1. Scope and Purpose
This Data Processing Agreement ("DPA") applies to the processing of personal data by Rasan Group, operating as Pactline ("Processor"), on behalf of customers ("Controller") who use the Pactline service.
Processing Scope:
- Consent request workflows and decision records
- User account data and authentication information
- API usage logs and analytics
- Audit trails and compliance records
- Communications and support interactions
2. Definitions
- Controller: The Pactline customer who determines the purposes and means of data processing
- Processor: Rasan Group / Pactline, which processes data on Controller's behalf
- Personal Data: Any information relating to an identified or identifiable natural person
- Data Subject: The individual to whom personal data relates (e.g., a user providing consent)
- Processing: Any operation performed on personal data (collection, storage, use, deletion)
3. Data Categories and Subjects
3.1 Data Categories Processed
| Data Category | Examples | Purpose |
|---|---|---|
| Identification Data | Email, name, user ID, organization | Account management, consent attribution |
| Consent Records | Consent decisions, approvals, audit logs | Compliance and audit trail |
| Technical Data | IP address, user agent, timestamps, device info | Security, usage analytics, troubleshooting |
| Behavioral Data | API usage patterns, login history, feature usage | Service analytics and improvement |
| Billing Data | Payment method, billing address, usage metrics | Payment processing and invoicing |
3.2 Data Subjects
- Account holders and authorized users of Pactline
- Individuals who submit or respond to consent requests via Pactline
- End users of Customer's AI agents or systems
4. Controller and Processor Obligations
4.1 Controller Obligations
The Controller (Customer) shall:
- Determine the lawful basis for processing personal data
- Obtain necessary consent from data subjects before processing
- Ensure compliance with applicable data protection laws (GDPR, CCPA, etc.)
- Maintain records of processing activities (Processing Register)
- Conduct Data Protection Impact Assessments (DPIA) where required
- Notify data subjects about data processing practices
- Respond to data subject rights requests (access, deletion, etc.)
- Notify Processor of any breaches or compliance concerns
4.2 Processor Obligations
The Processor (Pactline) shall:
- Process personal data only on documented instructions from Controller
- Ensure persons authorized to process data are subject to confidentiality
- Implement appropriate technical and organizational security measures
- Assist Controller in responding to data subject rights requests
- Assist Controller in achieving compliance with applicable laws
- Delete or return customer data upon termination of services
- Maintain a list of sub-processors and notify Controller of changes
- Allow audits and inspections by Controller or auditors
5. Sub-Processor Management
5.1 Authorized Sub-Processors
Pactline may engage the following sub-processors to process customer data:
- Cloud Infrastructure Provider: Data storage and compute resources
- Payment Processing: Stripe for payment and billing
- Email Service Provider: Transactional email delivery
- Analytics Provider: Usage metrics and performance analysis
- Customer Support Platform: Ticketing and communication tools
- Security and Monitoring: Security scanning and log analysis
5.2 Sub-Processor Changes
Pactline shall notify Controller of any changes to sub-processors with at least 30 days' advance notice. Controller may object to the addition or replacement of a sub-processor on reasonable grounds. If Controller objects, Processor will work to resolve the concern or facilitate contract termination.
6. Data Security Measures
6.1 Technical Security Measures
- Encryption: TLS 1.2+ for data in transit; AES-256 encryption at rest
- Access Control: Role-based access control (RBAC) and multi-factor authentication
- Network Security: Firewalls, intrusion detection, DDoS protection
- Backup and Recovery: Regular encrypted backups with tested recovery procedures
- Vulnerability Management: Regular security scanning, patching, penetration testing
6.2 Organizational Security Measures
- Personnel: Background checks, confidentiality agreements, security training
- Access Management: Principle of least privilege, access logs and monitoring
- Incident Response: Formal procedures for breach detection and notification
- Audit Trails: Comprehensive logging of all data access and modifications
- Compliance: Regular security audits and compliance assessments
7. Data Breach Notification
7.1 Breach Definition
A breach of security is an incident resulting in the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
7.2 Notification Timeline
Upon discovery of a breach, Pactline shall notify Controller without undue delay and in no case later than 72 hours, providing:
- Description of the breach and data affected
- Categories and estimated number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact point for further information
7.3 Further Cooperation
Pactline shall cooperate with Controller to:
- Investigate the breach and determine scope
- Notify affected data subjects (if required by law)
- Notify relevant authorities (data protection authorities)
- Minimize harm and prevent future breaches
8. Data Subject Rights
8.1 Processor Assistance with Subject Requests
Upon receipt of a data subject request (e.g., access, deletion, rectification, portability), Controller shall forward the request to Pactline. Pactline shall assist Controller by:
- Locating and retrieving relevant personal data
- Preparing data in the requested format
- Implementing erasure or modification of data
- Restricting processing as requested
- Providing audit logs and processing records
8.2 Response Timeline
Pactline will use commercially reasonable efforts to respond to assistance requests within 10 business days. Controller is responsible for responding to the data subject within the legal timeframe (typically 30 days).
