Data Processing Agreement
This Data Processing Agreement governs the processing of Personal Data by Koopic on behalf of Customer in connection with the Koopic platform.
1. Definitions
In this Data Processing Agreement ("DPA"), the following terms shall have the meanings set forth below. Capitalized terms not defined herein shall have the meanings ascribed to them in the Terms of Service.
| Term | Definition |
|---|---|
| Applicable Data Protection Law | All laws and regulations relating to data protection, privacy, or the processing of Personal Data that apply to the processing in question, including without limitation the Virginia Consumer Data Protection Act ("VCDPA"), Va. Code Ann. § 59.1-575 et seq., and any comparable federal, state, or international privacy legislation applicable to either party. |
| Controller | The natural or legal person that determines the purposes and means of the processing of Personal Data. Under this DPA, the Customer is the Controller. |
| Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by the Processor or its Sub-Processors. |
| Data Subject | An identified or identifiable natural person to whom Personal Data relates. |
| Personal Data | Any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller pursuant to or in connection with this DPA. |
| Processing | Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. |
| Processor | The natural or legal person that processes Personal Data on behalf of the Controller. Under this DPA, Koopic LLC is the Processor. |
| Sub-Processor | Any third party engaged by the Processor to process Personal Data on behalf of the Controller in connection with the services provided under this DPA. |
| Technical and Organizational Measures | The technical and organizational security measures implemented by the Processor to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, or disclosure, as described in Section 7 of this DPA. |
| VCDPA | The Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq., as amended from time to time. |
2. Scope & Purpose
This DPA is incorporated into and supplements the Terms of Service (the "Agreement") between Koopic LLC ("Koopic," "Processor," "we," or "us") and the entity identified as the customer thereunder ("Customer," "Controller," or "you"). In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
This DPA applies when and to the extent that Koopic processes Personal Data on behalf of Customer in the course of providing the Koopic platform and related services. The parties acknowledge and agree that:
- Customer is the Controller of Personal Data and determines the purposes and means of processing.
- Koopic is the Processor and processes Personal Data only on behalf of and in accordance with Customer's documented instructions.
- This DPA does not apply to data that Koopic processes as a controller in its own right (e.g., Customer billing information, account registration data for Koopic's own business purposes), which is governed by the Privacy Policy.
The subject matter, duration, nature, and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are as described in Section 3 below.
3. Processing Details
The following describes the processing activities Koopic performs on behalf of Customer under this DPA:
| Attribute | Description |
|---|---|
| Subject Matter | Processing of Personal Data in connection with the Koopic asset management platform, including data ingestion, unification, enrichment, compliance evaluation, lifecycle management, and reporting. |
| Duration | The term of the Agreement, plus any post-termination period required for data return and deletion as specified in Section 12. |
| Nature and Purpose | Koopic processes Personal Data to provide the asset management services described in the Agreement, including data ingestion from multiple sources, data unification and merging into golden records, enrichment rule execution, compliance rule evaluation and scoring, asset lifecycle management, audit logging of platform activity, and reporting and analytics. |
Categories of Data Subjects:
- Customer's employees and authorized users — individuals who access the Koopic platform under Customer's account, whose account data (name, email address, authentication provider) is processed for identity and access management purposes.
- Individuals whose information appears in asset records — persons identified in Customer's asset data (e.g., device assigned-to users, asset custodians), whose Personal Data may be incidentally processed as part of asset record management.
Categories of Personal Data:
| Category | Data Elements |
|---|---|
| Account Data | Email addresses, names, authentication provider identifiers |
| Asset Data | Device names, hostnames, IP addresses, MAC addresses, and other asset attributes that may contain or reference Personal Data |
| Audit Logs | User actions, IP addresses, timestamps, and identifiers of the acting user |
| Integration Credentials | Encrypted connection credentials (typically do not contain Personal Data, but are processed in conjunction with the above categories) |
4. Customer Obligations
Customer, as Controller, represents and warrants that it shall at all times during the term of this DPA:
- Lawful basis. Ensure that it has a valid legal basis under Applicable Data Protection Law for the processing of Personal Data as contemplated by this DPA, including obtaining any necessary consents from Data Subjects where required.
- Data minimization. Ensure that Personal Data submitted to the Koopic platform is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
- Accuracy. Take reasonable steps to ensure the accuracy of Personal Data provided to Koopic and to promptly correct or delete inaccurate data.
- Data Subject notification. Inform Data Subjects about the processing of their Personal Data in accordance with Applicable Data Protection Law, including providing appropriate privacy notices.
- Data Subject requests. Be responsible for responding to Data Subject requests regarding their Personal Data, utilizing Koopic's assistance as described in Section 8 of this DPA.
