Data Processing Addendum (DPA)

1. Scope

This DPA governs processing of personal data submitted to Control by or on behalf of customers where Lost Hills processes personal data as a processor/service provider.

2. Roles

Customer acts as controller/business (or processor acting on behalf of a controller). Lost Hills acts as processor/service provider and processes personal data only on documented instructions, unless otherwise required by law.

3. Processing Details

• Subject matter: provision of the Control SaaS platform
• Duration: term of services plus defined retention period
• Nature: storage, organization, retrieval, transmission, and deletion
• Data subjects: customer users, contacts, prospects, partners, and support contacts
• Data categories: identifiers, professional/contact data, usage logs, and support records

4. Security and Assistance

We implement appropriate technical and organizational measures and assist customers with data subject requests, security incidents, and impact assessments where required under applicable law.

5. Subprocessors and Transfers

We maintain a subprocessor list at /legal/subprocessors. For cross-border transfers, we apply appropriate safeguards, including Standard Contractual Clauses (SCCs) where applicable.

6. Audit and Return/Deletion

Upon reasonable request and subject to confidentiality controls, customers may request relevant compliance information. Upon termination, personal data is returned or deleted consistent with contractual commitments and legal obligations.