreement or equivalent
with the new system's operator
(iii) Addition to Schedule C (Sub-Processor list)
(iv) Update to Schedule B (Stack documentation)
(v) Written notification to the Controller
(c) All chain of custody records shall be retained for a minimum
of six (6) years from the date of creation, consistent with
HIPAA record retention standards (applied universally as
the most stringent benchmark) and applicable data protection law.
(d) The chain of custody shall be producible β in full, unaltered,
and with authenticated timestamps β within five (5) business
days of any regulatory inquiry, legal request, or audit.
```
---
### Article 6: Signal Filtering β The Data Minimization Protocol
**6.1 The Principle**
Data minimization is a foundational requirement of GDPR (Article 5(1)(c)), a recognized principle under CCPA/CPRA, and the defining standard of the most demanding data protection frameworks in operation today. Applied to advertising signal transmission, data minimization means sending advertising platforms only what they need to attribute a conversion and optimize a campaign β nothing more.
The default behavior of browser-side advertising pixels violates this principle. Browser-side pixels are designed to transmit maximum data β IP addresses, browser fingerprints, page URLs, page titles, behavioral sequences, and where enabled, plaintext PII via Advanced Matching β to the advertising platform's servers, automatically, on every page load, without deliberate authorization for each transmission.
The Proscris Signal Filtering architecture replaces this model entirely.
**6.2 Signal Filtering Architecture**
All advertising conversion signals transmitted under this Agreement shall be sent exclusively via server-side API. No browser-side advertising pixel shall be placed on Client websites for the purpose of conversion tracking. The following architecture governs all advertising signal transmission:
```
SIGNAL RECEIPT:
The automation engine (n8n) receives the conversion event
(form submission, purchase confirmation, or equivalent) from
the workflow that processes it.
FILTER EVALUATION β EXPLICIT ALLOWLIST:
The Signal Filter evaluates every field in the event payload
against an explicit allowlist. The allowlist defines, field
by field, what is permitted to pass to the advertising platform.
Any field not on the allowlist is blocked, regardless of content.
The allowlist is documented in code, with comments, and constitutes
a permanent, auditable record of every data minimization decision
made for this Client's advertising signals.
FIELDS PERMITTED BY THE SIGNAL FILTER:
β
event_name β Generic conversion type (e.g., "Lead", "Purchase")
Never a description of health status, condition,
or sensitive service context
β
event_time β Unix timestamp of the conversion event
β
event_id β Internal unique identifier for deduplication
β
action_source β "website" (required by advertising platform)
β
em (hashed) β Email address, SHA-256 hashed before transmission
Platform receives hash β never plaintext email
β
ph (hashed) β Phone number, SHA-256 hashed before transmission
Platform receives hash β never plaintext phone
β
lead_source β UTM source parameter (attribution metadata)
β
lead_campaign β UTM campaign parameter (attribution metadata)
FIELDS BLOCKED BY THE SIGNAL FILTER (with documented reason):
β Full name β Personal identifier β not required for optimization
β Raw email β Plaintext PII β hashed version transmitted instead
β Raw phone β Plaintext PII β hashed version transmitted instead
β Message content β Free-text field β may contain sensitive disclosures
β Source URL β May contain sensitive service or condition context
β Page title β May contain sensitive service or condition context
β IP address β Personal identifier β not transmitted server-side
β Inquiry type β May reference sensitive service categories
β Any free-text fieldβ Uncontrolled content β never transmitted
β Any field not on β Default position is blocked, not permitted
the explicit
allowlist above
```
**6.3 Hashing Standards**
All Personal Data transmitted to advertising platforms under this Agreement shall be hashed using SHA-256 (Secure Hash Algorithm 256-bit) prior to transmission. Hashing is performed within the automation engine (n8n) on infrastructure controlled by Proscris Agency, before any data leaves the controlled environment. The advertising platform receives only the hashed value β which cannot be reverse-engineered to recover the original data β and uses it for audience matching within its own infrastructure.
**6.4 The Signal Filter as Compliance Documentation**
The code that implements the Signal Filter β including the documented allowlist and the commented explanation of every blocked field β is maintained as a permanent component of the Client's compliance documentation. It constitutes evidence that:
```
(a) The decision about what data reaches the advertising platform
was deliberate, documented, and authorized
(b) Data minimization was applied at the field level, with
specific rationale for each decision
(c) Plaintext PII was never transmitted to advertising platforms
under the Client's infrastructure as operated by Proscris Agency
(d) The architecture was designed to comply with GDPR Article 5
(data minimization), CCPA Section 1798.100 (proportionality),
and applicable advertising platform data policies
```
**6.5 PageView Signals**
Where PageView signals are transmitted to advertising platforms for campaign measurement purposes, such signals shall be transmitted via server-side mechanisms only. PageView signals shall contain: event timestamp, UTM parameters present in the URL at time of visit, and no user-identifying data. No IP address, no name, no email, no phone, and no health or service condition context shall be included in PageView signals.
---
## PART THREE: LEGAL BASIS, CONSENT, AND DATA SUBJECT RIGHTS
---
### Article 7: Lawful Basis for Processing
**7.1** The Controller is responsible for establishing and documenting a lawful basis for each category of Processing under Applicable Data Protection Law. The lawful bases available under GDPR (Article 6) and their corresponding application in standard Proscris client engagements are:
| Processing Purpose | Typical Lawful Basis | Notes |
|---|---|---|
| Responding to form inquiries | Consent (explicit at submission) | Consent checkbox required at form |
| Sending auto-confirmation emails | Legitimate Interests / Contract Performance | Operational necessity β notification of receipt |
| Maintaining CRM records | Contract Performance / Legitimate Interests | For ongoing client relationship management |
| Sending marketing communications | Consent | Separate opt-in required β distinct from inquiry consent |
| Advertising signal transmission | Legitimate Interests (filtered, minimized signals) | Documented as proportionate under LIA |
| Security and audit logging | Legitimate Interests / Legal Obligation | Necessary for security and compliance |
| Backup and data recovery | Legitimate Interests / Legal Obligation | Necessary for business continuity |
**7.2 Consent Mechanism Standards**
Where consent is the designated lawful basis for Processing, the consent mechanism shall meet the following minimum standards:
```
(a) FREELY GIVEN: Consent is not bundled with terms of service
or conditioned on receiving a service. A separate, distinct
consent action is required.
(b) SPECIFIC: The consent references the specific purpose for
which data will be used. Generic "I agree to your privacy
policy" consent is not sufficient.
(c) INFORMED: The consent mechanism links to the current,
accurate privacy policy. Data Subjects can review what
they are consenting to before consenting.
(d) UNAMBIGUOUS: Consent is obtained via an affirmative action
(ticking an unticked checkbox). Pre-ticked boxes,
implied consent through site use, or silence do not
constitute valid consent.
(e) DOCUMENTED: Timestamp of consent, mechanism of consent,
and version of privacy policy displayed at time of consent
shall be recorded and retained.
(f) WITHDRAWABLE: Data Subjects shall be informed of their
right to withdraw consent. Withdrawal shall be as easy
as giving consent.