- Lawful instructions. Ensure that all instructions provided to Koopic for the processing of Personal Data are lawful under Applicable Data Protection Law. Customer shall not instruct Koopic to process Personal Data in a manner that would cause Koopic to violate any Applicable Data Protection Law.
- Third-party compliance. Where Customer integrates third-party data sources with the Koopic platform, ensure that such integration and the resulting processing of Personal Data comply with all applicable laws and any agreements Customer has with such third parties or the relevant Data Subjects.
5. Koopic's Obligations
Koopic, as Processor, shall comply with the following obligations with respect to all Personal Data processed on behalf of Customer:
- Processing on instructions. Process Personal Data only on Customer's documented instructions, including with respect to transfers of Personal Data to a third country or international organization, unless required to do so by law to which Koopic is subject. In such a case, Koopic shall inform Customer of that legal requirement before processing, unless prohibited by law from doing so on important grounds of public interest.
- Confidentiality. Ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality. Koopic shall limit access to Personal Data to those personnel who require such access to perform the services under the Agreement.
- Security measures. Implement and maintain the Technical and Organizational Measures described in Section 7 of this DPA to protect the security, confidentiality, and integrity of Personal Data.
- Sub-Processor management. Comply with the conditions set forth in Section 6 with respect to the engagement of Sub-Processors.
- Data Subject request assistance. Taking into account the nature of the processing, assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligation to respond to Data Subject requests, as further described in Section 8.
- Compliance assistance. Assist Customer in ensuring compliance with its obligations under Applicable Data Protection Law with respect to security of processing, Data Breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to Koopic.
- Data return and deletion. At the choice of Customer, delete or return all Personal Data to Customer after the end of the provision of services and delete existing copies unless applicable law requires storage of the Personal Data, as further described in Section 12.
- Audit support. Make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, as further described in Section 11.
- Notification of unlawful instructions. Promptly inform Customer if, in Koopic's opinion, an instruction from Customer infringes Applicable Data Protection Law. Koopic shall not be required to independently determine the legality of Customer's instructions but shall notify Customer of any instruction that Koopic reasonably believes to be unlawful.
6. Sub-Processors
Customer acknowledges and agrees that Koopic may engage third-party Sub-Processors to process Personal Data on behalf of Customer. Koopic's current third-party Sub-Processors are listed below:
| Sub-Processor | Processing Activity | Location |
|---|---|---|
| DigitalOcean, LLC | Cloud infrastructure hosting (Managed Kubernetes, Managed PostgreSQL database, block storage, networking) | NYC1 region, United States |
| Stripe, Inc. | Payment processing for paid Subscription plans. Receives billing contact information and payment method details directly from Customer's browser. Koopic does not store or have access to payment card numbers. | United States |
In addition, Koopic operates the following self-hosted infrastructure components on its own DigitalOcean infrastructure. These are not third-party Sub-Processors, as no Personal Data is transmitted to any external party through these components:
| Component | Function | Location |
|---|---|---|
| Keycloak (self-hosted) | Identity and access management, authentication, and authorization services | NYC1 region, United States |
| Redis (self-hosted) | In-memory caching and task queue management | NYC1 region, United States |
Engagement of new Sub-Processors. Koopic shall provide Customer with at least thirty (30) days' prior written notice before engaging any new Sub-Processor or replacing an existing Sub-Processor. Such notice shall identify the Sub-Processor, the nature of the processing to be performed, and the location of processing.
Right to object. Customer may object to the engagement of a new or replacement Sub-Processor by notifying Koopic in writing within fifteen (15) days of receiving notice. If Customer objects on reasonable grounds relating to data protection, the parties shall discuss the objection in good faith with a view to achieving a commercially reasonable resolution. If no resolution can be reached within thirty (30) days, Customer may terminate the affected services without penalty by providing written notice to Koopic.
Sub-Processor agreements. Koopic shall impose on each Sub-Processor, by way of a written agreement, data protection obligations no less protective than those set forth in this DPA. Koopic shall remain fully liable to Customer for the performance of each Sub-Processor's obligations.
