Data Processing Agreement

(Effective as of: March 03, 2026)

 

Key Sections

1. DEFINITIONS

2. PROCESSING OF PERSONAL DATA

3. SUB-PROCESSORS

4. SECURITY

5. RESTRICTED DATA TRANSFERS

6. RETURN OR DELETION OF PERSONAL DATA

7. DATA BREACH NOTIFICATION

8. COOPERATION

9. RELATIONSHIP WITH THE AGREEMENT

Schedule 1 – Description of Processing/Transfer

Schedule 2 – UK / EU Transfer Provisions

Schedule 3 – Technical and Organizational Measures

 

This Data Processing Agreement, including its Schedules (“DPA”) is supplemental to, and forms an integral part of, the Agreement (as defined below) for the provision of products or services (hereafter the “Services”) between the Aquatic Informatics entity (“Supplier”) and Customer entity (“Customer”) that are party to the Agreement.

This DPA shall be effective on the effective date of the Agreement (“Effective Date”). Supplier and Customer shall each be referred to herein as a “Party” and collectively as the “Parties”. In the course of providing the Services to Customer pursuant to the Agreement, Supplier may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith. All capitalized terms not defined in this DPA shall have the meanings ascribed to them in the Agreement.

1. DEFINITIONS

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, provided that as such definition pertains to Supplier, it is limited to those legal entities doing business under the “Supplier” trademark or tradename. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Agreement” means any agreement between Supplier and Customer for the provision of Services that references and incorporates this DPA.

“Applicable Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the Processing of Personal Data under the Agreement, including, where applicable, EU & UK Data Protection Law and the CCPA.

“California Consumer Privacy Act” or “CCPA” means the California Consumer Privacy Act of 2018, as may be amended from time to time.

“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Process”, and “Processing” shall have the meanings ascribed to them under the Applicable Data Protection Laws.

“Customer” means the entity that executed the Agreement together with its Affiliates (for so long as they remain Affiliates) which have signed Order Forms.

“Customer Data” bears the meaning ascribed to it in the Agreement, provided that such data is electronic data and information submitted by or for Customer to the Services.

“Data Breach” means (i) the loss or misuse (by any means) of Personal Data; (ii) the inadvertent, unauthorized, and/or unlawful disclosure, access, alteration, corruption, transfer, sale, rental, destruction, or use of Personal Data; or (iii) any other act or omission that compromises or may compromise the security, confidentiality, or integrity of Personal Data.

“Supplier” means the Supplier entity that is a Party to the Agreement and this DPA.

“Supplier Group” means Supplier and its Affiliates engaged in the Processing of Personal Data.

“EU/UK Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“EU GDPR”); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under or pursuant to (i) or (ii), in each case as may be amended or superseded from time to time.

“Purposes” shall mean Supplier’s provision of the Services under the Agreement.

“Restricted Transfer” means (i) where the EU GDPR applies, a transfer of Personal Data to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of Personal Data to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.

“Standard Contractual Clauses” means (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (“EU SCCs”); and (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”).

“Sub-processor” means any other Data Processor engaged by a member of the Supplier Group to Process Personal Data.

“Usage Data” means data gathered by Supplier from the Services reflecting Customer’s usage, behavior and activity within the Services and used to optimize Supplier’s provision of Services.

2. PROCESSING OF PERSONAL DATA

2.1. Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and Supplier is a Processor. To the extent any Usage Data is considered Personal Data under Applicable Data Protection Laws, Supplier is the Controller of such data and shall Process such data in accordance with the Agreement and Applicable Data Protection Laws.

2.2. Supplier’s Processing of Personal Data. Customer shall ensure its Processing instructions are lawful and that the Processing of Personal Data in accordance with such instructions will not violate Applicable Data Protection Laws. The Parties agree that the Agreement (including this DPA) sets out Customer’s complete and final instructions to Supplier for the Processing of Customer Personal Data. Any Processing outside the scope of these instructions will require prior written agreement between the Parties.

2.3. Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Applicable Data Protection Laws, including any applicable requirement to provide notice to Data Subjects of the use of Supplier as Processor.

2.4. Details of the Processing. The subject-matter of Processing of Personal Data by Supplier is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Description of Processing/Transfer) hereto.

3. SUB-PROCESSORS

3.1 Authorized Sub-processors. The current list of Supplier’s Sub-processors engaged in Processing Personal Data for the performance of the Services, including a description of their processing activities and countries of location, is set out in Schedule 1. Customer specifically consents to the use of the listed Sub-processors. For clarity, this Section 3.1 (Authorized Sub-Processors) constitutes Customer’s general consent for Supplier’s engagement of onward Sub-processors under the Standard Contractual Clauses.

