Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Auctera LLC ("Processor") and the customer ("Controller") and sets forth the parties' obligations with respect to the processing of Personal Data under applicable data protection laws, including the GDPR.

2. Definitions

Personal Data: Information relating to an identified or identifiable natural person
Processing: Any operation performed on Personal Data
Controller: The entity that determines the purposes and means of Processing
Processor: The entity that Processes Personal Data on behalf of the Controller
Sub-processor: Any Processor engaged by Auctera to Process Personal Data
GDPR: General Data Protection Regulation (EU) 2016/679

3. Scope and Roles

Auctera acts as a Processor of Personal Data on behalf of the Controller. This DPA applies to all Processing of Personal Data carried out in connection with the Services.

4. Controller Responsibilities

The Controller shall:

Comply with all applicable data protection laws
Ensure it has all necessary rights and consents to provide Personal Data to Auctera
Provide clear instructions for Processing Personal Data
Ensure that Processing instructions comply with applicable laws

5. Processor Responsibilities

Auctera shall:

Process Personal Data only on documented instructions from the Controller
Ensure that authorized personnel are bound by confidentiality obligations
Implement appropriate technical and organizational security measures
Assist the Controller in responding to data subject requests
Notify the Controller of any Personal Data breaches without undue delay
Delete or return Personal Data upon termination of Services
Make available information necessary to demonstrate compliance

6. Sub-processors

The Controller provides general authorization for Auctera to engage Sub-processors. Auctera shall:

Maintain a list of current Sub-processors
Notify the Controller of any changes to Sub-processors
Ensure Sub-processors provide equivalent data protection guarantees
Remain fully liable for any Sub-processor's acts or omissions

View our current list of Sub-processors at /trust/subprocessors

7. Security Measures

Auctera implements appropriate technical and organizational measures, including:

Encryption of data in transit and at rest
Regular security testing and vulnerability assessments
Access controls and authentication mechanisms
Incident response and breach notification procedures
Regular employee training on data protection
Physical security of data centers

8. Data Subject Rights

Auctera will assist the Controller in fulfilling data subject requests, including:

Right of access
Right to rectification
Right to erasure
Right to restrict processing
Right to data portability
Right to object

9. Data Transfers

Personal Data may be transferred to and processed in countries outside the EEA. Auctera ensures appropriate safeguards are in place, including:

Standard Contractual Clauses approved by the European Commission
Adequacy decisions where applicable
Other legally approved transfer mechanisms

10. Audits and Compliance

Auctera shall make available to the Controller information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

11. Data Breach Notification

In the event of a Personal Data breach, Auctera shall notify the Controller without undue delay and provide:

Description of the nature of the breach
Categories and approximate number of data subjects affected
Likely consequences of the breach
Measures taken or proposed to address the breach

12. Data Retention and Deletion

Upon termination of Services, Auctera shall, at the Controller's choice, delete or return all Personal Data and delete existing copies, unless legally required to retain the data.