7. Technical & Organizational Security Measures
Koopic implements and maintains the following technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, or disclosure. These measures are designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing:
| Category | Measures |
|---|---|
| Encryption at Rest | All sensitive credentials encrypted using industry-standard symmetric encryption with message authentication. Database storage encrypted at the infrastructure level via DigitalOcean managed disk encryption. |
| Encryption in Transit | All data transmitted between clients and the Koopic platform is protected by TLS 1.2 or higher. Internal service-to-service communications within the cluster use encrypted channels. |
| End-to-End Encryption | Data transmitted from on-premises agents to the Koopic cloud gateway is protected by end-to-end encryption using X25519 key exchange with AES-256-GCM authenticated encryption. The cloud gateway cannot decrypt agent data in transit. |
| Multi-Tenant Isolation | PostgreSQL Row-Level Security (RLS) enforced on all tenant-scoped tables (23 tables), ensuring that each Customer's data is logically isolated at the database level. No Customer can access another Customer's data through application queries. |
| Access Controls | Four-tier role-based access control (RBAC) system (viewer, member, admin, owner) enforced at both the application and database levels. Authentication via Keycloak with support for enterprise SSO (OIDC/SAML). |
| Audit Logging | Comprehensive audit logging of all data mutations, user actions, and administrative operations. Logs include actor identity, action performed, affected resource, timestamp, and source IP address. |
| Personnel Security | All personnel with access to Personal Data are bound by confidentiality obligations. Access to production systems is restricted to authorized personnel on a need-to-know basis. |
| Network Security | Production infrastructure deployed within isolated virtual private cloud (VPC) networks. Firewall rules restrict inbound traffic to necessary ports and protocols. Kubernetes network policies enforce pod-level segmentation. |
| Incident Response | Documented incident response procedures including identification, containment, eradication, recovery, and post-incident review. Data Breach notification procedures as described in Section 9. |
| Regular Testing | Regular security reviews and testing of Technical and Organizational Measures to ensure their continued effectiveness. Automated test suites covering security controls and access policies. |
Koopic shall regularly review and update these measures to address evolving threats and to maintain an appropriate level of security. Customer acknowledges that security measures are subject to technical progress and development and that Koopic may update or modify the measures from time to time, provided that such updates do not materially decrease the overall level of protection.
8. Data Subject Rights
Koopic shall assist Customer in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law. Taking into account the nature of the processing, Koopic shall implement appropriate technical and organizational measures to enable Customer to respond to such requests.
Rights under the VCDPA. Under the Virginia Consumer Data Protection Act, consumers have the following rights with respect to their Personal Data:
- Right of access. The right to confirm whether a controller is processing the consumer's Personal Data and to access such data.
- Right to correction. The right to correct inaccuracies in the consumer's Personal Data, taking into account the nature of the data and the purposes of the processing.
- Right to deletion. The right to delete Personal Data provided by or obtained about the consumer.
- Right to data portability. The right to obtain a copy of the consumer's Personal Data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance.
- Right to opt out. The right to opt out of the processing of Personal Data for purposes of targeted advertising, the sale of Personal Data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
Response timeline. Where Customer receives a Data Subject request that requires Koopic's assistance, Customer shall promptly notify Koopic. Koopic shall respond to Customer's assistance request without undue delay and in any event within a timeframe that enables Customer to comply with the forty-five (45) day response period prescribed by the VCDPA or any other applicable statutory deadline.
Verification. Koopic shall cooperate with Customer's reasonable verification procedures to authenticate Data Subject requests. Koopic shall not independently respond to Data Subject requests unless authorized to do so by Customer or required by Applicable Data Protection Law, in which case Koopic shall promptly inform Customer of such requirement.
Costs. To the extent that Koopic's assistance with Data Subject requests requires significant effort beyond the standard functionality of the platform, Koopic may charge Customer a reasonable fee based on Koopic's administrative costs. Koopic shall inform Customer of any such fee before performing the requested assistance.
9. Data Breach Notification
Koopic shall notify Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Data Breach affecting Personal Data processed on behalf of Customer. Notification shall be directed to the contact designated by Customer in the Agreement or, if no such contact has been designated, to the email address associated with Customer's account.
Content of notification. The Data Breach notification shall include, to the extent reasonably available at the time of notification:
- A description of the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.
- The name and contact details of Koopic's designated point of contact from whom further information can be obtained.
- A description of the likely consequences of the Data Breach.
- A description of the measures taken or proposed to be taken by Koopic to address the Data Breach, including where appropriate measures to mitigate its possible adverse effects.
Where it is not possible to provide all information at the time of initial notification, Koopic shall provide such information in phases without further undue delay as it becomes available.
Cooperation. Koopic shall cooperate with Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Data Breach. Koopic shall preserve and make available to Customer all relevant records, logs, files, data reporting, and other materials required to comply with Applicable Data Protection Law or as reasonably requested by Customer.
No assessment by Koopic. Koopic's obligation to notify Customer of a Data Breach is not and shall not be construed as an acknowledgment by Koopic of any fault or liability with respect to the Data Breach. Customer retains sole responsibility for determining whether the Data Breach triggers any notification obligations to Data Subjects or supervisory authorities under Applicable Data Protection Law.