3.2 Sub-processor Obligations. Supplier shall: (i) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Personal Data than Supplier’s obligations hereunder to the extent applicable to the nature of the services provided by such Sub-processor; and (ii) remain liable for each Sub-processor’s compliance with the obligations hereunder.

3.3 Changes to Sub-processors. In the event Supplier wishes to make a change to its list of Sub-processors, Supplier shall notify Customer in writing of any intended changes to that list through the addition or replacement of Sub-processors at least thirty (30) days in advance, thereby giving the Customer sufficient time to be able to object to such changes prior to the engagement of a new Sub-processor (the “Objection Period”). The Parties agree that publication of a new Sub-processor on a website of Supplier is a notification in writing. During the Objection Period, Customer may object in writing to Supplier’s appointment of the new Sub-processor, provided that such objection is based on reasonable grounds relating to data protection. In such event, the Parties will discuss Customer’s concerns in good faith with a view to achieving resolution. If Customer can reasonably demonstrate that the new Sub-processor is unable to Process Personal Data in compliance with the terms of this DPA and Supplier cannot provide an alternative Sub-processor, or the Parties are not otherwise able to achieve resolution, Customer, as its sole and exclusive remedy, may terminate any order forms with respect only to those aspects of the Services which cannot be provided by Supplier without the use of the new Sub-processor by providing written notice to Supplier. In such an event, Supplier will refund Customer any prepaid unused fees associated with the order forms following the effective date of termination for the terminated Services.

4. SECURITY

4.1 Controls for the Protection of Customer Data. Supplier shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data, as set forth in Schedule 3 (“Supplier Technical and Operational Minimum Security Measures”). Supplier regularly monitors compliance with these measures. Supplier will not materially decrease the overall security of the Services during a Subscription Term. Further, Supplier shall ensure that any person it authorizes to Process Personal Data (including its staff, agents and subcontractors) is bound by appropriate confidentiality obligations, whether contractual or statutory in nature.

4.2 Audit. Customer may contact Supplier to request an audit of Supplier’s Processing activities covered by this DPA (“Audit”). An Audit may be conducted by Customer either itself or through a qualified Third-Party Auditor selected by the Customer when:

  • Customer has received a notice from Supplier of a Data Breach; or
  • such an audit is required by Applicable Data Protection Laws or by Customer’s competent supervisory authority.

Following receipt by Supplier of such request, Supplier and Customer shall mutually agree in advance in writing on the details of the audit, including reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any such audit. Supplier may charge a fee (rates shall be reasonable, taking into account the resources expended by Supplier) for any such audit. Any information arising from the Audit shall be Supplier’s Confidential Information.

Where the Auditor is a third-party, the Auditor may be required to execute a separate confidentiality agreement with Supplier prior to any review of Reports or an audit of Supplier, and Supplier may object in writing to such Auditor, if in Supplier’s reasonable opinion, the Auditor is not suitably qualified or is a direct competitor of Supplier. Any such objection by Supplier will require Customer to either appoint another Auditor or conduct the audit itself. Expenses incurred by Auditor in connection with any audit shall be borne exclusively by the Customer. For clarity, the exercise of audit rights under the Standard Contractual Clauses shall be as described in this Section 4 (Security).

5. RESTRICTED DATA TRANSFERS

For any transfers by Customer of Personal Data from the European Economic Area and/or its member states, United Kingdom and/or Switzerland (collectively, “Restricted Countries”) to Supplier in a country which does not ensure an adequate level of protection (within the meaning of and to the extent governed by the Applicable Data Protection Laws of the Restricted Countries) (collectively, “Third Country”), such transfers shall be governed by the Standard Contractual Clauses in the manner set out in Schedule 2, which are incorporated herein by reference, and for these purposes Supplier shall be the “data importer” and Customer is the “data exporter” (notwithstanding that Customer may be an entity located outside of a Restricted Country). Notwithstanding the foregoing, if Supplier has adopted Binding Corporate Rules (BCRs) for Processors that cover the transfer of Personal Data to a Third Country, then such BCRs shall govern the transfer of Personal Data.

6. RETURN OR DELETION OF PERSONAL DATA

Customer may retrieve or delete all Personal Data upon expiration or termination of the Agreement as set forth in the Agreement. Subject to Section 8.3 (Government, Law Enforcement, and/or Third-Party Inquiries) hereof, any Personal Data not deleted by Customer shall be deleted by Supplier promptly upon the later of (i) expiration or termination of the Agreement.