```
---
### Article 8: Data Subject Rights
**8.1** The Controller is the primary party responsible for responding to Data Subject rights requests. Proscris Agency shall provide reasonable technical assistance to the Controller in fulfilling such requests within the timeframes required by Applicable Data Protection Law.
**8.2 Rights Under GDPR (applicable to EU/UK Data Subjects):**
| Right | Description | Proscris Obligation | Response Timeframe |
|---|---|---|---|
| **Right of Access** | Data Subject may request confirmation of processing and a copy of their data | Provide technical export of all records for the relevant Data Subject within 5 business days of Controller request | 30 days (Controller to Data Subject) |
| **Right to Rectification** | Data Subject may request correction of inaccurate data | Update records in all controlled systems within 5 business days | 30 days |
| **Right to Erasure** | Data Subject may request deletion of their data | Delete records from all controlled systems, document deletion, confirm to Controller within 10 business days | 30 days |
| **Right to Restriction** | Data Subject may request restriction of processing while a dispute is resolved | Flag records as restricted in CRM, suspend automation workflows for that record | 30 days |
| **Right to Portability** | Data Subject may request their data in a machine-readable format | Export records in CSV format from Google Sheets CRM within 5 business days | 30 days |
| **Right to Object** | Data Subject may object to processing based on legitimate interests | Assess and cease processing where objection is valid; document decision | 30 days |
**8.3 Rights Under CCPA/CPRA (applicable to California residents):**
| Right | Description | Response Timeframe |
|---|---|---|
| **Right to Know** | Know what personal information is collected and how it is used | 45 days (extendable to 90 days with notice) |
| **Right to Delete** | Request deletion of personal information | 45 days |
| **Right to Correct** | Request correction of inaccurate personal information | 45 days |
| **Right to Opt-Out of Sale/Sharing** | Opt out of sale or sharing of personal information | Immediately upon valid request |
| **Right to Limit Use of Sensitive PI** | Limit use of sensitive personal information to necessary purposes | Immediately upon valid request |
| **Right to Non-Discrimination** | Cannot be denied service for exercising privacy rights | Ongoing obligation |
**8.4** Proscris Agency shall not sell, share for cross-context behavioral advertising purposes, or otherwise transfer Personal Data to any third party in a manner that would constitute a "sale" or "sharing" under CCPA/CPRA without explicit prior written authorization from the Controller and, where required, the relevant Data Subjects.
---
## PART FOUR: TECHNICAL AND ORGANIZATIONAL SAFEGUARDS
---
### Article 9: Security Measures
**9.1 General Standard**
Proscris Agency shall implement and maintain technical and organizational measures appropriate to the risk presented by the Processing activities under this Agreement. These measures shall account for the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons.
**9.2 Technical Safeguards Implemented**
```
ENCRYPTION IN TRANSIT:
All data transmitted between systems operated by Proscris Agency
uses TLS 1.2 minimum, TLS 1.3 preferred. No plaintext transmission
of Personal Data is permitted at any point in the data flow.
ENCRYPTION AT REST:
All databases and storage volumes containing Personal Data are
encrypted at rest using AES-256 or equivalent. This includes:
β Google Cloud SQL database instances (GCP-managed encryption)
β Google Cloud Storage buckets (GCP-managed encryption)
β n8n PostgreSQL database (host-level encryption)
β Google Workspace (Google-managed encryption at rest)
AUTHENTICATION:
Multi-factor authentication (MFA) is required for every account
that has access to systems containing Personal Data. This includes:
β Google Workspace accounts
β Google Cloud Platform Console access
β n8n administration interface
β WordPress administration interface
β Any other system in the Stack listed in Schedule B
Password requirements minimum:
β 16 characters minimum
β Combination of uppercase, lowercase, numbers, and symbols
β Unique per service (no password reuse)
β Stored in a dedicated credential manager β never in plaintext documents
ACCESS CONTROL:
Access to systems containing Personal Data is limited to named
individuals whose roles require such access. Access permissions
follow the principle of least privilege β no individual has more
access than their role requires. Access is reviewed quarterly
and revoked within one (1) hour of a team member's departure
or role change.
NETWORK SECURITY:
β SSH access to server infrastructure via Identity-Aware Proxy (IAP)
tunneling only β no public SSH ports exposed
β Web Application Firewall (WAF) deployed at CDN/DNS layer
(Cloudflare) and at infrastructure layer (Google Cloud Armor)
β DDoS protection active at CDN layer
β Rate limiting on all webhook and form endpoints
LOGGING AND MONITORING:
β All administrative actions logged with tamper-evident timestamps
β Server access logs retained for minimum six (6) years
β n8n execution logs retained for minimum ninety (90) days
in hot storage, archived to Google Cloud Storage thereafter
for six (6) years minimum
β Failed authentication attempts logged and alerted
β Anomalous access patterns generate automated alerts
BACKUP AND RECOVERY:
β Automated daily backups of all systems containing Personal Data
β Backups stored in Google Cloud Storage (GCP BAA covered for
healthcare clients; DPA covered for all clients)
β Backup restoration tested quarterly
β Recovery Time Objective (RTO): 24 hours
β Recovery Point Objective (RPO): 24 hours (maximum 1 day data loss)
PATCH MANAGEMENT:
β Operating system security patches applied within 30 days
of release; critical patches within 72 hours
β WordPress core and plugin updates applied within 14 days
of release for security updates; major updates scheduled quarterly
β Docker/n8n container updates applied monthly or immediately
upon security advisory
```
**9.3 Organizational Safeguards Implemented**
```
DATA PROTECTION TRAINING:
All Proscris Agency personnel with access to systems containing
Personal Data processed under this Agreement receive data
protection training before access is granted. Training covers:
β Applicable data protection law and principles
β Confidentiality obligations
β Security procedures and credential management
β Breach identification and reporting procedures
β Data Subject rights and how to support them
Training is refreshed annually. Records are retained.
CONFIDENTIALITY OBLIGATIONS:
All personnel and contractors who may access Personal Data
are bound by written confidentiality obligations that survive
termination of their engagement with Proscris Agency.
ACCESS REVOCATION:
Access to all systems containing Client Personal Data is
revoked within one (1) hour of any team member's departure
from Proscris Agency or removal from a Client's project.
Revocations are documented in the access revocation log.
VENDOR EVALUATION:
No new Sub-Processor is added to the Stack without evaluation
against the five criteria in Article 10.2. No Sub-Processor
processes Personal Data without a signed Data Processing
Agreement or equivalent legal mechanism.
```
---
### Article 10: Sub-Processors
**10.1 Authorization**
The Controller authorizes Proscris Agency to engage the Sub-Processors listed in Schedule C of this Agreement to assist in the delivery of Services. Proscris Agency shall ensure that each Sub-Processor is bound by a Data Processing Agreement (or equivalent legal mechanism) imposing data protection obligations materially equivalent to those in this Agreement.
