Data Processing Addendum.
How UnionEleven processes Personal Data on Customer's behalf.
This Data Processing Addendum ("DPA") forms part of the agreement between Customer and UnionEleven, Inc. and applies when UnionEleven processes Personal Data on Customer's behalf.
Definitions
- "Personal Data" — any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws.
- "Data Protection Laws" — GDPR (EU 2016/679), UK GDPR, CCPA / CPRA, and equivalent national or state laws as applicable.
- "Sub-processor" — any processor engaged by UnionEleven to assist in processing Personal Data on behalf of Customer.
Roles of the parties
Customer is the Controller of Personal Data; UnionEleven is the Processor. Both parties will comply with their respective obligations under applicable Data Protection Laws.
Processing instructions
UnionEleven will process Personal Data only on documented instructions from Customer, including for the purposes set out in the Order Form. UnionEleven will inform Customer if instructions appear to violate Data Protection Laws.
Sub-processors
Customer authorizes UnionEleven to engage the sub-processors listed at /security. UnionEleven will provide 30 days' notice of new sub-processors. Customer may object on reasonable grounds; if unresolved, Customer may terminate the affected service.
Security measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access control and MFA for all production systems.
- Least-privilege defaults; access reviewed quarterly.
- Audit logging on data-access events with 90-day retention minimum.
- Annual penetration testing by an independent third party.
Data subject rights
UnionEleven will assist Customer in responding to data subject requests (access, correction, deletion, portability) within 5 business days of receipt.
Breach notification
UnionEleven will notify Customer without undue delay, and in any event within 48 hours of becoming aware of a Personal Data breach affecting Customer's data.
International transfers
Where Personal Data is transferred outside the EEA / UK, the parties rely on the EU Standard Contractual Clauses (Modules 2 and 3) and the UK International Data Transfer Addendum, incorporated by reference.
Audits
UnionEleven will make available to Customer information necessary to demonstrate compliance with this DPA. Customer may, no more than once per 12 months and on 30 days' notice, conduct an audit (or commission an independent third-party auditor) at Customer's expense.
Termination and data return
On termination of the underlying agreement, UnionEleven will, at Customer's choice, return or delete all Personal Data within 30 days, unless retention is required by law.
Signed copy
A countersignature-ready PDF version of this DPA is available at /legal/unioneleven-dpa.pdf or by request to legal@unioneleven.ai.