10. Data Transfers
All Personal Data processed by Koopic under this DPA is hosted within the United States, specifically in DigitalOcean's NYC1 data center region. Koopic does not transfer Personal Data outside the United States in the ordinary course of providing the services.
International transfers. In the event that the processing of Personal Data under this DPA involves the transfer of Personal Data from a jurisdiction outside the United States to the United States (for example, where Customer is established in the European Economic Area, the United Kingdom, or Switzerland), the parties shall ensure that such transfer is subject to appropriate safeguards as required by Applicable Data Protection Law, which may include:
- Standard Contractual Clauses (SCCs). The parties shall execute the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries (Module Two: Controller to Processor), as applicable. Where SCCs are required, they shall be deemed incorporated into this DPA by reference and shall prevail over this DPA to the extent of any conflict.
- UK International Data Transfer Addendum. Where Personal Data is transferred from the United Kingdom, the UK International Data Transfer Addendum to the EU SCCs shall apply.
- Swiss Federal Act on Data Protection. Where Personal Data is transferred from Switzerland, the SCCs shall apply with the modifications required under Swiss law.
- Supplementary measures. Where required by Applicable Data Protection Law or relevant regulatory guidance, Koopic shall implement supplementary technical, organizational, or contractual measures to ensure an essentially equivalent level of data protection.
Koopic shall not transfer Personal Data to any country or international organization without Customer's prior written consent, unless required by law, in which case Koopic shall inform Customer of such requirement in advance (unless prohibited by law).
11. Audit Rights
Koopic shall make available to Customer, upon reasonable written request, all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Law. Compliance verification is conducted through documentation and information access as described below.
- Compliance documentation. Koopic shall, upon Customer's written request (no more than once per twelve (12) month period), provide documentation describing the Technical and Organizational Measures in effect, the current list of Sub-Processors, and any material changes to Koopic's data processing practices since the prior request.
- Security incident information. In the event of a confirmed Data Breach affecting Customer's Personal Data, Koopic shall provide Customer with all reasonably available information necessary to assess the breach and comply with Customer's notification obligations under Applicable Data Protection Law, as further described in Section 9.
- Data protection assessment support. Koopic shall cooperate with Customer in providing information necessary for Customer to conduct data protection assessments required under the VCDPA or other Applicable Data Protection Law.
- Confidentiality. All compliance documentation provided by Koopic under this Section 11 shall be treated as Koopic's confidential information and shall not be disclosed to third parties without Koopic's prior written consent, except as required by Applicable Data Protection Law or a supervisory authority.
Future audit capabilities. Koopic may, at its discretion, make additional compliance verification mechanisms available in the future, including independent third-party security assessments, certifications, or on-site audit rights. Any such expanded verification mechanisms will be reflected in an updated version of this DPA.
12. Data Return & Deletion
Upon termination or expiration of the Agreement, Koopic shall, at Customer's election, either return or delete all Personal Data processed on behalf of Customer, in accordance with the following procedure:
- Export period. Customer shall have a period of thirty (30) days following the effective date of termination (the "Export Period") during which Customer may export its data from the Koopic platform using the platform's standard export functionality or by requesting a data export from Koopic.
- Deletion. Following the expiration of the Export Period, Koopic shall securely delete all Personal Data processed on behalf of Customer from its production systems and active databases. Koopic shall use commercially reasonable efforts to complete such deletion within thirty (30) days after the end of the Export Period.
- Backup copies. Personal Data residing in backup or disaster recovery systems that cannot be selectively deleted shall be isolated and protected from further processing and shall be securely deleted in accordance with Koopic's standard backup rotation schedule, not to exceed ninety (90) days from the end of the Export Period.
- Certification. Upon Customer's written request, Koopic shall provide a written certification confirming the deletion of all Personal Data, including the date of deletion and a description of the deletion method employed.
- Legal retention. Notwithstanding the foregoing, Koopic may retain Personal Data to the extent and for the duration required by Applicable Data Protection Law or other applicable law to which Koopic is subject. In such cases, Koopic shall inform Customer of the retention requirement and shall limit the processing of such retained data to the purpose(s) required by law. The confidentiality and security obligations of this DPA shall continue to apply to such retained data.
