← All Legal Documents GDPR

Data Processing Addendum

GDPR, CCPA, and international data transfer obligations

📅 Effective March 17, 2026 support@durand.life

Data Processing Addendum

This Data Processing Addendum (“DPA”) forms a part of the Agreement between Durand and Customer. This DPA is incorporated into the Agreement by reference and describes the Parties’ obligations regarding the Processing of Personal Information. Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name of and on behalf of its Authorized Affiliates, if and to the extent that Durand Processes Personal Information for such Authorized Affiliates that qualify as a Controller. Durand is acting as a Service Provider and Processor. All capitalized terms not defined shall have the meanings provided in the Agreement. In the event of a conflict between the terms of the Agreement and the DPA, this DPA shall prevail.

“Affiliates” means any legal entity controlling, controlled by or under common control with a party to this DPA, for so long as such Control relationship exists.

“Authorized Affiliates” means those certain Customer Affiliates that, if agreed upon by Durand, are authorized to utilize the Durand Services as Users pursuant to the Agreement.

“Applicable Data Protection Law(s)” means any applicable law, ordinance, statute, regulation, or other binding restriction to which the Personal Information is subject, including but not limited to Canada’s Personal Information Protection and Electronic Documents Act, S.C., 2000, ch. 5 (“PIPEDA”) and any provincial legislation deemed substantially similar to PIPEDA pursuant to the procedures set forth within PIPEDA, CCPA, GDPR, UK GDPR, Data Protection Act 2018 and Non-EU Data Protection Laws, and all amendments thereof. For the avoidance of doubt, only the Applicable Data Protection Laws governing the use of the Software and the relationship between the Parties shall apply.

“Control” means the ownership of more than 50% of the applicable entity or the ability in fact to direct the management decisions of such entity.

“Customer Personal Information” means Personal Information belonging to Customer that is processed by Durand in the course of providing the Durand Services under the Agreement.

“Data Controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Information.

“Data Subject” has the meaning assigned to the term “data subject” or “consumer” under Applicable Data Protection Laws and shall include identified or identifiable natural persons to whom the Personal Information relates.

“GDPR” means the EU General Data Protection Regulation 2016/679.

“Non-EU Data Protection Laws” means all other applicable data protection laws, including but not limited to US state comprehensive privacy laws, including but not limited to the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any implementing regulations or guidance provided by the California Attorney General (“CCPA”), the Dubai International Financial Centre’s Data Protection Law No. 5 of 2020 (“DIFC DPL”), Thailand Personal Data Protection Act, B.E. 2562 (2019) (“PDPA”)and Australia’s Privacy Act of 1988 (“Privacy Act of 1988”), and all amendments to the CCPA, PIPEDA, DIFC DPL, Privacy Act of 1988, and similar legislation, as they may be enacted, from time to time.

“Personal Information” means any data provided by Customer or its Authorized Affiliates to Durand that identifies or, alone or in combination with any other data, could reasonably be used to identify, locate, or contact a natural person or household, or any other information that is considered “personal information,” “personal data,” or other similar terms under Applicable Data Protection Laws, but does not include data or information that is publicly available within the meaning of such section or that has been de-identified within the meaning of Applicable Data Protection Laws.

“Process” or “Processing” means any operation or set of operations that are performed upon Personal Information, whether or not by automatic means, such as collection, accessing, processing, use, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, transmittal, alignment or combination, blocking, erasure, destruction or otherwise used as set out in the Applicable Data Protection Laws.

“Security Incident” means any situation in which Durand confirms that Personal Information under its direct control has been accessed, acquired, disclosed, altered, lost, destroyed, or used by unauthorized persons in an unauthorized manner having a material impact on Customer or its Affiliates or on Data Subject rights.

“Sell”, “selling”, “sale”, or “sold” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Data Subject’s Personal Information to a third party for monetary or other valuable consideration.

“Share”, “sharing”, or “shared” means the provision of Personal Information to support targeted advertising across unaffiliated websites based on online behavioral profiling.

