Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between [TTXLab Legal Entity Name] ("Processor" or "TTXLab") and the customer organization ("Controller") for the provision of the TTXLab Service. This DPA sets out the terms that apply when personal data is processed by TTXLab on behalf of the Controller in connection with the Service.
This policy is under review by legal counsel. Last substantive update: March 22, 2026.
1. Definitions
In this DPA, the following terms have the meanings set out below. Capitalised terms not defined here have the meanings given to them in the main service agreement ("Agreement"), the GDPR, or applicable data protection laws.
- "Applicable Data Protection Law" means all applicable laws relating to data protection and privacy, including the GDPR (Regulation (EU) 2016/679), the UK GDPR, the Swiss Federal Act on Data Protection, the CCPA/CPRA, and any implementing or supplementary legislation.
- "Controller" means the customer entity that determines the purposes and means of processing personal data through the Service.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed.
- "Personal Data" means any information relating to a Data Subject that is processed by TTXLab on behalf of the Controller in connection with the Service.
- "Processor" means TTXLab, which processes Personal Data on behalf of the Controller.
- "Subprocessor" means a third party engaged by TTXLab to process Personal Data on behalf of the Controller.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Scope and role of the parties
The Controller determines the purposes and means of processing Personal Data. TTXLab acts as a Processor, processing Personal Data only on behalf of and in accordance with the documented instructions of the Controller (as described in this DPA and the Agreement), except where required by Applicable Data Protection Law to act without such instructions.
This DPA applies to all processing of Personal Data by TTXLab on behalf of the Controller in connection with the provision of the Service. It supplements the Agreement and the Privacy Policy.
3. Categories of personal data processed
TTXLab processes the following categories of Personal Data on behalf of the Controller:
- Account and identity data: Email addresses, display names, organisation affiliation, workspace role assignments, and workspace membership of participants.
- Exercise and operational data: Scenario configurations, exercise role assignments, participant responses, transcript content, facilitator notes, scoring outputs, generated recommendations, and exercise reports.
- Technical data: IP addresses, browser information, session identifiers, and audit logs related to service access and operations.
Categories of Data Subjects include: employees, contractors, and authorised representatives of the Controller who access or participate in exercises through the Service.
4. Processing purposes
TTXLab processes Personal Data solely for the following purposes:
- Providing, operating, and maintaining the Service as described in the Agreement.
- Authenticating users and enforcing access controls within the Controller's workspace.
- Facilitating tabletop exercises and generating reports as configured by the Controller.
- Providing technical support and resolving incidents at the Controller's request.
- Complying with applicable legal obligations.
TTXLab will not process Personal Data for any other purpose, including marketing, profiling, or AI/ML model training, without the Controller's prior written consent.
5. Processor obligations (GDPR Article 28)
In accordance with Article 28 of the GDPR, TTXLab as Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by Applicable Data Protection Law, in which case TTXLab shall inform the Controller of that legal requirement before processing (unless prohibited by law from doing so).
- Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate: encryption of Personal Data in transit (TLS) and at rest; logical tenant isolation by organisation identifiers; role-based access control; audit logging of key lifecycle events; and regular security reviews.
- Not engage another processor (Subprocessor) without prior specific or general written authorisation of the Controller. In the case of general written authorisation, TTXLab shall inform the Controller of any intended changes concerning the addition or replacement of Subprocessors, giving the Controller the opportunity to object.
- Assist the Controller, taking into account the nature of processing, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights.
- Assist the Controller in ensuring compliance with obligations relating to security of processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultations, taking into account the nature of processing and the information available to TTXLab.
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Applicable Data Protection Law requires storage of the Personal Data.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
6. Subprocessor management
The Controller provides general authorisation for TTXLab to engage Subprocessors to assist in providing the Service. A current list of Subprocessors is maintained on the Trust Center.
TTXLab shall:
- Provide the Controller with at least 30 days' prior written notice before adding or replacing a Subprocessor that processes Personal Data, including the name, location, and processing activities of the proposed Subprocessor.
- Impose data protection obligations on each Subprocessor that are no less protective than those set out in this DPA, by way of a written contract.
- Remain fully liable to the Controller for the performance of each Subprocessor's obligations.
If the Controller objects to a new Subprocessor on reasonable data protection grounds, the parties shall discuss the objection in good faith with a view to achieving a resolution. If no resolution is reached, the Controller may terminate the affected portion of the Service by providing written notice.
7. Data breach notification
TTXLab shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach. The notification shall include:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned.
- The name and contact details of the data protection point of contact.
- A description of the likely consequences of the Personal Data Breach.
- A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.
TTXLab shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the breach. TTXLab shall document all Personal Data Breaches, including the facts, effects, and remedial actions taken.
8. Data subject rights assistance
TTXLab shall assist the Controller in responding to Data Subject requests to exercise their rights under Applicable Data Protection Law, including the rights to access, rectify, erase, restrict processing, port data, and object to processing.
If TTXLab receives a request directly from a Data Subject, TTXLab shall promptly redirect the Data Subject to the Controller and notify the Controller of the request, unless otherwise instructed by the Controller. TTXLab shall not respond to a Data Subject request directly without the Controller's prior written authorisation, except to inform the Data Subject that their request has been forwarded.
9. International data transfers
TTXLab processes Personal Data primarily in the United States. Where Personal Data originating from the EEA, UK, or Switzerland is transferred to the United States or another country without an adequacy decision, TTXLab shall ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Module 2: Controller to Processor and Module 3: Processor to Processor as applicable).
- Supplementary technical and organisational measures where required by applicable guidance.
The Controller may request copies of the applicable transfer mechanism documentation by contacting support@ttxlab.com.
10. Deletion and return of data
Upon termination or expiry of the Agreement, or upon the Controller's written request, TTXLab shall:
- Provide the Controller with a reasonable period (not less than 30 days) to export Personal Data from the Service.
- Delete all Personal Data processed on behalf of the Controller, including all copies, within 90 days of the end of the export period, unless retention is required by Applicable Data Protection Law.
- Upon the Controller's request, certify in writing that deletion has been completed.
Backup copies stored in automated backup systems will be deleted in accordance with the backup retention cycle (typically within 30 days of the primary deletion).
11. Audit rights
TTXLab shall make available to the Controller, upon reasonable request and subject to confidentiality obligations, all information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the GDPR.
The Controller (or an independent third-party auditor appointed by the Controller) may conduct audits and inspections of TTXLab's processing activities, subject to the following conditions:
- The Controller shall provide at least 30 days' prior written notice of an audit request.
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt TTXLab's operations.
- Audits shall be limited to once per 12-month period, unless required by a supervisory authority or following a Personal Data Breach.
- The Controller shall bear the costs of any audit, unless the audit reveals material non-compliance by TTXLab.
- TTXLab may satisfy audit requests by providing relevant certifications, audit reports (such as SOC 2 reports when available), or equivalent documentation.
12. Duration and termination
This DPA shall remain in effect for the duration of the Agreement and for as long as TTXLab processes Personal Data on behalf of the Controller. Obligations that by their nature should survive termination (including data deletion, breach notification, and confidentiality) shall continue to apply after termination.
13. Contact
For questions about this DPA or to exercise any rights described herein, please contact:
TTXLab
Data Protection Contact
Email: support@ttxlab.com
Address: 600 1st Ave Ste 330, PMB 533227, Seattle, WA 98104-2246
For related documentation, see our Privacy Policy, Terms of Service, and Trust Center.