**10.2 Sub-Processor Evaluation Criteria**
Before engaging any Sub-Processor (whether listed in Schedule C or proposed as an addition), Proscris Agency evaluates the vendor against the following criteria:
```
CRITERION 1 β DATA PROCESSING AGREEMENT AVAILABILITY
Does the vendor sign a Data Processing Agreement?
For healthcare clients: Does the vendor sign a Business Associate Agreement?
β If No to either applicable question: the vendor is not used for
any purpose involving Personal Data. No exceptions.
CRITERION 2 β DATA DESTINATION TRANSPARENCY
Where does the data processed by this vendor actually go?
Does the vendor's own infrastructure send it to other parties?
Are those sub-sub-processors identified and governed by agreements?
β Vendors with opaque sub-processor chains are rejected.
CRITERION 3 β DATA MINIMIZATION CAPABILITY
Can the vendor be configured to collect less than the default?
Can data be hashed, pseudonymized, or minimized before it reaches
this vendor?
β Vendors that require maximum data collection with no configuration
options are rejected or used in a minimized capacity only.
CRITERION 4 β DATA PORTABILITY AND DELETION
Can all data be exported in a portable format?
Is there a documented, enforceable deletion process?
β Vendors that do not commit to deletion timelines are rejected.
CRITERION 5 β JURISDICTION AND DATA RESIDENCY
Where does this vendor store and process data?
For EU Data Subjects: Are appropriate transfer mechanisms in place
(Standard Contractual Clauses, adequacy decision)?
β Vendors without documented, adequate transfer mechanisms for
cross-border data flows are not used for cross-border Personal Data.
```
**10.3 Sub-Processor Change Notification**
Proscris Agency shall provide the Controller with a minimum of fourteen (14) days' written notice before adding or replacing a Sub-Processor. The Controller may object to a proposed Sub-Processor change within that fourteen (14) day period. If the Controller objects and the parties cannot reach agreement, the Controller may terminate this Agreement without penalty with respect to the affected Services.
---
## PART FIVE: INCIDENT RESPONSE AND BREACH NOTIFICATION
---
### Article 11: Personal Data Breach Response
**11.1 Detection and Internal Notification**
Upon discovering a confirmed or suspected Personal Data Breach involving data processed under this Agreement, Proscris Agency shall:
```
WITHIN 1 HOUR:
β Assign a named Incident Manager (Custodian of Records or designee)
β Attempt to contain the breach: isolate affected systems,
revoke compromised credentials, stop ongoing exposure
β Preserve all evidence: do NOT delete logs, do NOT wipe
affected systems without documented authorization
β Begin written incident log
WITHIN 24 HOURS:
β Notify the Controller's designated contact in writing
β Provide initial written incident report including:
(a) Nature of the breach (what happened)
(b) Categories and approximate volume of Personal Data involved
(c) Categories of Data Subjects affected
(d) Likely consequences of the breach
(e) Measures taken or proposed to address the breach
(f) Proscris Agency incident contact for ongoing communication
```
**11.2 Controller's Downstream Obligations**
Upon receiving Proscris Agency's breach notification, the Controller carries the following regulatory obligations (Proscris Agency provides technical support but the Controller is responsible for execution):
```
UNDER GDPR:
β Notify the relevant supervisory authority within 72 hours
of becoming aware of the breach (Article 33)
β Notify affected Data Subjects without undue delay where the
breach is likely to result in high risk to their rights and
freedoms (Article 34)
UNDER CCPA/CPRA:
β Notify affected California residents in the most expedient
time possible and without unreasonable delay
UNDER HIPAA (healthcare clients only):
β Notify affected individuals within 60 days
β Notify HHS β annually for breaches affecting fewer than 500;
within 60 days for breaches affecting 500 or more in a state
β Notify prominent media for breaches affecting 500 or more
in a single state
```
**11.3 Incident Documentation**
Proscris Agency shall maintain a written record of every suspected or confirmed Personal Data Breach, including:
```
β Date and time of discovery
β Date and time of containment
β Description of the breach
β Systems affected
β Data categories involved
β Volume of records affected
β Data Subjects affected (where identifiable)
β Containment measures taken
β Remediation measures implemented
β Notifications sent (to Controller, regulators, Data Subjects)
β Final disposition and lessons learned
```
All breach documentation shall be retained for a minimum of six (6) years.
**11.4 The Four-Factor Risk Assessment**
Where a potential breach is identified, Proscris Agency shall conduct a documented four-factor risk assessment to determine whether the incident constitutes a reportable breach:
```
FACTOR 1: Nature and extent of Personal Data involved
β What categories of data? (contact data vs. sensitive data)
β How many records?
β What identifiers were exposed?
FACTOR 2: Who accessed or may have accessed the data
β Was the recipient an authorized party who received it erroneously?
β Was it an unauthorized external party?
β Is the recipient identifiable?
FACTOR 3: Whether the data was actually acquired or viewed
β Is there evidence the data was accessed?
β Was access logged?
β Can access be confirmed or excluded?
FACTOR 4: Extent to which risk has been mitigated
β Was the data encrypted?
β Has it been recovered?
β Can the recipient be bound to confidentiality?
PRESUMPTION: Any impermissible disclosure is presumed to be a
reportable breach unless the four-factor assessment demonstrates
a low probability of compromise. This is the most conservative
standard and is applied universally.
```
---
## PART SIX: RETENTION, DELETION, AND TERMINATION
---
### Article 12: Data Retention and Deletion
**12.1 Retention Principle**
Personal Data shall not be retained beyond the period necessary for the purposes for which it was collected, or as required by Applicable Data Protection Law or legitimate legal hold obligations. Indefinite retention is not a permitted default.
**12.2 Standard Retention Schedules**
The following default retention schedules apply. Specific retention periods for this Client are documented in Schedule A.
| Data Category | Standard Retention Period | Basis |
|---|---|---|
| Lead / inquiry contact data | 3 years from date of last contact or date of inquiry (whichever is later) | Legitimate interests β commercial follow-up window |
| Customer / client contact data | Duration of commercial relationship + 3 years | Contract performance + legal obligations |
| Transaction / invoice records | 7 years from transaction date | Legal obligation β tax and accounting law |
| Email communications | 3 years from date of communication | Legitimate interests |
| Audit and activity logs | 6 years from date of log entry | HIPAA standard applied universally as highest benchmark |
| Consent records | Duration of consent + 3 years | Legal obligation β demonstrating consent |
| Access control records | 6 years from date of access event | Legal obligation β audit requirements |
| Breach incident records | 6 years from date of incident | Legal obligation β regulatory requirements |
| Backup data | Follows primary data retention β deleted on same schedule | Data minimization principle |
**12.3 Deletion Procedure**
When a retention period expires, or upon a valid Data Subject erasure request, the following deletion procedure shall be followed:
```
STEP 1: IDENTIFY
Identify all records and locations where the relevant data exists:
β Google Sheets CRM (primary records)
β Activity Log (audit trail entries referencing this record)
β Email records (Gmail β where accessible)
β n8n execution logs (where data appears)
β Backup files (schedule deletion on next backup cycle)
STEP 2: DELETE
Delete records from each identified location.
