Data Processing Addendum (DPA)
1. Purpose and Scope
This Data Processing Addendum ("DPA") forms part of and supplements the agreement between Avíspa Solutions, LLC ("Avíspa Solutions," "Processor," or "Service Provider") and the client ("Client," "Controller," or "Business").
This DPA applies where Avíspa Solutions processes personal data or other Client Data on behalf of the Client in connection with services provided. It does not apply to general website visitors.
2. Definitions
For purposes of this DPA:
- "Client Data" means any data, including personal data, provided by or on behalf of Client
- "Personal Data" means information that identifies or can reasonably be linked to an individual
- "Processing" means any operation performed on Client Data (collection, use, storage, transmission, etc.)
- "Subprocessor" means a third party engaged by Avíspa Solutions to process Client Data
3. Roles of the Parties
- Client is the data owner / controller / business
- Avíspa Solutions is the processor / service provider
Avíspa Solutions will process Client Data:
- Only on documented instructions from Client
- Only as necessary to perform services
- Only in accordance with applicable law
4. Nature and Purpose of Processing
Processing may include:
- Workflow automation
- CRM and system integrations
- AI-assisted content generation
- Data routing, transformation, and synchronization
- Communication automation
- System configuration, testing, and maintenance
The purpose is to enable and support Client's business operations.
5. Categories of Data and Data Subjects
Data may include:
- Names, emails, phone numbers
- Business and company data
- CRM records and communications
- Marketing and outreach data
- Operational workflow data
Data subjects may include:
- Client employees and contractors
- Leads, prospects, and customers
- Vendors and business contacts
6. Client Instructions
Avíspa Solutions will process Client Data only based on:
- Signed agreements
- Statements of work
- Approved workflows
- Written requests or instructions
If an instruction appears unlawful, Avíspa Solutions may suspend the relevant processing and notify the Client.
7. Confidentiality
Avíspa Solutions will:
- Treat Client Data as confidential
- Restrict access to authorized personnel only
- Ensure personnel are bound by confidentiality obligations
8. Data Security
Avíspa Solutions will implement commercially reasonable safeguards, including:
- Access controls and permission management
- Secure authentication practices
- Use of established third-party platforms
- Limiting access based on operational necessity
Important: No system is completely secure. Avíspa Solutions reduces risk through architecture and controlled data exposure.
9. Subprocessors
Client authorizes Avíspa Solutions to use subprocessors necessary to deliver services. These may include:
- AI platforms (e.g., OpenAI, Anthropic)
- CRM and marketing tools (e.g., HubSpot, GoHighLevel)
- Cloud and infrastructure providers (e.g., Google)
- Payment processors
Avíspa Solutions will use reputable providers and limit use to service delivery purposes.
10. No Sale or Unauthorized Use of Data
Avíspa Solutions will not:
- Sell Client Data
- Use Client Data for unrelated purposes
- Retain data beyond what is necessary for services
Data is used only to deliver services, maintain system functionality, and comply with legal obligations.
11. AI Processing
Where AI is used:
- It is limited to defined workflow purposes
- Client data is not used to train Avíspa Solutions' own models
- Data exposure is minimized where feasible
Client acknowledges that AI outputs may be imperfect and human review is required.
12. Data Subject Rights
Avíspa Solutions will provide reasonable assistance to Client in responding to access, deletion, and correction requests. Client remains responsible for responding to such requests and for legal compliance.
13. Incident Notification
If Avíspa Solutions becomes aware of unauthorized access or disclosure, Client will be notified without unreasonable delay. Notice will include relevant available details.
14. Data Retention and Deletion
Avíspa Solutions:
- Does not maintain unnecessary long-term storage
- Will delete or return data upon request where feasible
Exceptions include legal obligations, dispute resolution, and minimal internal recordkeeping.
15. Cross-Border Data Transfers
Client acknowledges that third-party providers may process data in multiple jurisdictions and that data location depends on selected platforms. Avíspa Solutions will use reasonable care in provider selection and configure systems based on Client requirements where specified.
16. Client Responsibilities
Client is responsible for:
- Ensuring lawful data collection and use
- Providing valid instructions
- Determining appropriate data sensitivity levels
- Reviewing system configurations
17. Audit and Information Rights
Upon reasonable request, Avíspa Solutions may provide information demonstrating general compliance, subject to limitations including protection of proprietary systems, protection of other clients, and reasonable scope and frequency.
18. Term
This DPA remains in effect for the duration of services and as long as Client Data is processed.
19. Order of Precedence
If there is a conflict, this DPA governs data processing obligations. The main agreement governs all other terms.
20. Execution
This DPA may be accepted through:
- Signed agreements
- SOW acceptance
- Proposal approval
- Continued use of services