“Service Provider” means an entity that processes information on behalf of Customer and to which Customer discloses a Data Subject’s Personal Information for a business purpose pursuant to a written contract.

“Sub-Processor(s)” means any third-party service provider of Durand and to whom Durand provides or makes available Personal Information for Processing to be carried out on behalf of Customer or its Authorized Affiliates. For clarity, Sub-processors do not include Third-Party Services with whom Customer or its Authorized Affiliates directs Durand to interact with or disclose Personal Information. Durand may disclose Personal Information to such Third-Party Services, and Durand shall have no responsibility for the use of any Personal Information by any such third parties.

Annex I: Description of Transfers

Categories of data subjects whose personal data is transferred

Data exporter may submit Personal Information into the Durand Service, the extent of which is determined and controlled solely by the data exporter, and which may include, but is not limited to Personal Information relating to the following categories of data subjects:

Data exporter’s employees, contractors, patients, representatives, agents, and other individuals whom data exporter allows and is permitted to use the Durand Service, as well as Personal Information relating to the data exporter’s customers, partners, patients, users, vendors, and other categories as otherwise contemplated by the Agreement.

Categories of personal data transferred

Data exporter may submit Personal Information to the Durand Services, the extent of which is determined and controlled solely by data exporter, and which may include, but is not limited to the following Personal Information:

First and last name, contact information such as address, telephone number, and email address, IP address, user identifier, and other categories as otherwise contemplated by the Agreement.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Any special categories of personal data or sensitive Personal Information, in the sole discretion of data exporter, which may be included in an Input or otherwise Customer Data submitted into the Durand Services or contained in an Output generated by the Durand Services. Notwithstanding the foregoing, no PCI-DSS-related data (except to enter in its payment information for the Durand Services), or other sensitive data types shall be submitted to Durand or into the Durand Services (protected health information may be submitted). If Customer ignores the foregoing restrictions, Customer is fully responsible for such data and Durand disclaims all liability relating to any claims involving such data.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous basis until termination or expiration of the Agreement.

Nature of the processing

The performance of the Durand Services pursuant to the Agreement.

Purpose(s) of the data transfer and further processing

The performance of the Durand Services pursuant to the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For the duration of the Agreement until it is deleted in accordance with the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

As stated above, and as may be further detailed in the Sub-Processor Table made available and updated by Durand from time to time.

ANNEX II: Security Measures

TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Durand’s information security program, as established through its Information Security Policy’s internal controls and procedures, is designed to ensure: (i) Customer Data Durand processes is protected against accidental, unlawful, or unauthorized loss, access, or disclosure; (ii) reasonably foreseeable risks relating to security and unauthorized access are identified and protected against; and (iii) security risks are minimized by implementing, maintaining, and regularly assessing such controls.

Access Controls

Durand has instituted access control management policies: (i) governing the security of Durand’s information, networks, applications, and systems aimed to prevent unauthorized access to such items; and (ii) relating to Durand’s networks, applications, and systems to ensure only authorized users access appropriate information based on their role and to prevent unauthorized access to the same.

Encryption and Key Management

All encryptions for data and relating to key management shall be end-to-end and be performed in accordance with industry standards. The below represents Durand’s encryption methods for at-rest and in-transit data.

Asset Management

Durand has instituted policies that appropriately identify and classify its assets to ensure their security and integrity. Protection levels are established pursuant to the corresponding asset’s importance and exposure to sensitive information, and are designed to prohibit unauthorized disclosures, loss, damage, or destruction of information in relation to the asset.

Contingency Planning

Durand has instituted redundancy controls to eliminate single points of failure and minimize the impact of possible physical and environmental risks. It has also established a Business Continuity and Disaster Recovery Plan, which it tests regularly, to help ensure the Durand Services’ continuity.

Security Incident Response

Durand has instituted policies to minimize a security incident’s impact, including as it relates to the availability and confidentiality of the Durand Services. These policies help Durand to efficiently respond, mitigate, handle, and communicate issues relating to a security incident.

Risk Management

Security Controls