For Google Sheets: rows are deleted (not just cleared)
For backups: flag for deletion on the next scheduled backup cycle;
data will be absent from all backups after two consecutive cycles
STEP 3: DOCUMENT
Record the deletion in the Activity Log:
β Date and time of deletion
β Record identifier (Lead ID or equivalent)
β Systems from which deletion was performed
β Confirming individual (Custodian of Records or designee)
STEP 4: CONFIRM
Provide written confirmation to the Controller that deletion
has been completed, including the Activity Log entry reference.
```
**12.4 Legal Hold**
Where Personal Data is subject to a legal hold (litigation, regulatory investigation, or formal legal request), normal retention schedules are suspended for the relevant data. The Controller shall notify Proscris Agency promptly upon the commencement of any legal hold that affects data processed under this Agreement. Proscris Agency shall preserve affected records and suspend deletion procedures until the hold is lifted in writing.
---
### Article 13: Termination and Data Return
**13.1** Upon termination of the Engagement Term β whether by expiration, mutual agreement, or either party's election β the following procedure governs the disposition of Personal Data:
```
PHASE 1: DATA RETURN (within 30 days of termination)
Proscris Agency shall provide the Controller with a complete
export of all Personal Data processed under this Agreement
in the following formats:
β Google Sheets CRM: exported as .xlsx and .csv files
β Activity Log: exported as .xlsx and .csv files
β n8n workflow configurations: exported as .json files
(for portability β the Client can import workflows to their
own n8n instance)
β Any other data held in controlled systems: exported in the
most portable standard format available
Data is delivered to the Controller via:
β Google Drive shared folder (transferred to Controller ownership)
β Secure file transfer if Drive sharing is not preferred
PHASE 2: ACCESS REVOCATION (within 48 hours of termination)
All Proscris Agency access to Client systems is revoked:
β Google Workspace: Proscris accounts removed from Client domain
β Google Cloud Platform: IAM roles revoked
β WordPress: All Proscris Agency user accounts deleted
β n8n: All Proscris Agency user accounts deleted
β Any other system: all access credentials revoked and documented
PHASE 3: PROSCRIS COPIES DELETED (within 30 days of data return)
Unless subject to a legal hold or legal obligation requiring
retention, Proscris Agency shall delete all copies of Personal
Data processed under this Agreement from Proscris-controlled systems:
β n8n execution logs (containing Client data) β deleted
β Any working copies, exports, or test data β deleted
β Backup copies β flagged and deleted on next backup cycle
Proscris Agency shall provide the Controller with written
confirmation of deletion, including the systems from which
data was deleted and the date of deletion.
PHASE 4: EXCEPTION β COMPLIANCE RECORDS RETAINED
The following categories of records are retained by Proscris Agency
for the minimum period required by law, notwithstanding termination:
β This Agreement and its Schedules: 6 years from termination date
β Breach incident records: 6 years from incident date
β Consent records: Duration of consent + 3 years
β Security incident logs: 6 years from log date
β Training records for personnel who accessed Client data: 6 years
These records are retained solely for compliance and legal purposes
and are not used for any commercial purpose.
```
---
## PART SEVEN: INTERNATIONAL DATA TRANSFERS AND GLOBAL COMPLIANCE
---
### Article 14: Cross-Border Data Transfers
**14.1** Where Personal Data processed under this Agreement is transferred across international borders β including transfers from the European Economic Area (EEA) or United Kingdom to the United States β such transfers shall be made only under an appropriate legal mechanism as required by Applicable Data Protection Law.
**14.2 Applicable Transfer Mechanisms:**
```
EU/EEA TO US TRANSFERS:
Standard Contractual Clauses (SCCs) β Commission Implementing
Decision (EU) 2021/914 β Controller-to-Processor modules.
Where SCCs are required, they are incorporated by reference
into this Agreement and the parties agree to be bound by them.
UK TO US TRANSFERS:
UK International Data Transfer Agreement (IDTA) or
UK Addendum to EU SCCs.
ADEQUACY DECISIONS:
Where the European Commission has issued an adequacy decision
for the destination country, transfers may proceed on that basis.
BINDING CORPORATE RULES:
Where applicable and implemented.
```
**14.3 The Global Standard Principle**
Proscris Agency's technical infrastructure and data handling practices are engineered to meet the requirements of the most stringent applicable data protection frameworks, including GDPR, HIPAA, CCPA/CPRA, and equivalent legislation in Canada (PIPEDA/Law 25), Australia (Privacy Act 1988), Brazil (LGPD), and Japan (APPI).
The practical consequence of this approach: any business operating a Proscris-built infrastructure stack is operating at a standard that satisfies the data protection requirements of every major regulated market. The infrastructure does not need to be rebuilt when a business expands nationally across all US states or enters international markets. The data minimization, consent mechanisms, access controls, audit logging, retention scheduling, and Sub-Processor governance described in this Agreement meet the threshold requirements of all major global frameworks simultaneously.
This is an intentional architectural choice. We build to the highest available standard because the regulatory floor is rising β in the US, in every other major market, and globally. Engineering to that standard once is more efficient, more protective, and more durable than building to a lower standard and retrofitting under regulatory pressure.
---
## PART EIGHT: GENERAL PROVISIONS
---
### Article 15: Liability and Indemnification
**15.1** Each party shall be liable for damages caused by Processing that violates Applicable Data Protection Law only to the extent that such violation is attributable to that party's failure to fulfill its obligations under this Agreement or under the law.
**15.2** Proscris Agency shall be exempt from liability under this Agreement to the extent it can demonstrate that it is not in any way responsible for the event giving rise to the damage β including where it has followed the Controller's documented instructions and those instructions were the source of the violation.
**15.3** The parties shall cooperate in good faith to determine each party's proportionate responsibility for any claim, fine, or penalty related to the Processing of Personal Data under this Agreement.
**15.4** Nothing in this Agreement limits either party's liability to Data Subjects under Applicable Data Protection Law.
---
### Article 16: Confidentiality
**16.1** Both parties agree to maintain the strict confidentiality of Personal Data processed under this Agreement and of any proprietary, technical, or business information shared in the course of the engagement.
**16.2** Proscris Agency shall ensure that all personnel with access to Personal Data are subject to written confidentiality obligations that are no less protective than those in this Article and that survive the termination of their employment or engagement.
**16.3** Confidentiality obligations shall not apply to information that: (a) is or becomes publicly known through no breach of this Agreement; (b) is required to be disclosed by law, regulation, or court order (in which case the disclosing party shall provide advance notice to the other party to the extent permitted by law); or (c) the Controller has authorized in writing for disclosure.
---
### Article 17: Audit Rights
**17.1** The Controller, or a third-party auditor appointed by the Controller and reasonably acceptable to Proscris Agency, may conduct an audit of Proscris Agency's Processing activities under this Agreement no more than once per calendar year, upon a minimum of thirty (30) days' written notice.
**17.2** The scope of an audit shall be limited to Processing activities directly relevant to Personal Data processed under this Agreement.
