Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the service agreement between the merchant ("Controller") and Clarion Edge Corp ("Processor").
1.1 "Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the services.
1.2 "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
1.3 "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
1.4 "Sub-processor" means any third party appointed by Processor to process Personal Data on behalf of Controller.
2.1 Purpose: Personal Data is processed solely for the purpose of providing payment decline recovery services.
2.2 Categories of Data:
2.3 Categories of Data Subjects: End customers of the Controller making payment attempts.
2.4 Retention Period: Personal Data is retained for the duration necessary to provide services, plus applicable legal retention periods.
3.1 Controller Obligations:
3.2 Processor Obligations:
4.1 Encryption: All Personal Data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption.
4.2 Access Controls: Access to Personal Data is restricted to authorized personnel on a need-to-know basis.
4.3 Monitoring: Comprehensive logging and monitoring of all data access and processing activities.
4.4 Incident Response: Documented procedures for detecting, investigating, and responding to security incidents.
5.1 Authorized Sub-processors: Processor may engage Sub-processors to assist in providing services, subject to Controller approval.
5.2 Sub-processor Requirements: All Sub-processors must provide sufficient guarantees regarding data protection measures.
5.3 Liability: Processor remains fully liable for any Sub-processor's compliance with this DPA.
6.1 Assistance: Processor will assist Controller in responding to Data Subject requests for access, rectification, erasure, portability, and objection.
6.2 Response Time: Processor will respond to Controller's requests for assistance within 30 days.
6.3 Direct Requests: Any direct requests from Data Subjects will be forwarded to Controller without delay.
7.1 Notification: Processor will notify Controller of any Personal Data breach affecting Controller's data within 72 hours of discovery.
7.2 Information Required: Notifications will include a description of the breach, the categories and approximate number of affected Data Subjects, the likely consequences, and the measures taken or proposed.
7.3 Assistance: Processor will provide reasonable assistance to Controller in fulfilling regulatory notification obligations.
8.1 Transfer Restrictions: Personal Data will not be transferred outside Florida without Controller's prior written consent.
8.2 Adequacy Decisions: Transfers may be made to jurisdictions with adequate data protection as determined by competent authorities.
8.3 Safeguards: Where transfers are necessary, appropriate safeguards such as standard contractual clauses will be implemented.
9.1 Audit Rights: Controller may audit Processor's compliance with this DPA annually or following a Personal Data breach.
9.2 Compliance Certificates: Processor will provide relevant compliance certificates (SOC 2, ISO 27001) upon request.
9.3 Remediation: Any non-compliance issues identified will be remediated within 30 days.
10.1 Return: Upon Controller's request, Processor will return all Personal Data in a commonly used format.
10.2 Deletion: Following service termination, Processor will securely delete all Personal Data unless required to retain by law.
10.3 Certification: Processor will provide written certification of data deletion upon completion.
For questions about this Data Processing Agreement, please contact us at info@revitalsales.com