Milenial Legal

Data Processing Agreement

GDPR-aligned DPA governing how Milenial processes personal data on behalf of customers.

Updated 12/3/2025 · v1

Last Updated: December 3, 2025 · Effective Date: December 3, 2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Milenial Procurments Inc. ("Processor") and the Customer ("Controller") for the Milenial Compliance Platform.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on Personal Data
  • Data Subject: An identified or identifiable natural person
  • Sub-processor: Any third party engaged by Processor to process Personal Data

3. Scope and Purpose

The Processor will process Personal Data solely for providing compliance services, including:

  • Compliance risk assessments and readiness scoring
  • Document management and audit trails
  • Supplier verification and monitoring
  • Regulatory compliance reporting

4. Controller Obligations

The Controller warrants that:

  • It has a lawful basis to process and transfer Personal Data
  • Data Subjects have been informed of processing activities
  • All necessary consents have been obtained
  • Instructions to Processor comply with applicable laws

5. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented Controller instructions
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist Controller in responding to Data Subject requests
  • Delete or return Personal Data upon termination

6. Sub-processors

6.1 Authorization

Controller provides general authorization for Processor to engage Sub-processors listed in our Sub-processor List.

6.2 Sub-processor Requirements

Processor shall ensure Sub-processors are bound by data protection obligations no less protective than this DPA.

6.3 Notification

Processor will notify Controller of new Sub-processors with 30 days' advance notice. Controller may object within 14 days.

7. Security Measures

Processor implements:

  • AES-256 encryption at rest, TLS 1.2+ in transit
  • Role-based access controls (RBAC)
  • Multi-factor authentication
  • Regular security audits and penetration testing
  • Intrusion detection and monitoring
  • Secure data centers with SOC 2 certification

8. Data Breach Notification

Processor shall notify Controller within 72 hours of becoming aware of a Personal Data breach, including:

  • Nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Likely consequences
  • Measures taken or proposed to address the breach

9. International Transfers

Personal Data may be transferred to countries outside the EEA only with appropriate safeguards:

  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules
  • Adequacy decisions

10. Audit Rights

Controller may audit Processor's compliance with this DPA upon reasonable notice. Processor will provide necessary information and access.

11. Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, Processor will delete or return all Personal Data within 90 days.

12. Contact

Data Protection Officer: dpo@milenialinc.com