**17.3** Proscris Agency shall cooperate fully with any audit, providing access to relevant documentation, systems logs, and personnel responses within the agreed audit scope.
**17.4** The Controller shall bear the cost of any third-party audit it commissions. Proscris Agency's personnel time devoted to supporting an audit shall be billable at standard consulting rates unless the audit reveals material non-compliance by Proscris Agency.
---
### Article 18: Amendments and Updates
**18.1** This Agreement may be amended only by written instrument signed by authorized representatives of both parties.
**18.2** Proscris Agency shall notify the Controller of any proposed amendment to this Agreement with a minimum of thirty (30) days' written notice. The Controller's continued use of Services after the thirty (30) day period constitutes acceptance of the amendment unless the Controller provides written objection within that period.
**18.3** Schedule C (Sub-Processor list) and Schedule B (Technical Stack) shall be updated by Proscris Agency upon any change to the Sub-Processors or Stack, with notification to the Controller per Article 10.3. Updated Schedules are incorporated into this Agreement upon notification without requiring a full amendment.
---
### Article 19: Governing Law and Dispute Resolution
**19.1** This Agreement shall be governed by and construed in accordance with the laws of the State of New York, United States of America, without regard to its conflict of law provisions.
**19.2** Any dispute arising out of or relating to this Agreement that cannot be resolved through good-faith negotiation between the parties within thirty (30) days of written notice shall be submitted to binding arbitration in New York, New York, under the rules of the American Arbitration Association.
**19.3** Nothing in this Article shall prevent either party from seeking emergency injunctive relief from a court of competent jurisdiction where necessary to prevent irreparable harm pending arbitration.
**19.4** Notwithstanding this Article, nothing in this Agreement shall limit the rights of Data Subjects to seek remedies before competent supervisory authorities or courts under Applicable Data Protection Law.
---
### Article 20: Entire Agreement and Order of Precedence
**20.1** This Agreement, together with its Schedules and any applicable addenda, constitutes the entire agreement between the parties with respect to the Processing of Personal Data under the engagement and supersedes all prior agreements, representations, and understandings with respect to that subject matter.
**20.2** In the event of any conflict between this Agreement and the Master Services Agreement or Statement of Work regarding the Processing of Personal Data, this Agreement shall prevail.
**20.3** In the event of any conflict between this Agreement and the requirements of Applicable Data Protection Law, the requirements of Applicable Data Protection Law shall prevail.
---
## PART NINE: SIGNATURES
---
### Execution
This Data Processing Agreement is entered into by the authorized representatives of the parties as of the Effective Date stated on the cover page.
---
**DATA CONTROLLER / CLIENT**
```
Signature: _________________________________
Printed Name: _________________________________
Title: _________________________________
Organization: _________________________________
Date: _________________________________
Email: _________________________________
```
---
**DATA PROCESSOR / PROSCRIS AGENCY LLC**
```
Signature: _________________________________
Printed Name: Robert Szopa
Title: Founder & Principal
Organization: Proscris Agency LLC
Date: _________________________________
Email: _________________________________
```
---
---
# SCHEDULE A: DATA MAP AND RETENTION SCHEDULE
**Agreement Reference:** DPA-PROSCRIS-[YYYY]-[CLIENT-ID]
**Client:** [CLIENT NAME]
**Last Updated:** [DATE]
**Maintained By:** Proscris Agency β Custodian of Records
---
### A.1 β Data Inventory
| Data Category | Collected From | Collection Method | Storage Location | Legal Basis | Retention Period | Deletion Method | Custodian |
|---|---|---|---|---|---|---|---|
| Lead contact data (name, email, phone) | Website visitors β form submission | Custom HTML form β n8n webhook | Google Sheets CRM | Consent (form checkbox) | 3 years from last contact | Row deletion + Activity Log confirmation | [Client Custodian] |
| Inquiry content (message, inquiry type) | Website visitors β form submission | Custom HTML form β n8n webhook | Google Sheets CRM | Consent (form checkbox) | 3 years from last contact | Row deletion + Activity Log confirmation | [Client Custodian] |
| Marketing attribution data (UTM parameters) | Website visitors β URL parameters | JavaScript capture at form load | Google Sheets CRM | Legitimate interests | 3 years from last contact | Row deletion with associated lead record | [Client Custodian] |
| Customer / client records | Existing clients | Various (manual entry, form) | Google Sheets CRM | Contract performance | Relationship + 3 years | Row deletion + Activity Log confirmation | [Client Custodian] |
| Email communications | Team, clients, leads | Gmail (Google Workspace) | Google Workspace | Contract / legitimate interests | 3 years | Google Workspace account management | [Client Custodian] |
| Consent records | Data Subjects at form submission | n8n workflow β automated logging | Google Sheets β Activity Log | Legal obligation | Consent period + 3 years | Row deletion per schedule | [Client Custodian] |
| Audit / activity logs | System β automated | n8n workflow β automated | Google Sheets β Activity Log | Legitimate interests / legal obligation | 6 years | Row deletion per schedule | Robert Szopa (Proscris) |
| Advertising signals (hashed) | Automation engine | n8n β Meta CAPI (or equivalent) | Ad platform only β not retained | Legitimate interests | Not retained β transmitted only | N/A β not stored | Robert Szopa (Proscris) |
| Server access logs | GCP infrastructure | Google Cloud Logging | Google Cloud (GCP) | Legal obligation / security | 6 years | GCP retention policy β automated | Robert Szopa (Proscris) |
| WordPress admin audit log | WordPress admin actions | WP Activity Log plugin | WordPress database β Drive backup | Security / legal obligation | 6 years | Plugin management + backup deletion | Robert Szopa (Proscris) |
| Backup data | All systems above | UpdraftPlus / GCP automated backup | Google Drive / GCP Cloud Storage | Legitimate interests | Mirrors primary data β deleted on same schedule | Backup manager | Robert Szopa (Proscris) |
---
### A.2 β Data Flow Diagram (Narrative)
```
DATA SUBJECT submits form at [clientwebsite.com]
β
β Form: Custom HTML β no third-party form platform
β Transport: HTTPS POST β TLS 1.3
β Authentication: X-Form-Secret header
β
β
N8N AUTOMATION ENGINE (self-hosted β GCP Compute Engine, us-east1)
β
β Receives: Full form payload
β Actions:
β (1) Validates required fields
β (2) Generates Lead ID
β (3) Formats data
β (4) Routes to parallel branches:
β
βββ β GOOGLE SHEETS CRM
β Owner: system@[clientdomain].com (Google Workspace)
β Data: Full lead record
β Agreement: Google DPA / BAA (healthcare)
β Access: Named individuals per Schedule D
β
βββ β GMAIL NOTIFICATION