13. VCDPA Compliance
To the extent that the Virginia Consumer Data Protection Act applies to the processing of Personal Data under this DPA, the following additional provisions shall apply:
- Processor obligations. Koopic, acting as a processor within the meaning of Va. Code Ann. § 59.1-579, shall: (a) adhere to Customer's instructions with respect to the processing of Personal Data; (b) assist Customer in meeting its obligations under the VCDPA, including obligations related to the security of processing and Data Breach notification; (c) provide information necessary for Customer to conduct and document data protection assessments required under Va. Code Ann. § 59.1-580; and (d) upon the reasonable request of Customer, make available to Customer all information in Koopic's possession necessary to demonstrate Koopic's compliance with the VCDPA.
- Data protection assessments. Koopic shall cooperate with and assist Customer in conducting data protection assessments required under the VCDPA where Customer's use of the Koopic platform involves processing activities that present a heightened risk of harm to consumers, including processing for purposes of targeted advertising, sale of Personal Data, or profiling. Koopic represents that it does not process Personal Data for any of these purposes on its own behalf.
- Consumer rights. Koopic shall assist Customer in responding to consumer rights requests received under the VCDPA, including requests for access, correction, deletion, data portability, and the right to opt out, as more fully described in Section 8 of this DPA.
- Binding contractual obligations. This DPA constitutes the written contract required under Va. Code Ann. § 59.1-579(D), setting forth the instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.
- Confidentiality of consumer data. Koopic shall ensure the confidentiality of Personal Data during and after the processing, and shall not process Personal Data other than as provided in Customer's instructions or as permitted by the VCDPA.
- Sub-Processor compliance. Koopic shall ensure that each Sub-Processor engaged to process Personal Data on behalf of Customer is bound by a written contract that meets the requirements of Va. Code Ann. § 59.1-579(D).
14. Liability & Indemnification
Limitations of liability. Each party's liability under or in connection with this DPA shall be subject to the exclusions and limitations of liability set forth in the Terms of Service. Nothing in the Agreement or this DPA shall exclude or limit either party's liability for: (a) fraud or fraudulent misrepresentation; (b) death or personal injury caused by its negligence; or (c) any other liability that cannot be excluded or limited under Applicable Data Protection Law.
Liability for breaches. Each party shall be liable for damage caused by processing that infringes this DPA or Applicable Data Protection Law. The Processor shall be liable for damage caused by processing only where it has not complied with obligations of this DPA specifically directed to the Processor, or where it has acted outside of or contrary to the lawful instructions of the Controller.
Indemnification. Each party (the "Indemnifying Party") shall indemnify, defend, and hold harmless the other party and its officers, directors, employees, and agents (collectively, the "Indemnified Parties") from and against any third-party claims, demands, actions, judgments, settlements, fines, penalties, losses, damages, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to the Indemnifying Party's breach of this DPA or its obligations under Applicable Data Protection Law.
Mitigation. Each party shall take reasonable steps to mitigate any damages for which it is entitled to indemnification under this Section 14.
15. Term & Termination
Term. This DPA shall become effective on the date Customer accepts the Terms of Service (or, if earlier, the date on which Koopic first processes Personal Data on behalf of Customer) and shall remain in effect for the duration of the Agreement. This DPA is co-terminous with the Agreement and does not require separate execution or renewal.
Survival. The obligations of the parties with respect to the confidentiality, security, return, and deletion of Personal Data shall survive the termination or expiration of this DPA for as long as Koopic retains any Personal Data processed on behalf of Customer, whether for the purpose of data return, deletion, or compliance with legal retention requirements.
Post-termination processing. Following termination or expiration of the Agreement, Koopic shall not process Personal Data except as necessary to: (a) fulfill its obligations under Section 12 (Data Return & Deletion); (b) comply with applicable law; or (c) exercise or defend legal claims. All such post-termination processing shall remain subject to the terms of this DPA.
16. Governing Law & Dispute Resolution
This DPA shall be governed by and construed in accordance with the laws of the Commonwealth of Virginia, without regard to its conflict of laws principles, except to the extent that Applicable Data Protection Law mandates the application of the law of a different jurisdiction with respect to specific data protection obligations.
Any dispute, claim, or controversy arising out of or relating to this DPA, including its validity, interpretation, performance, breach, or termination, shall be resolved in accordance with the dispute resolution provisions set forth in the Terms of Service, including mandatory binding arbitration administered by the American Arbitration Association.
To the extent that Applicable Data Protection Law grants Data Subjects or supervisory authorities the right to bring claims or proceedings in a specific forum, nothing in this Section 16 shall restrict or limit such rights.
17. Contact
For inquiries relating to this Data Processing Agreement or to Koopic's data processing activities, please contact:
- DPA inquiries: [email protected]
- Privacy inquiries: [email protected]
- Entity: Koopic LLC, a Virginia limited liability company
- Location: Virginia, USA
For information about our general privacy practices, please see our Privacy Policy.