Data Processing Agreement

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by CyberCore in connection with the Service.
• "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, or erasure.
• "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
• "Sub-processor" means any third party engaged by CyberCore to process Personal Data on behalf of the Customer.
• "Protected Health Information" (PHI) has the meaning given under HIPAA and refers to individually identifiable health information transmitted or maintained in any form or medium.
• "Security Incident" means any confirmed unauthorized access to, or acquisition, use, or disclosure of, Personal Data or PHI.
• "Applicable Data Protection Law" means all laws and regulations relating to data protection and privacy applicable to the processing of Personal Data under this DPA, including HIPAA, HITECH, GDPR, and applicable state privacy laws.

2. Scope & Roles

Under this DPA, the Customer acts as the Controller (or "Covered Entity" under HIPAA) determining the purposes and means of processing Personal Data, and CyberCore acts as the Processor (or "Business Associate" under HIPAA) processing Personal Data on behalf of the Customer.

CyberCore shall process Personal Data only in accordance with the Customer's documented instructions and shall not process Personal Data for any purpose other than providing the Service, unless required by applicable law.

3. Data Processing Details

4. Obligations of the Processor

CyberCore shall:

• Process Personal Data only on documented instructions from the Customer, unless required by applicable law.
• Ensure that all personnel authorized to process Personal Data are bound by obligations of confidentiality.
• Implement and maintain appropriate technical and organizational security measures as described in Section 8.
• Not engage any Sub-processor without prior written authorization from the Customer (see Section 5).
• Assist the Customer in fulfilling its obligations to respond to Data Subject requests (see Section 6).
• Make available to the Customer all information necessary to demonstrate compliance with this DPA.
• Immediately inform the Customer if, in CyberCore's opinion, an instruction infringes applicable data protection law.
• At the Customer's choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless storage is required by law.

5. Sub-processors

CyberCore may engage Sub-processors to assist in providing the Service. CyberCore shall:

• Maintain a current list of Sub-processors and make it available to the Customer upon request.
• Notify the Customer at least 30 days in advance before adding or replacing a Sub-processor.
• Enter into written agreements with each Sub-processor imposing data protection obligations no less protective than those in this DPA.
• Remain fully liable for the acts and omissions of its Sub-processors.

If the Customer objects to a new Sub-processor on reasonable data protection grounds, the parties shall work together in good faith to find a mutually acceptable solution. If no resolution is reached within 30 days, the Customer may terminate the affected portion of the Service without penalty.

6. Data Subject Rights

CyberCore shall, to the extent technically feasible and legally permitted, assist the Customer in responding to requests from Data Subjects exercising their rights under applicable data protection laws, including rights of:

• Access to their Personal Data
• Rectification of inaccurate data
• Erasure ("right to be forgotten")
• Restriction of processing
• Data portability
• Objection to processing

If CyberCore receives a Data Subject request directly, it will promptly redirect the request to the Customer and will not respond to the request without the Customer's prior authorization, unless required by law.

7. Data Transfers

CyberCore processes data primarily within the United States. To the extent that Personal Data is transferred to a jurisdiction that does not provide an adequate level of data protection, CyberCore shall ensure that appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) as approved by the European Commission.
• Binding Corporate Rules, where applicable.
• Other legally recognized transfer mechanisms under applicable data protection law.

8. Security Measures

CyberCore shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

For a comprehensive overview of our security practices, please see our Security & Compliance page.

9. Breach Notification

In the event of a Security Incident, CyberCore shall:

• Notify the Customer without undue delay and no later than 48 hours after becoming aware of a confirmed Security Incident.
• Provide the Customer with sufficient information to fulfill any obligation to report or inform Data Subjects of the incident, including:
  • Nature of the incident and categories of data affected
  • Likely consequences of the incident
  • Measures taken or proposed to address the incident
  • Contact point for further information
• Take immediate steps to contain, investigate, and remediate the Security Incident.
• Cooperate with the Customer and provide reasonable assistance in the Customer's investigation and response.
• Maintain a detailed record of all Security Incidents.

HIPAA Breach Notification

To the extent a Security Incident constitutes a "Breach" as defined under HIPAA, CyberCore shall comply with the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414), including notifying the Customer within 48 hours of discovery, which exceeds the HIPAA requirement of 60 days, reflecting our commitment to prompt disclosure.

10. HIPAA Business Associate Provisions

11. Audit Rights

CyberCore shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer.

• Audits shall be conducted with reasonable advance notice (at least 30 days) and during normal business hours.
• The Customer shall bear the costs of any audit, unless the audit reveals a material breach of this DPA by CyberCore.
• CyberCore may satisfy audit requests by providing relevant certifications, audit reports (e.g., SOC 2 Type II), or other documentation demonstrating compliance.
• Audit frequency shall be limited to once per 12-month period, unless a Security Incident or regulatory requirement necessitates an additional audit.

12. Term & Termination

This DPA shall remain in effect for the duration of the subscription agreement and shall automatically terminate upon the termination or expiration of the subscription agreement.

Upon termination of this DPA, CyberCore shall:

• Cease all processing of Personal Data on behalf of the Customer.
• At the Customer's election, return or securely delete all Personal Data within 30 days.
• Provide written certification of deletion upon the Customer's request.
• Retain Personal Data only to the extent required by applicable law, and solely for that purpose.

Obligations under this DPA that by their nature should survive termination (including confidentiality, security, and breach notification) shall continue to apply.

13. Liability

Each party's liability under this DPA shall be subject to the limitations of liability set forth in the underlying subscription agreement, except that such limitations shall not apply to breaches of HIPAA obligations or willful misconduct. Each party shall be liable for damages caused by processing that infringes applicable data protection law, in accordance with the liability provisions of those laws.

14. Contact