β Sender: system@[clientdomain].com
β Recipients: Named team members only
β Data: Lead contact details
β Agreement: Google DPA / BAA (healthcare)
β
βββ β GMAIL AUTO-CONFIRM
β Sender: system@[clientdomain].com
β Recipient: Data Subject's email
β Data: First name + acknowledgment β no sensitive content
β Agreement: Google DPA / BAA (healthcare)
β
βββ β ADVERTISING PLATFORM (via CAPI β server-side only)
Filter: Signal Filter applied β see Article 6
Sent: Hashed email, hashed phone, event metadata
Blocked: All plaintext PII, message content, source URL
Agreement: Platform data policies (no DPA required
for hashed, filtered signals that do not constitute
personal data at the platform level)
β
β
ACTIVITY LOG (Google Sheets β dedicated tab)
β Every branch action above generates an audit log entry
β Fields: Timestamp, Lead ID, Action, System, Status, Notes
β Retention: 6 years
```
---
### A.3 β Special Category Data
```
Special Category Data processed under this Agreement:
[CHECK ONE]
β NONE β This engagement does not involve Special Category Personal Data
β APPLICABLE β The following Special Category data may be incidentally
disclosed by Data Subjects:
Category: _________________________________
Circumstances: _________________________________
Additional safeguards addendum: [ADDENDUM REFERENCE]
```
---
# SCHEDULE B: TECHNICAL STACK β APPROVED SYSTEMS
**All systems in this Schedule have been evaluated against the criteria in Article 10.2. Data Processing Agreements or equivalent legal mechanisms are in place for every system that processes Personal Data.**
---
### B.1 β Infrastructure Layer
| System | Provider | Purpose | Data It Processes | Agreement Type | Agreement Status | Data Location |
|---|---|---|---|---|---|---|
| **Compute Engine VM (WordPress)** | Google Cloud Platform | Hosts Client website β WordPress installation | Website traffic (logs only β form data bypasses) | Google Cloud DPA / GCP BAA (healthcare) | β Signed | us-east1 (US) |
| **Compute Engine VM (n8n)** | Google Cloud Platform | Hosts automation engine | All form data β primary processing point | Google Cloud DPA / GCP BAA (healthcare) | β Signed | us-east1 (US) |
| **Cloud SQL** | Google Cloud Platform | WordPress database | WordPress content β no form data | Google Cloud DPA / GCP BAA (healthcare) | β Signed | us-east1 (US) |
| **Cloud Storage** | Google Cloud Platform | File storage, backups | Backup data β encrypted | Google Cloud DPA / GCP BAA (healthcare) | β Signed | us-east1 (US) |
| **Cloud Armor** | Google Cloud Platform | WAF and DDoS protection | Traffic metadata β no Personal Data retained | Google Cloud DPA | β Signed | US |
| **Cloud Logging** | Google Cloud Platform | Infrastructure audit logs | Server access logs β IP addresses, timestamps | Google Cloud DPA / GCP BAA (healthcare) | β Signed | us-east1 (US) |
| **Secret Manager** | Google Cloud Platform | Credential storage | API keys, tokens β no Personal Data | Google Cloud DPA | β Signed | US |
---
### B.2 β Application Layer
| System | Provider | Purpose | Data It Processes | Agreement Type | Agreement Status | Data Location |
|---|---|---|---|---|---|---|
| **WordPress (self-hosted)** | Automattic (software only β self-hosted) | Client website CMS | Website content β no form data (bypassed) | No DPA required β self-hosted software | N/A | Client-controlled GCP |
| **n8n (self-hosted)** | n8n GmbH (software only β self-hosted) | Automation engine | All form data and workflow data | No DPA required β self-hosted software | N/A | Client-controlled GCP |
| **ASE Pro (Admin Site Enhancements)** | WPase | WordPress security and admin management | WordPress admin actions β no Personal Data sent externally | No DPA required β local plugin | N/A | Client-controlled GCP |
| **Wordfence** | Defiant Inc. | WordPress security β WAF and malware scanning | File integrity, login attempts β limited Personal Data | Defiant Privacy Policy / DPA | β Reviewed | US |
| **WP 2FA** | WP White Security | Two-factor authentication enforcement | Authentication metadata β no Personal Data transmitted | No external data transmission | N/A | Client-controlled GCP |
| **WP Activity Log** | WP White Security | WordPress admin audit logging | Admin action metadata | No external data transmission | N/A | Client-controlled GCP |
| **UpdraftPlus** | Updraft Plus Ltd | WordPress backup | Full WordPress content β Google Drive | Updraft DPA + Google DPA | β Reviewed | Google Workspace |
---
### B.3 β Productivity and CRM Layer
| System | Provider | Purpose | Data It Processes | Agreement Type | Agreement Status | Data Location |
|---|---|---|---|---|---|---|
| **Gmail** | Google LLC | Email β internal notifications and external communication | Lead contact data, team communications | Google Workspace DPA / BAA (healthcare) | β Signed | US (Workspace) |
| **Google Sheets** | Google LLC | CRM database β lead and customer records | All lead and client Personal Data | Google Workspace DPA / BAA (healthcare) | β Signed | US (Workspace) |
| **Google Drive** | Google LLC | File storage β backup files, compliance documents | Backup data, compliance records | Google Workspace DPA / BAA (healthcare) | β Signed | US (Workspace) |
| **Google Calendar** | Google LLC | Appointment scheduling | Appointment metadata β see note | Google Workspace DPA / BAA (healthcare) | β Signed | US (Workspace) |
| **Google Meet** | Google LLC | Video consultations (where applicable) | Meeting metadata β see note | Google Workspace DPA / BAA (healthcare) | β Signed | US (Workspace) |
| **Google Docs** | Google LLC | Document management | Compliance and operational documents | Google Workspace DPA / BAA (healthcare) | β Signed | US (Workspace) |
> **Note on Google Calendar and Meet:** Event titles and descriptions shall contain only neutral, non-sensitive content (see Data Handling Protocols for scheduling). Meeting recordings shall not be made without explicit Data Subject consent.
---
### B.4 β DNS, CDN, and Security Layer
| System | Provider | Purpose | Data It Processes | Agreement Type | Agreement Status | Data Location |
|---|---|---|---|---|---|---|
| **Cloudflare (DNS + WAF)** | Cloudflare Inc. | DNS management, CDN, WAF, DDoS protection | IP addresses, traffic metadata | Cloudflare DPA / BAA (healthcare) | β Signed | US / Global CDN |
---
### B.5 β Advertising Signal Transmission
| System | Provider | Purpose | Data It Processes | Agreement Type | Agreement Status |
|---|---|---|---|---|---|
| **Meta Conversions API** | Meta Platforms Inc. | Server-side conversion signal β filtered | Hashed email, hashed phone, event metadata ONLY β Signal Filter applied | Meta Business Terms + Data Processing Terms | β Accepted |
| **Google Enhanced Conversions** (if applicable) | Google LLC | Server-side conversion signal β filtered | Hashed email ONLY β Signal Filter applied | Google Ads DPA | β Signed |
> **Critical Note:** Neither Meta nor Google receives plaintext Personal Data under the Proscris Signal Filtering architecture. All signals transmitted to advertising platforms are filtered per Article 6 before transmission. Hashed identifiers are not "personal data" within the meaning of GDPR Article 4(1) when hashing is performed correctly and the original data is not transmitted alongside the hash.