7. DATA BREACH NOTIFICATION

Should Supplier become aware that a Data Breach has occurred, Supplier shall:

  • provide Customer written notice of the same without undue delay after becoming aware of a confirmed Data Breach;
  • insofar as available, provide Customer with information to allow it to report or inform Data Subjects of the Data Breach, as necessary;
  • undertake an investigation of such Data Breach and reasonably cooperate with Customer, regulators and law enforcement agencies;
  • take reasonable corrective action in a timely manner to assist in the investigation, mitigation and remediation of a Data Breach, to remediate and mitigate the risk of a recurrence of such Data Breach.

8. COOPERATION

8.1 Data Subject Requests. To the extent legally permitted, Supplier shall promptly notify Customer if Supplier receives a request from a Data Subject that identifies Customer and seeks to exercise the Data Subject’s right to access, rectify, erase, transfer or port Customer Personal Data, or to restrict the Processing of Personal Data (“Data Subject Request”). Supplier shall (upon Customer’s written request) provide commercially reasonable cooperation to assist Customer in responding to any Data Subject Requests.

8.2 Data Protection Impact Assessments. Upon Customer’s request, Supplier shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under Applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Supplier.

8.3 Government, Law Enforcement, and/or Third-Party Inquiries. If Supplier receives a demand to retain, disclose, or otherwise Process Personal Data for any third party, including, but not limited to law enforcement or a government authority (“Third-Party Demand”), then Supplier shall attempt to redirect the Third-Party Demand to Customer. If Supplier cannot redirect the Third-Party Demand to Customer, then Supplier shall, to the extent legally permissible, provide Customer reasonable notice of the Third-Party Demand as promptly as feasible under the circumstances to allow Customer to seek a protective order or other appropriate remedy.

9. RELATIONSHIP WITH THE AGREEMENT

9.1 The Parties agree that this DPA shall replace and supersede any existing data processing addendum, attachment or exhibit (including the Standard Contractual Clauses, as applicable) that the Parties may have previously entered into in connection with the Services.

9.2 Except as provided by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict in connection with the Processing of Personal Data.

9.3 Notwithstanding anything to the contrary in the Agreement or this DPA, each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. Without limiting either of the Parties’ obligations hereunder, each Party agrees that any regulatory penalties incurred by one Party (the “Incurring Party”) in relation to the Personal Data that arise as a result of, or in connection with, the other Party’s failure to comply with its obligations hereunder or any Applicable Data Protection Laws shall count toward and reduce the Incurring Party’s liability under the Agreement as if it were liability to the other Party under the Agreement.

9.4 In no event shall this DPA or any party restrict or limit the rights of any Data Subject or of any competent supervisory authority.

LIST OF SCHEDULES

Schedule 1: Description of Processing/Transfer

Schedule 2: UK / EU Transfer Provisions

Schedule 3: Technical and Organizational Measures

Schedule 1 – Description of Processing/Transfer

1. List of Parties

Processor:

1. Name: Supplier
Address: As defined in the Agreement
Contact person’s name, position and contact details: As defined in the Agreement
Activities relevant to the data transferred under the Standard Contractual Clauses: Described in this Schedule 1
Role: Processor or Controller as defined in Section 2.1 of the DPA

 

Controller:

1. Name: Customer
Address: As defined in the Agreement
Contact person’s name, position and contact details: As defined in the Agreement
Activities relevant to the data transferred under the Standard Contractual Clauses: Processor or Controller as defined in Section 2.1 of the DPA
Role: Controller

 

2. Categories of data subjects whose personal data is transferred

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

Employees, agents, advisors, freelancers of Customer (who are natural persons)

3. Categories of personal data transferred

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

first name, last name, username, email address, IP address, Geo-coordinates

4. Sensitive data transferred (if applicable)

The Customer will not submit any sensitive Personal Data to the Services.

5. Frequency of transfer

The Personal Data will be Processed on a continuous basis depending on the use of the Services by Customer.

6. Nature of the processing

The nature of the Processing is the performance of Services pursuant to the Agreement.

7. Purpose of processing, the data transfer and further processing

Authenticate, authorize, and communicate with users. First name and surname are used within the application for auditing and traceability purposes.

8. Duration of processing

Subject to section 9 of the DPA, Supplier will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.

9. Competent Authority

This will be the competent data protection or privacy supervisory authority in the jurisdiction where the exporter is established. Where the exporter is not established in a jurisdiction with a competent supervisory authority but is subject to applicable data protection or privacy laws, this will be the competent supervisory authority in the jurisdiction where the exporter’s designated representative is established, where such a representative is required under applicable law. Where no representative is required, the competent supervisory authority will be determined based on the jurisdiction whose data protection or privacy laws apply to the relevant processing activities or, where applicable, the jurisdiction in which the affected individuals are primarily located.