9. Audit Rights
9.1 Audit and Inspection
Controller and its authorized auditors may:
- Request audit reports and compliance certifications (SOC 2, ISO 27001)
- Interview Pactline personnel responsible for data security
- Request documentation of security measures and incident logs
- Conduct on-site audits with 15 days' written notice
9.2 Audit Frequency
Routine audits may occur no more than once per calendar year unless Controller has reasonable grounds to believe non-compliance or a breach has occurred.
10. International Data Transfers
10.1 Adequacy Determination
If data is transferred outside the European Economic Area (EEA) to countries deemed inadequate by the European Commission, Pactline shall implement appropriate safeguards.
10.2 Transfer Mechanisms
Pactline shall use:
- Standard Contractual Clauses (SCCs): EU Commission-approved contractual terms
- Adequacy Decisions: Countries deemed adequate under GDPR Article 45
- Binding Corporate Rules (BCRs): Where available within Rasan Group
10.3 Supplementary Measures
Pactline shall implement supplementary technical and organizational measures to ensure an adequate level of protection in third countries, including encryption and restricted access.
11. Term and Termination
11.1 Effective Period
This DPA becomes effective upon execution and continues for the duration of the customer agreement.
11.2 Termination of Services
Upon termination of the customer agreement, or upon customer request, Pactline shall, at Controller's discretion:
- Delete: Permanently and securely delete all customer data within 90 days
- Return: Export all customer data in a portable, machine-readable format
11.3 Backup Retention
Encrypted backup copies may be retained for an additional 30 days for disaster recovery purposes, then securely deleted.
12. Liability and Indemnification
12.1 Processor Liability
Pactline's liability for data processing breaches is limited to direct damages up to the total fees paid by Controller in the 12 months preceding the incident. This does not limit liability for:
- Data breaches resulting from Pactline's negligence or willful misconduct
- Breaches of confidentiality obligations
- Unauthorized processing of data
12.2 Indemnification
Pactline indemnifies Controller against claims that Pactline's processing of data in accordance with Controller's documented instructions violates applicable data protection laws, provided Controller has not contributed to the violation.
13. Compliance with Regulations
13.1 GDPR Compliance
This DPA complies with EU Regulation 2016/679 (GDPR), including Articles 28-32 regarding processor obligations.
13.2 Additional Laws
Pactline also complies with:
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
- UK General Data Protection Regulation (UK GDPR)
- Health Insurance Portability and Accountability Act (HIPAA)
- Other applicable data protection and privacy laws
14. Amendments and Updates
Pactline may amend this DPA to reflect changes in processing activities or to comply with legal requirements. Material changes will be communicated to Controller with 30 days' notice. Controller's continued use of Pactline constitutes acceptance of amendments.
15. Entire Agreement
This Data Processing Agreement, together with the customer agreement and privacy policy, constitutes the entire agreement regarding data processing and supersedes all prior agreements.
16. Contact and Notices
For questions about this DPA or data processing practices:
Data Protection Officer / Processor Contact
Rasan Group
Email: privacy@pactline.io
Website: https://pactline.io
Signature: By using Pactline, you accept and agree to this Data Processing Agreement as incorporated into your service agreement with Rasan Group.