This agreement governs the processing of personal data by EQTR, Inc. d/b/a ModernRelay on behalf of our customers in compliance with GDPR and other data protection regulations.
Data Controller
Customer
The entity engaging ModernRelay for services
Data Processor
EQTR, Inc. d/b/a ModernRelay
Processing data on behalf of the Controller
The following terms have the meanings set forth below for purposes of this Data Processing Agreement:
Personal Data
Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly.
Processing
Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means.
Data Subject
The individual whose Personal Data is processed.
GDPR
General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council.
Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
Processor
A natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
This Agreement governs the Processor's handling of Personal Data on behalf of the Controller in connection with the provision of ModernRelay's AI-native knowledge management platform and related services.
The Processor shall process Personal Data solely for the purpose of providing the agreed-upon services and as necessary to fulfill its contractual obligations to the Controller.
Types of Personal Data Processed:
The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject.
The Processor ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection law, including requests for:
The Processor shall respond to Data Subject requests within 30 days, or as otherwise required by applicable law.
The Processor shall notify the Controller without undue delay (and in any event within 24 hours) upon becoming aware of a Personal Data breach. Such notification shall include:
Critical: 24-Hour Notification Window
The Processor commits to notifying the Controller of any confirmed or suspected data breach within 24 hours of discovery to enable timely regulatory notification.
International transfers of Personal Data to countries outside the European Economic Area (EEA) must comply with GDPR Chapter V requirements. The Processor ensures appropriate safeguards are in place, including:
Data transfers are documented per the Controller's Binding Corporate Rules and applicable data protection impact assessments.
The Controller reserves the right to conduct audits and security assessments of the Processor's data processing activities. The Processor shall:
Audit Scheduling
Audits shall be conducted with reasonable prior notice (at least 30 days) and during normal business hours, unless urgent circumstances require otherwise.
Upon termination of the service agreement or upon the Controller's request, the Processor shall, at the choice of the Controller:
Deletion shall be completed within 30 days of termination or request, unless legal retention requirements apply.
The Processor shall maintain records of all processing activities carried out on behalf of the Controller as required by Article 30 of the GDPR. These records shall include:
Each party shall be liable for damages caused by processing that infringes this Agreement or applicable data protection law in accordance with the allocation of responsibilities set forth herein.
Important Notice
Specific liability terms, indemnification obligations, and limitations are governed by the Master Services Agreement between the parties. This section provides general guidance and should be reviewed in conjunction with the full contractual framework.
This Data Processing Agreement shall remain in effect for the duration of the service relationship between the Controller and Processor. The obligations regarding data protection, security, and confidentiality shall survive termination.
Upon termination, the Processor shall comply with the data deletion or return requirements specified in Section 8, unless applicable law requires continued retention of the data.
For questions about this Data Processing Agreement, contact:
legal@modernrelay.comContact our legal team for a customized agreement.
The Processor shall not engage another processor (sub-processor) without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes.
A current list of authorized sub-processors is maintained in our Privacy Policy.