This Data Processing Agreement (“DPA”) forms part of the agreement between Ephrontech LLC (“Processor” or “Ephrontech”) and the customer identified in the underlying services agreement (“Controller” or “Customer”) (each a “Party,” together the “Parties”) for the provision of services (the “Services”), and governs the Processing of Personal Data by Ephrontech on behalf of Customer.
1. Definitions
Capitalized terms not defined here have the meaning given in Applicable Data Protection Law. “Applicable Data Protection Law” means all laws and regulations applicable to the Processing of Personal Data under this DPA, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, and the California Consumer Privacy Act as amended (“CCPA”). “Personal Data,” “Processing,” “Controller,” “Processor,” and “Data Subject” have the meanings given in the GDPR. “Sub-processor” means any third party engaged by Ephrontech to Process Personal Data.
2. Roles and scope
As between the Parties, Customer is the Controller (or a Processor acting on behalf of a third-party controller) and Ephrontech is the Processor. For Personal Data subject to the CCPA, Customer is the “Business” and Ephrontech is a “Service Provider.” Ephrontech will Process Personal Data only as a Processor / Service Provider, solely to provide the Services, and as described in Annex I.
3. Processing instructions
Ephrontech will Process Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to do otherwise by law (in which case Ephrontech will inform Customer of that legal requirement before Processing, unless prohibited by law). The underlying services agreement and this DPA constitute Customer’s complete and final instructions. Ephrontech will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
4. CCPA service-provider commitments
With respect to Personal Data subject to the CCPA, Ephrontech will not:
- Sell or share Personal Data within the meaning of the CCPA;
- Retain, use, or disclose Personal Data for any purpose other than performing the Services, or as otherwise permitted by the CCPA;
- Retain, use, or disclose Personal Data outside the direct business relationship between the Parties; or
- Combine Personal Data with information received from other sources, except as permitted by the CCPA.
Ephrontech certifies that it understands and will comply with these restrictions.
5. Confidentiality
Ephrontech will treat Personal Data as confidential and will ensure that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations and are made aware of the confidential nature of the data.
6. Security measures
Ephrontech will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing. These measures are described in Annex II.
7. Sub-processors
Customer provides general authorization for Ephrontech to engage Sub-processors to Process Personal Data, provided that Ephrontech: (a) enters into a written agreement with each Sub-processor imposing data-protection obligations no less protective than those in this DPA; and (b) remains responsible for each Sub-processor’s performance. The current Sub-processors are listed in Annex III. Ephrontech will inform Customer of any intended addition or replacement of a Sub-processor, giving Customer the opportunity to object on reasonable data-protection grounds.
8. Assistance with data-subject requests
Taking into account the nature of the Processing, Ephrontech will assist Customer by appropriate technical and organizational measures, insofar as possible, in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Law. If Ephrontech receives such a request directly, it will, unless legally prohibited, promptly notify Customer and will not respond except on Customer’s instructions.
9. Personal-data breach notification
Ephrontech will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer’s Personal Data, and will provide Customer with information reasonably available to it to assist Customer in meeting its breach-notification obligations. Ephrontech will take reasonable steps to contain and remediate the breach.
10. Data protection impact assessments
Ephrontech will provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with supervisory authorities that Customer reasonably considers required, in each case solely in relation to Processing under this DPA and taking into account the information available to Ephrontech.
11. Return and deletion
Upon termination of the Services, and at Customer’s choice, Ephrontech will delete or return all Personal Data and delete existing copies, unless retention is required by law. Customer may request return or confirmation of deletion within a reasonable period following termination.
12. Audits
Ephrontech will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, on reasonable prior notice, no more than once per year (absent a Personal Data Breach or regulatory requirement), during normal business hours, and subject to confidentiality. Ephrontech may satisfy this obligation by providing relevant third-party attestations or reports where available.
13. International transfers
Where Ephrontech Processes Personal Data originating from the EEA, UK, or Switzerland in a country that has not received an adequacy decision, the Parties agree that the applicable Standard Contractual Clauses (and the UK Addendum, where relevant) are incorporated into this DPA by reference and apply to such transfers, with Customer as data exporter and Ephrontech as data importer.
14. Liability and precedence
Each Party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the underlying services agreement. In the event of a conflict between this DPA and the services agreement regarding the Processing of Personal Data, this DPA controls. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses control.
15. Governing law
This DPA is governed by the law of the underlying services agreement, except where Applicable Data Protection Law requires otherwise (for example, the law governing the Standard Contractual Clauses).
Annex I — Details of Processing
| Subject matter | Provision of the Services described in the underlying services agreement. |
|---|---|
| Duration | For the term of the services agreement, plus any period of retention required by law or agreed for return/deletion. |
| Nature and purpose | Hosting, storage, transmission, software operation, and related technical processing necessary to provide the Services. |
| Categories of Data Subjects | Customer’s end users, customers, employees, and contacts whose Personal Data is submitted to the Services. |
| Categories of Personal Data | Identification and contact data, account data, and any other Personal Data that Customer elects to submit to the Services. The Parties do not intend for special categories of data to be Processed unless expressly agreed in writing. |
Annex II — Technical and Organizational Measures
Ephrontech maintains the following measures, as further described on its Security & Trust page:
- Encryption — TLS 1.2+ in transit; AES-256 at rest with managed keys (AWS KMS).
- Access control — least-privilege access, multi-factor authentication for administrative access, and periodic access reviews.
- Infrastructure security — isolated AWS VPCs, network controls, and use of a provider with SOC 2 / ISO 27001 attestations.
- Application security — peer-reviewed, version-controlled changes and automated dependency vulnerability scanning.
- Monitoring and logging — infrastructure logging and monitoring to support detection and incident investigation.
- Resilience — managed redundant services and automated backups supporting availability and recovery.
Annex III — Approved Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. (AWS) | Cloud infrastructure, hosting, and storage | United States |
Additional Sub-processors, if any, will be specified in the executed copy of this DPA or otherwise notified to Customer in accordance with Section 7.
Execution
A signable copy of this DPA is available as a PDF. To put it in force, complete the signature block and return a copy to info@ephrontech.com.
