Data Processing Addendum
The structural summary of the DPA. A pre-contract, signable DPA is available before your MSA lands.
Updated 2026-04-23
This page summarizes the structure of the DPA that attaches to every institutional MSA with Elitesgen, Inc. Use it to plan your privacy review before the executable DPA arrives.
1. Parties and scope
The DPA governs our processing of Customer personal data in connection with the Services provided under the MSA. It supplements the MSA and, where required by applicable law (for example, GDPR or UK GDPR), operates as the controller-processor agreement.
2. Processing roles
The Customer is typically the Controller; Elitesgen, Inc. is the Processor. Where a Customer routes data through a Subprocessor of its own, we remain the Processor to the Customer and do not take on Controller obligations outside our documented processing. Sub-processor relationships we hold are disclosed on /trust/data-processing.
3. Data categories and data subjects
Categories typically include identity and contact data, account and cohort metadata, product interaction signals, and any personal data a Customer specifies on the Order Form (e.g., PHI under a BAA, education records under FERPA). Data subjects include the Customer's administrators and the end users authorized to access the Services.
4. Processing purposes
We process personal data to operate the Services, produce the outcome reports the Order Form promises, maintain security and integrity, and meet legal obligations. Processing outside those purposes requires written Customer instruction or a specific legal basis.
5. Sub-processors
Our full sub-processor list is published at /trust/data-processing and updated within 14 days of any change. Customers who subscribe to the change list receive the update directly.
6. Data subject rights
We support Customer-facing data subject rights (access, portability, correction, deletion, objection) by providing the tooling in the platform and by cooperating with requests that require our assistance. Customers remain the first point of contact for their end users; we backstop the tooling.
7. International transfers
Where personal data moves across borders, transfers execute under Standard Contractual Clauses or an equivalent mechanism. EU data residency is available on Enterprise engagements and reduces the frequency of cross-border transfers at the data layer.
8. Security measures
The DPA cross-references the security practices documented at /trust/security: SSO-first access, least-privilege IAM with quarterly review, encryption in transit and at rest, field-level encryption for sensitive personal data, and independently tested incident response.
9. Incident notification
We notify affected Customers of a personal-data breach without undue delay and in any event within 72 hours of our awareness. Notification includes what is known at that point and is updated as investigation progresses. Post-mortems for customer-impacting incidents publish within 60 days.
10. Audit rights
Customers may exercise audit rights under applicable law. Where appropriate, we meet those rights through third-party audit reports (SOC 2 Type II once issued, pen test reports, controls matrix) under mutual NDA. Customer-specific on-site audits are available for Enterprise engagements, scoped to scale.
11. Data return and deletion on termination
On termination, Customer Data is returned in a documented export format and deleted from the production environment within 30 days, with backups purging on the next rotation. Certificates of deletion are available on request.
12. Liability and warranties
DPA liability ties into the MSA's liability framework, with the carve-outs and supercaps specific to data-protection obligations preserved. Nothing in the DPA reduces protections required by applicable law.
Request the executable DPA
Pre-contract DPA is available to prospective customers. Write to privacy@elitesgen.com. A BAA (for PHI) or a FERPA addendum (for education records) attaches where relevant.
Elitesgen, Inc. is wholly owned by Elites Generation Foundation, a 501(c)(3) whose charter legally forbids behavioral advertising and the sale of individual user data.
Request the signed DPA
Pre-contract DPA turns around in one business day, typically the same day.