---
### B.6 β Systems NOT Approved for Client Data
The following categories of tools are not approved for use in any Proscris client engagement involving Personal Data, for the reasons stated:
| Tool Category | Example Tools | Reason Not Approved |
|---|---|---|
| CRMs without DPA/BAA | GoHighLevel (healthcare), many others | No signed DPA available or BAA declined |
| Email marketing platforms without DPA | Many mainstream platforms | Use aggregate customer data for own purposes |
| Browser-side ad pixels for conversion tracking | Meta Pixel (conversion), GA4 (healthcare) | Plaintext PII or health context transmission to third parties |
| Session recording without consent + DPA | Hotjar, FullStory (unconsented) | Captures behavioral data including potentially sensitive content |
| Scheduling tools without BAA (healthcare) | Calendly (healthcare) | No healthcare BAA available |
| Free video conferencing (healthcare) | Zoom (free tier) | No BAA on free tier |
| Shared hosting without DPA | InstaWP, shared cPanel hosts | No DPA available; data residency not guaranteed |
| AI tools with training data opt-in | Any AI tool that trains on user inputs by default | Data may be used to train third-party models |
---
# SCHEDULE C: SUB-PROCESSOR LIST
**All Sub-Processors listed below have been evaluated against the criteria in Article 10.2. Proscris Agency maintains signed Data Processing Agreements or equivalent legal instruments with each Sub-Processor that processes Personal Data.**
| Sub-Processor | Registered Office | Processing Activity | Data Categories Processed | Legal Mechanism | DPA/Agreement | Data Location |
|---|---|---|---|---|---|---|
| **Google LLC (Google Cloud Platform)** | Mountain View, CA, USA | Infrastructure hosting β WordPress and n8n VMs, database, storage, logging | All categories per Schedule A that flow through GCP infrastructure | Google Cloud DPA; GCP BAA (healthcare clients) | β Signed | us-east1, USA |
| **Google LLC (Google Workspace)** | Mountain View, CA, USA | Email, CRM (Sheets), Drive, Calendar, Meet, Docs | All categories per Schedule A that flow through Workspace | Google Workspace DPA; Workspace BAA (healthcare clients) | β Signed | USA |
| **Cloudflare Inc.** | San Francisco, CA, USA | DNS, CDN, WAF, DDoS protection | IP addresses, traffic metadata | Cloudflare DPA; Cloudflare BAA (healthcare clients) | β Signed | USA / Global |
| **Meta Platforms Inc.** | Menlo Park, CA, USA | Advertising signal receipt (CAPI) β filtered only | Hashed email, hashed phone, event metadata ONLY | Meta Business and Platform Terms; Meta Data Processing Terms | β Accepted | USA |
| **Defiant Inc. (Wordfence)** | Defiance, WA, USA | WordPress security scanning | Login metadata, file integrity data | Defiant Privacy Policy | β Reviewed | USA |
**Sub-Processors Applicable Only for Healthcare Clients (HIPAA BAA Required):**
| Sub-Processor | Processing Activity | BAA Status |
|---|---|---|
| **Paubox Inc.** | Encrypted email delivery for PHI communications | β BAA Signed |
**Notification of Sub-Processor Changes:**
Any addition to or removal from this Schedule shall be communicated to the Controller with fourteen (14) days' written notice per Article 10.3.
---
# SCHEDULE D: ACCESS CONTROL TABLE
**This Schedule documents every individual with access to systems containing Personal Data processed under this Agreement. It is reviewed and updated quarterly.**
**Client Organization β System Access:**
| Name | Role | Systems Accessible | Access Level | MFA Enabled | Access Granted Date | Last Reviewed |
|---|---|---|---|---|---|---|
| [Name] | [Role] | Google Workspace, Google Sheets CRM | Editor | β Yes | [Date] | [Date] |
| [Name] | [Role] | Google Workspace, Google Sheets CRM | Editor | β Yes | [Date] | [Date] |
| system@[clientdomain].com | System Account | All Google Workspace, GCP Console | Owner | β Yes | [Date] | [Date] |
**Proscris Agency β System Access:**
| Name | Role | Systems Accessible | Access Level | MFA Enabled | Access Granted Date | Last Reviewed |
|---|---|---|---|---|---|---|
| Robert Szopa | Principal / CTO | All systems listed in Schedule B | Admin (active projects) | β Yes | [Date] | [Date] |
| [Additional Proscris team member] | [Role] | [Specific systems only] | [Level] | β Yes | [Date] | [Date] |
**Access Revocation Log:**
| Name | Role | Systems | Access Revoked Date | Revoked By | Reason | Credentials Rotated |
|---|---|---|---|---|---|---|
| [Name] | [Role] | [Systems] | [Date] | [Name] | Departure / Role Change | β Yes |
**Quarterly Access Review β Completion Record:**
| Review Period | Review Date | Reviewer | Changes Made | Sign-Off |
|---|---|---|---|---|
| Q1 [Year] | | | | |
| Q2 [Year] | | | | |
| Q3 [Year] | | | | |
| Q4 [Year] | | | | |
---
# SCHEDULE E: APPROVED INSTRUCTIONS AND RESTRICTED PROCESSING
**This Schedule documents the specific processing instructions authorized by the Controller and any processing activities that are explicitly restricted.**
### E.1 β Authorized Processing Instructions
```
β
Collect lead contact data via custom HTML form on Client website
β
Process form submissions through self-hosted n8n automation engine
β
Store lead records in Google Sheets CRM under Client's Workspace account
β
Send team notification emails via Client's Gmail (Google Workspace)
β
Send auto-confirmation emails to Data Subjects upon form submission
β
Transmit filtered, hashed conversion signals to designated ad platforms
via server-side API only β Subject to Signal Filter (Article 6)
β
Maintain audit log of all automated actions in Activity Log
β
Configure and operate WordPress website on GCP infrastructure
β
Operate n8n automation engine on GCP infrastructure
β
Maintain security controls, backups, and monitoring systems
β
Conduct access reviews and maintain access control records
β
Provide Controller with data exports upon request
β
Assist with Data Subject rights request fulfillment
```
### E.2 β Explicitly Restricted Processing
```
β Proscris Agency shall NOT sell Personal Data to any third party
β Proscris Agency shall NOT share Personal Data with parties
not listed in Schedule C without prior written Controller consent
β Proscris Agency shall NOT use Client Personal Data for its own
marketing, business development, or analytics purposes
β Proscris Agency shall NOT aggregate Client Personal Data with
data from other Proscris clients
β Proscris Agency shall NOT install browser-side advertising pixels
on Client websites for conversion tracking purposes
β Proscris Agency shall NOT transmit plaintext Personal Data to
advertising platforms β hashed, filtered signals only
β Proscris Agency shall NOT process Special Category Personal Data
without a separate signed addendum to this Agreement
β Proscris Agency shall NOT retain Personal Data beyond the retention
periods specified in Schedule A without written Controller instruction
β Proscris Agency shall NOT add Sub-Processors without prior
notification to the Controller per Article 10.3
β Proscris Agency shall NOT make Personal Data available to any
government authority without written notification to the Controller,
except where prohibited by law from providing such notification
```
---
# SCHEDULE F: TRAINING AND CERTIFICATION RECORD
**Proscris Agency maintains the following training records for personnel with access to Personal Data processed under this Agreement:**
| Name | Role | Training Completed | Training Date | Training Topics | Acknowledgment Signed | Next Refresh Due |
|---|---|---|---|---|---|---|
| Robert Szopa | Principal | Data protection principles, GDPR, CCPA, HIPAA overview, security protocols, breach response | [Date] | Full curriculum | β Yes | [Annual date] |
| [Additional personnel] | [Role] | [Topics] | [Date] | [Topics] | β Yes | [Date] |
**Training Curriculum Minimum Requirements:**
```
β Overview of applicable data protection law (GDPR, CCPA, HIPAA where applicable)
β Definition and examples of Personal Data and Special Category data
β The principle of data minimization and how it applies to daily work
β Confidentiality obligations β what can and cannot be discussed externally
β Password hygiene and credential management
β MFA β why it is required and how to use it
β Breach identification β what does a potential breach look like?
