Data Processing Agreement

Last updated: January 20, 2026

Enterprise and Team Customers

This Data Processing Agreement ("DPA") supplements our Terms of Service and Privacy Policy for customers who process personal data through our Service. For a signed DPA, please contact dpa@leetservice.com.

1. Definitions

In this DPA, the following terms have the following meanings:

  • "Controller" means the entity that determines the purposes and means of processing Personal Data
  • "Processor" means the entity that processes Personal Data on behalf of the Controller
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed
  • "Personal Data" means any information relating to a Data Subject
  • "Processing" means any operation performed on Personal Data
  • "Sub-processor" means any third party engaged by Leet Service to process Personal Data
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679
  • "SCCs" means the Standard Contractual Clauses approved by the European Commission

2. Roles and Responsibilities

2.1 Controller and Processor

For the purposes of this DPA:

  • You (the Customer) act as the Controller of Personal Data stored in the Service
  • Leet Service acts as the Processor of such Personal Data

2.2 Customer Obligations

As Controller, you are responsible for:

  • Ensuring you have a lawful basis for processing Personal Data
  • Providing appropriate notice to Data Subjects
  • Obtaining necessary consents where required
  • Responding to Data Subject requests
  • Ensuring the accuracy of Personal Data

2.3 Leet Service Obligations

As Processor, Leet Service will:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure persons authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist the Controller with Data Subject requests and compliance obligations
  • Delete or return Personal Data at the end of the service relationship
  • Make available information necessary to demonstrate compliance

3. Data Processing Details

3.1 Subject Matter

The subject matter of the processing is the provision of password management and credential storage services as described in our Terms of Service.

3.2 Nature and Purpose

Leet Service will process Personal Data for the purpose of providing the Service, including:

  • Storing encrypted credentials and related metadata
  • Enabling secure access and sharing features
  • Maintaining audit logs for security purposes
  • Providing customer support

3.3 Categories of Personal Data

  • Account information (name, email address)
  • Encrypted credential data (usernames, passwords, URLs, notes)
  • Usage data and audit logs
  • Device and connection information

3.4 Categories of Data Subjects

  • Customer employees and contractors
  • Customer team members
  • Individuals whose credentials are stored in the Service

3.5 Duration

Processing will continue for the duration of the service agreement and as necessary to comply with legal obligations.

4. Security Measures

Leet Service implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

4.1 Technical Measures

  • Encryption at Rest: AES-256 encryption for all stored data
  • Encryption in Transit: TLS 1.3 for all data transmission
  • Access Controls: Role-based access control and authentication
  • Two-Factor Authentication: Available for all accounts
  • Audit Logging: Comprehensive logging of all access and changes
  • Intrusion Detection: Monitoring for unauthorized access attempts
  • Regular Backups: Encrypted backups with geo-redundancy

4.2 Organizational Measures

  • Personnel Security: Background checks and confidentiality agreements
  • Training: Regular security and privacy awareness training
  • Incident Response: Documented incident response procedures
  • Business Continuity: Disaster recovery and business continuity plans
  • Vendor Management: Due diligence on sub-processors

5. Sub-processors

5.1 Authorization

The Customer provides general authorization for Leet Service to engage sub-processors for the processing of Personal Data. Leet Service will:

  • Enter into written agreements with sub-processors imposing equivalent obligations
  • Remain responsible for sub-processors' compliance
  • Notify Customers of changes to sub-processors

5.2 Current Sub-processors

Sub-processor    Purpose              Location
MongoDB Atlas    Database hosting     USA/EU
Vercel           Application hosting  USA/EU
Resend           Email delivery       USA
Stripe           Payment processing   USA

6. Data Subject Rights

Leet Service will assist the Customer in responding to requests from Data Subjects to exercise their rights under applicable data protection law, including:

  • Right to access Personal Data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing

Customers can manage most Data Subject requests directly through the Service. For additional assistance, contact dpa@leetservice.com.

7. Data Breach Notification

In the event of a Personal Data breach, Leet Service will:

  • Notify the Customer without undue delay (and within 48 hours where feasible)
  • Provide information about the nature, scope, and impact of the breach
  • Describe measures taken or proposed to address the breach
  • Cooperate with the Customer's investigation and remediation efforts
  • Document the breach and actions taken

8. International Transfers

For transfers of Personal Data outside the European Economic Area (EEA), Leet Service relies on:

  • Standard Contractual Clauses (SCCs): EU Commission-approved clauses for data transfers
  • Supplementary Measures: Additional technical and organizational safeguards
  • Data Transfer Impact Assessments: Evaluating transfer risks

Copies of executed SCCs are available upon request.

9. Audit Rights

Upon reasonable request and subject to confidentiality obligations, Leet Service will:

  • Make available information necessary to demonstrate compliance with this DPA
  • Allow for and contribute to audits conducted by the Customer or an independent auditor
  • Provide access to relevant certifications and audit reports (SOC 2, ISO 27001)

10. Data Deletion

Upon termination of the service agreement or upon Customer request:

  • Customers may export their data in a standard format
  • Leet Service will delete Personal Data within 30 days
  • Backup copies will be deleted within 90 days
  • Certification of deletion is available upon request

Data may be retained where required by law, in which case it will be isolated and protected.

11. Governing Law

This DPA is governed by the same law that governs the underlying Terms of Service, except where GDPR or other applicable data protection law requires otherwise.

12. Contact Information

For questions about this DPA or to request a signed copy:

Leet Service

Email: dpa@leetservice.com

Data Protection Officer: dpo@leetservice.com