
    Data Processing Agreement (DPA)

    Effective Date October 8, 2025

    Parties:

    • Customer (“Controller”)
    • Continuant, Inc. (“Processor”)

    This DPA supplements the Maintenance Services Agreement between the Parties.

    1. Subject Matter and Duration
    • Processing limited to maintenance and support of Controller’s phone systems (troubleshooting, service requests, technician dispatch, service records).
    • Duration = term of the Maintenance Services Agreement.
    • Processor will not retain data longer than necessary unless required by law.
    2. Categories of Data and Data Subjects
    • Data Subjects: Controller’s employees and authorized users.
    • Personal Data: Names, business phone numbers, emails, extensions, user IDs, service request metadata.
    • Special categories: None intended.

    3. Controller Obligations

    Controller shall:

    • Ensure lawful basis, provide notices, and give accurate instructions.
    • Handle DSARs directly.
    • Provide a designated privacy/DPO contact (or default to business contact if not provided).
    • Retain overall responsibility for compliance.

    4. Processor Obligations

    4.1 Instructions

    Process only on Controller’s documented instructions.

    4.2 Confidentiality

    Ensure persons processing PII are bound by confidentiality.

    4.3 Security

    • Continuant shall maintain its ISO 27001 certification throughout the term and provide evidence of certification upon request.
    • PII Transmission Controls: Use encryption in transit (TLS, HTTPS, VPN), secure file transfer, and access controls to ensure data reaches its intended destination without unauthorized access or alteration.

    4.4 Sub-Processors

    • Listed in Annex E (Sub-Processor Register).
    • Bound by equivalent obligations.
    • Updates published in the Register = notice.
    • Controller may reasonably object within 30 days.

    4.5 Assistance

    • Assist with DSARs, DPIAs, and breaches as far as possible.
    • Never respond directly to data subjects without Controller’s written consent.

    4.6 Breach Notification

    Notify Controller without undue delay.

    4.7 Deletion/Return (GDPR Art. 28(3)(g))

    • On termination: return or delete as instructed.
    • Default = deletion after 60 days unless Controller requests return within 30 days.
    • Exceptions: retention required by law (e.g., billing records).

    4.8 Infringing Instructions

    Inform Controller if instructions appear unlawful.

    4.9 International Transfers (GDPR Art. 44–49)

    • Default position (for US-only processing):

    “Processor stores and processes all personal data in the United States. Where Controller and its data subjects are also located in the United States, no cross-border transfers occur and ISO/IEC 27701 B.8.5.1 is not applicable.”

    • If Controller/data subjects are in EU/UK or other jurisdictions:

    “Processor shall not transfer personal data outside the EEA/UK without appropriate safeguards (e.g., SCCs, UK Addendum, adequacy decision). Processor shall maintain a Sub-Processor Register identifying the location of processing and the legal basis for such transfers. Publication of an updated Register constitutes notice to Controller. Controller may object within thirty (30) days on reasonable data protection grounds or terminate the Agreement.”

    4.10 Temporary Files (Annex B.8.4.1)

    Processor shall ensure that any temporary files, diagnostic extracts, or working documents containing Personal Data are used solely for the purpose of providing the Services, are not retained longer than necessary, and are securely deleted immediately after use.

    4.11 Marketing and Advertising Use (Annex B.8.2.3)

    Processor shall not use Personal Data for marketing or advertising purposes, except where explicitly instructed by the Controller and based on a lawful basis identified by the Controller.

    4.12 Legally Binding Disclosure Requests (Annex B.8.5.4–5)

    Processor shall notify the Controller without undue delay of any legally binding request for disclosure of Personal Data by a law enforcement authority or regulator, unless prohibited by law. Processor shall reject any non-legally binding requests for disclosure and shall only act on such requests where the Controller has authorized disclosure in writing.

    5. Annex – Processing Details

    A. Categories of Data Subjects

    • Employees, authorized users.
    B. Categories of Personal Data
    • Business contact info, service records, user IDs.
    C. Nature & Purpose
    • Logging/tracking service requests
    • Troubleshooting/support
    • Dispatch coordination
    • Service history maintenance
    D. Duration & Retention
    • Duration = contract term.
    • Retention = only as necessary (billing records 7 years).
    • Deletion = within 60 days post-termination unless return requested.
    E. Sub-Processor Register

    | Sub-Processor | Service | Location | Transfer Mechanism | Notes |
    |---|---|---|---|---|
    | Microsoft 365 | Productivity & email | US | SCCs / DPF | Enterprise SaaS |
    | AWS | Hosting/infrastructure | US | SCCs / DPF | Cloud services |
    | ServiceNow | Ticketing | US | SCCs / DPF | Service platform |
    | [Add others] | | | | |

    F. International Transfers
    • Default = US storage only.
    • For EU/UK controllers → rely on SCCs + UK Addendum, or adequacy decision (if applicable).
    • Updates shown in Annex E.
    G. Infringing Instructions

    Processor informs Controller of unlawful instructions.

    H. Controller Obligations

    Controller ensures lawful basis, notices, DSAR handling.