β Breach reporting β internal escalation procedure
β Data Subject rights β what are they and how do we support them?
β Consequences of non-compliance β regulatory and professional
β Client-specific protocols relevant to this engagement
```
---
# SCHEDULE G: COMPLIANCE FOLDER STRUCTURE
**All documentation generated under this Agreement shall be maintained in the following folder structure, owned by the Client's system account within Google Workspace:**
```
π [CLIENT NAME] β Data Compliance/
β
βββ π Agreements/
β βββ DPA-PROSCRIS-[YYYY]-[CLIENT-ID]_Signed.pdf β This document
β βββ Google_Workspace_DPA_[Date].pdf
β βββ Google_Cloud_DPA_[Date].pdf
β βββ Cloudflare_DPA_[Date].pdf
β βββ [Additional vendor DPAs]
β
βββ π Risk_Assessments/
β βββ [Year]_Initial_Risk_Assessment.pdf
β βββ [Year]_Annual_Risk_Assessment.pdf
β
βββ π Training_Records/
β βββ [Year]/
β β βββ [StaffName]_Training_[Date].pdf
β β βββ Training_Completion_Log_[Year].xlsx
β βββ Training_Curriculum_v[X].pdf
β
βββ π Access_Audits/
β βββ Q1_[Year]_Access_Review.pdf
β βββ Q2_[Year]_Access_Review.pdf
β βββ Q3_[Year]_Access_Review.pdf
β βββ Q4_[Year]_Access_Review.pdf
β
βββ π Incident_Reports/
β βββ [Date]_Incident_[Brief_Description].pdf
β
βββ π Data_Subject_Requests/
β βββ [Date]_[RequestType]_[Reference].pdf
β
βββ π Signal_Filter_Documentation/
β βββ CAPI_Filter_Code_[Date].pdf β Printed, commented code
β
βββ π Deletion_Records/
β βββ [Date]_Deletion_Confirmation_[Reference].pdf
β
βββ π Data_Map_Current.xlsx β Schedule A β kept current
```
---
**Document Control:**
| Field | Value |
|---|---|
| **Document Title** | Data Processing Agreement β Proscris Agency LLC |
| **Version** | 1.0 |
| **Prepared By** | Proscris Agency LLC β Robert Szopa |
| **Template Created** | February 2026 |
| **Review Cycle** | Annually β or upon any material change to the Stack, Sub-Processors, or Applicable Data Protection Law |
| **Governing Law** | State of New York, United States of America |
| **Retention** | 6 years from termination of the Engagement Term to which it applies |
---
> **A note on this document and what it represents:**
> Most agencies do not have a Data Processing Agreement. Most of the ones that do have one copied a template that describes nothing about how they actually work. This document describes exactly how we work β the specific tools, the specific data flows, the specific filtering logic, the specific access controls. It is not aspirational language. It is a description of architecture that already exists and is already running.
>
> The clients who sign this document are not just getting legal protection β they are getting documented evidence that the infrastructure running their business was built by people who understood what they were building and why every decision was made the way it was.
>
> That is the Proscris standard. It does not change based on client size, industry, or whether a regulator is watching. The data belongs to the people who gave it. We build infrastructure that honors that.
---
**Sources:**
- [EU General Data Protection Regulation β Full Text](https://gdpr-info.eu/)
- [GDPR Article 5 β Principles of Processing](https://gdpr-info.eu/art-5-gdpr/)
- [GDPR Article 28 β Processor Requirements](https://gdpr-info.eu/art-28-gdpr/)
- [GDPR Article 33 β Breach Notification to Supervisory Authority](https://gdpr-info.eu/art-33-gdpr/)
- [GDPR Standard Contractual Clauses β Commission Decision 2021/914](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914)
- [California Consumer Privacy Act β Full Text](https://oag.ca.gov/privacy/ccpa)
- [California Privacy Rights Act β CPRA](https://cppa.ca.gov/regulations/)
- [IAPP β US State Privacy Law Tracker](https://iapp.org/resources/article/us-state-privacy-legislation-tracker/)
- [HHS β HIPAA Privacy Rule](https://www.hhs.gov/hipaa/for-professionals/privacy/index.html)
- [HHS β HIPAA Security Rule](https://www.hhs.gov/hipaa/for-professionals/security/index.html)
- [HHS β Business Associate Guidance](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html)
- [HHS β Breach Notification Rule](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html)
- [Google Cloud β Data Processing Addendum](https://cloud.google.com/terms/data-processing-addendum)
- [Google Cloud β HIPAA BAA](https://cloud.google.com/terms/hipaa-baa)
- [Google Workspace β Data Processing Amendment](https://workspace.google.com/terms/dpa_terms.html)
- [Google Workspace β HIPAA Functionality List](https://workspace.google.com/terms/2015/1/hipaa_functionality/)
- [Cloudflare β Data Processing Addendum](https://www.cloudflare.com/cloudflare-customer-dpa/)
- [Meta β Data Processing Terms](https://www.facebook.com/legal/terms/dataprocessing)
- [Meta β Conversions API Documentation](https://developers.facebook.com/docs/marketing-api/conversions-api)
- [NIST β SHA-256 Standard](https://csrc.nist.gov/publications/detail/fips/180/4/final)
- [ICO β Guide to Data Minimisation](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/data-minimisation/)
- [ICO β Legitimate Interests Assessment](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/)
- [Cookieyes β GDPR Data Processing Agreement Guide](https://www.cookieyes.com/blog/data-processing-agreement/)
- [IAPP β Data Processing Agreement Template Analysis](https://iapp.org/resources/article/data-processing-agreement/)
- [Stinson β New Era of Privacy Laws 2026](https://www.stinson.com/newsroom-publications-a-new-era-of-comprehensive-privacy-laws-and-the-surge-in-data-privacy-litigation-important-updates-for-2026)
- [Cookie Script β US State Privacy Laws Small Business 2025-2026](https://cookie-script.com/privacy-laws/us-state-privacy-laws-for-small-businesses-2025-2026)