Data Processing Agreement
Version 1.1 · Effective date: June 1, 2025
This Data Processing Agreement ("DPA") supplements the Terms of Service between you ("Controller," "Customer") and ESG Automated, Inc. ("Processor," "Company") and governs the processing of personal data in connection with the ESG Automated platform.
This DPA applies where ESG Automated processes personal data on your behalf and is intended to satisfy the requirements of Article 28 of the EU General Data Protection Regulation (GDPR) and equivalent provisions under the UK GDPR and other applicable data protection laws.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection law.
"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
"Controller" means the party that determines the purposes and means of processing Personal Data — in this context, you (the Customer).
"Processor" means the party that processes Personal Data on behalf of the Controller — in this context, ESG Automated, Inc.
"Sub-processor" means any third party engaged by the Processor to assist in processing Personal Data.
2. Scope and Roles
ESG Automated processes Personal Data only on your documented instructions and for the purpose of providing the platform services. You are the Controller; ESG Automated is the Processor with respect to Personal Data you submit through the platform.
3. Details of Processing
| Attribute | Details |
|---|---|
| Subject matter | Provision of ESG data management, metric calculation, and reporting services |
| Duration | For the term of the agreement plus data retention period (see Section 11) |
| Nature | Collection, storage, analysis, and deletion of personal data |
| Purpose | Providing ESG compliance and reporting services as described in the Terms |
| Categories of data | Business contact information, employee demographic data (anonymized), account activity data |
| Categories of data subjects | Customer employees, contacts, and authorized platform users |
4. Controller Obligations
You agree to:
- Ensure you have a lawful basis for processing and transferring Personal Data to ESG Automated
- Obtain any required consents from data subjects before uploading their data
- Provide accurate and complete instructions regarding the processing of Personal Data
- Comply with your own obligations under applicable data protection laws
5. Processor Obligations
ESG Automated agrees to:
- Process Personal Data only on documented instructions from you
- Ensure personnel authorized to process Personal Data are bound by confidentiality
- Implement appropriate technical and organizational security measures (see Section 8)
- Assist you in fulfilling data subject rights requests (see Section 9)
- Not engage sub-processors without authorization (see Section 6)
- Delete or return Personal Data upon termination (see Section 11)
- Make information necessary to demonstrate compliance available to you upon request
6. Sub-processors
We maintain a list of approved sub-processors used in delivering the service. Current key sub-processors include:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure and data storage | United States (us-east-1) |
| Stripe | Payment processing | United States |
| SendGrid (Twilio) | Transactional email delivery | United States |
| Intercom | Customer support chat | United States |
We will provide 30 days' prior written notice before adding or replacing sub-processors. You may object by notifying us in writing within 14 days; unresolved objections may result in termination without penalty.
7. International Data Transfers
Where Personal Data is transferred from the European Economic Area (EEA) or the United Kingdom to countries not deemed adequate by the relevant authority, such transfers rely on the EU Standard Contractual Clauses (SCCs) as adopted by the European Commission. By accepting this DPA, you enter into the SCCs as Controller (Module 2: Controller to Processor).
8. Security Measures
ESG Automated implements and maintains the following technical and organizational security measures:
- AES-256 encryption of data at rest
- TLS 1.3 encryption in transit
- SOC 2 Type II certification (security, availability, confidentiality)
- Role-based access controls with least-privilege principles
- Multi-factor authentication for all internal system access
- Annual third-party penetration testing
- Formal incident response procedures
- Employee security training and background checks
9. Data Subject Rights
We will notify you promptly (within 48 hours) of any data subject requests we receive directly. We will not respond to such requests without your instruction. We will provide reasonable assistance to help you fulfill rights requests, including access, correction, deletion, and portability.
10. Data Breach Notification
In the event of a personal data breach affecting your data, we will notify you without undue delay and no later than 72 hours after becoming aware of it. Notification will include: nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
11. Return and Deletion of Data
Upon termination of the agreement or at your written request, we will delete all Personal Data within 30 days. We will provide written confirmation of deletion upon request. We may retain data longer only where required by applicable law, and will inform you of such retention.
12. Term
This DPA is effective from the date you accept the Terms of Service and continues until all data has been deleted as described in Section 11.
Questions: dpo@automatedesg.com