Research Demonstrator - Not for operational use.

Data Processing Agreement

Last Updated: December 2, 2025
Version 1
Data Protection
Last Updated: December 3, 2025

Effective Date: December 3, 2025

1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Milenial Procurments Inc. ("Processor") and the Customer ("Controller") for the Milenial Compliance Platform.

2. Definitions
Personal Data: Any information relating to an identified or identifiable natural person
Processing: Any operation performed on Personal Data
Data Subject: An identified or identifiable natural person
Sub-processor: Any third party engaged by Processor to process Personal Data

3. Scope and Purpose
The Processor will process Personal Data solely for providing compliance services, including:

Compliance risk assessments and scoring
Document management and audit trails
Supplier verification and monitoring
Regulatory compliance reporting

4. Controller Obligations
The Controller warrants that:

It has a lawful basis to process and transfer Personal Data
Data Subjects have been informed of processing activities
All necessary consents have been obtained
Instructions to Processor comply with applicable laws

5. Processor Obligations
The Processor shall:

Process Personal Data only on documented Controller instructions
Ensure personnel are bound by confidentiality obligations
Implement appropriate technical and organizational security measures
Assist Controller in responding to Data Subject requests
Delete or return Personal Data upon termination

6. Sub-processors
6.1 Authorization
Controller provides general authorization for Processor to engage Sub-processors listed in our Sub-processor List.

6.2 Sub-processor Requirements
Processor shall ensure Sub-processors are bound by data protection obligations no less protective than this DPA.

6.3 Notification
Processor will notify Controller of new Sub-processors with 30 days' advance notice. Controller may object within 14 days.

7. Security Measures
Processor implements:

AES-256 encryption at rest, TLS 1.2+ in transit
Role-based access controls (RBAC)
Multi-factor authentication
Regular security audits and penetration testing
Intrusion detection and monitoring
Secure data centers with SOC 2 certification

8. Data Breach Notification
Processor shall notify Controller within 72 hours of becoming aware of a Personal Data breach, including:

Nature of the breach
Categories and approximate number of Data Subjects affected
Likely consequences
Measures taken or proposed to address the breach

9. International Transfers
Personal Data may be transferred to countries outside the EEA only with appropriate safeguards:

Standard Contractual Clauses (SCCs)
Binding Corporate Rules
Adequacy decisions

10. Audit Rights
Controller may audit Processor's compliance with this DPA upon reasonable notice. Processor will provide necessary information and access.

11. Term and Termination
This DPA remains in effect for the duration of the service agreement. Upon termination, Processor will delete or return all Personal Data within 90 days.

12. Contact
Data Protection Officer: dpo@milenialinc.com