10. Sub-processors

WIMS-RIO

Sub-processor name | Purpose of processing | Location (country)
Microsoft Corporation | Hosting & infrastructure | Azure data center closest to Customer’s environment location: USA, Australia, Europe
Twilio, Inc. | Transactional communications through SendGrid | USA
Twilio, Inc. | Communication Platform | USA

 

Claros

Sub-processor name | Purpose of processing | Location (country)
Microsoft Corporation | Hosting & infrastructure | Azure data center closest to Customer’s environment location: USA, Europe

 

AQUARIUS

Sub-processor name | Purpose of processing | Location (country)
Amazon Web Services, Inc. | Hosting & infrastructure | AWS data center closest to Customer’s environment location: USA, Canada, Australia, Europe
Datadog, Inc. | Operational and Performance Monitoring | USA

 

Schedule 2 – UK / EU Transfer Provisions

This Schedule 2 forms part of the Addendum and sets out how the EU / UK SCC will be completed:

1. Where the EU SCCs are deemed entered into and incorporated into the DPA by reference the EU SCCs will be completed as follows:

  • Module Two will apply to the extent that Customer is a controller of the Personal Data;
  • in Clause 7, the optional docking clause will apply;
  • in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-Processor changes shall be as set out in Clause 3.3 of the DPA;
  • in Clause 11, the optional language will not apply;
  • in Clause 17, Option 2 will apply, and the EU SCCs will be governed by the law of the jurisdiction of establishment for the Data Exporter, where applicable and where such law allows for third-party rights, and otherwise the law of Belgium;
  • in Clause 18(b), disputes shall be resolved before the country courts of the data exporter and otherwise the courts of Belgium;
  • Annex I of the EU SCCs shall be deemed completed:
    Part A: with the information set out in Schedule 1 to the DPA;
    Part B: with the relevant Processing Annex(es) set out in Schedule 1 to the DPA; and
    Part C: in accordance with the criteria set out in Clause 13(a) of the EU SCCs;
  • Annex II: with the Minimum Security Measures; and

2. Where the UK Addendum is deemed entered into and incorporated into the DPA by reference, the UK Addendum will be completed as follows:

  • the EU SCCs, completed as set out above in clause 1 of this Schedule 2, shall also apply to transfers of such Personal Data, subject to sub-clause (ii) below;
  • Tables 1 to 3 of the UK Addendum shall be deemed completed with the relevant information from the EU SCCs, completed as set out above, and the option “neither party” shall be deemed checked in Table 4. The start date of the UK Addendum (as set out in Table 1) shall be the Effective Date.

 

Schedule 3 – Technical and Organizational Measures

Aquatic Informatics’ Information Security Program consists of organizational, technical, and operational controls used to protect information assets across the product environment. The program is governed by the Information Security Management System (ISMS) Committee, composed of senior security, infrastructure, and engineering leaders reporting to the CTO. This committee ensures that security strategy is aligned with business objectives, risk tolerance, and regulatory obligations, including ISO 27001:2022, GDPR, and alignment with NIST standards, with support from specialized technical and governance teams.

Risk management is implemented through formal, recurring risk assessments, a centralized risk register, documented risk treatment plans, threat modeling for new or changed systems, and continuous vulnerability scanning. These activities are designed to proactively identify, prioritize, and mitigate risks to systems and data.

The program emphasizes workforce security through mandatory annual security awareness training, phishing simulations, role-based training, background checks, confidentiality agreements, acceptable use training, rapid access revocation upon termination, and monitoring for insider threats. Clear roles, responsibilities, and incident reporting expectations are established for all personnel.

Supplier and third-party risks are managed through pre-onboarding and lifecycle risk assessments, mandatory contractual security requirements, continuous vendor monitoring, and use of an approved vendor list.

Identity, authentication, and access controls enforce accountability and least privilege. Controls include unique user IDs, mandatory MFA for critical and remote access, strong password requirements, approved authentication mechanisms, session timeouts, restricted shared accounts, formal access approvals, regular access reviews, and segregation of duties.

Security monitoring and auditability are supported through standardized centralized logging, protected audit logs, automated alerting, periodic log reviews, and compliance reporting. Configuration management requires asset inventories, hardened baselines, formal change control, rollback procedures, automated configuration monitoring, patch management, and security reviews of changes.

Additional controls address system and communications protection, secure software development and procurement, media protection, security assessments, maintenance, system integrity, physical security, contingency planning, and incident response. These measures collectively ensure confidentiality, integrity, availability, resilience, regulatory compliance, and timely detection, response, and recovery from security incidents.