Data Processing Agreement

Effective Date: March 3, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Engular LLC ("Processor," "we," "us") and the customer ("Controller," "you") using the SupplierScore platform (the "Service"). This DPA governs the processing of personal data by the Processor on behalf of the Controller in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
  • "Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Scope and Roles

The Controller determines the purposes and means of processing Personal Data within the Service. The Processor processes Personal Data solely on behalf of and under the documented instructions of the Controller to provide the Service.

3. Processing Details

  • Purpose: Providing cloud-based supplier quality management services
  • Nature of Processing: Collection, storage, retrieval, organization, and deletion of supplier quality data
  • Types of Personal Data: Names, email addresses, job titles, phone numbers, and business contact information of supplier contacts and organization users
  • Categories of Data Subjects: Supplier contacts, supplier employees, Controller's employees and authorized users
  • Duration: For the term of the agreement plus 30 days post-termination retention period

4. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, including with respect to transfers outside the EEA
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures as described in Annex II
  • Assist the Controller in responding to Data Subject requests
  • Assist the Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultations
  • At the Controller's choice, delete or return all Personal Data after the end of the provision of services
  • Make available all information necessary to demonstrate compliance with this DPA

5. Security Measures

The Processor implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit (TLS/HTTPS)
  • Application-level multi-tenant isolation ensuring data segregation between organizations
  • Password hashing using bcrypt with appropriate cost factors
  • Role-based access controls within the Service
  • Regular security monitoring and logging
  • Access restricted to authorized personnel only

6. Security Incident Notification

In the event of a Security Incident involving Personal Data, the Processor shall:

  • Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the incident
  • Provide sufficient information to enable the Controller to meet its obligations under applicable data protection laws
  • Cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the incident

7. Sub-processors

The Controller provides general written authorization for the Processor to engage the following Sub-processors:

  • Stripe, Inc. – Purpose: Payment processing – Location: United States
  • Postmark (ActiveCampaign) – Purpose: Transactional email delivery – Location: United States
  • Hosting provider – Purpose: Cloud infrastructure and data storage – Location: United States

The Processor shall notify the Controller at least 30 days in advance of any intended changes to the list of Sub-processors, giving the Controller the opportunity to object. If the Controller objects, the parties shall work in good faith to resolve the concern. If no resolution is reached, the Controller may terminate the agreement.

The Processor shall impose data protection obligations no less protective than those in this DPA on each Sub-processor by way of a written contract.

8. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligation to respond to Data Subject requests to exercise their rights under the GDPR, including rights of access, rectification, erasure, restriction, portability, and objection. The Service provides built-in data export features (CSV, PDF) to facilitate these requests.

9. Data Deletion and Return

Upon termination of the agreement, the Processor shall:

  • Continue to make Customer Data available for export for 30 days post-termination
  • After the 30-day period, permanently delete all Personal Data from active systems
  • Delete Personal Data from backup systems within 90 days, except where retention is required by law
  • Provide written confirmation of deletion upon request

10. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Audits shall be conducted with reasonable advance notice (at least 30 days) and during normal business hours, and shall not unreasonably interfere with the Processor's operations.

11. International Data Transfers

Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States, the parties shall rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission (Module Two: Controller to Processor) as the appropriate transfer mechanism.

The Processor shall implement supplementary measures as necessary to ensure an adequate level of protection for the transferred Personal Data.

12. Limitation of Liability

The liability of the Processor under this DPA is subject to the limitations of liability set forth in the Terms of Service. This DPA does not create any independent liability beyond what is established in the Terms of Service.

Annex II: Technical and Organizational Security Measures

The following measures are implemented by the Processor to protect Personal Data:

Access Control

  • Authentication required for all Service access (email/password via Devise)
  • Role-based access control (admin/member roles)
  • Organization-level tenant isolation (acts_as_tenant)
  • Session management with secure, HTTP-only cookies

Encryption

  • TLS encryption for all data in transit
  • Passwords hashed with bcrypt
  • Encrypted credentials for service integrations (Rails credentials)

Data Isolation

  • Logical data separation per organization enforced at application layer
  • Database-level constraints to prevent cross-tenant data access

Availability and Resilience

  • Regular automated database backups
  • Health check monitoring endpoint
  • Error tracking and alerting

Incident Response

  • Security incident notification within 72 hours
  • Immutable activity logging for audit trail (ActivityLog)
  • Server-side request logging and monitoring