Data Processing Addendum (DPA)
This DPA supplements our Terms of Service and governs how we process Customer Personal Data on your behalf, including roles, processing instructions, security, subprocessors, international transfers, and your audit/assistance rights.
1) Definitions
“Applicable Privacy Laws” includes EU/UK GDPR, Swiss DPA, CCPA/CPRA and other U.S. state laws, Brazil LGPD, and similar regulations. “Customer Personal Data” is personal data we process on your behalf. “Restricted Transfer” is a transfer from the EEA/UK/CH to a country without adequacy. “SCCs” are the EU 2021/914 controller-to-processor clauses (as updated).
2) Processing of Personal Data
- Roles: Customer is Controller/Business; Creator Compass is Processor/Service Provider.
- Instructions & Purpose: We process only per your documented instructions to provide the Services, including valuation, forecasting, and analytics (the “Permitted Purpose”).
- Restrictions: No “sale” of data or use for cross-context behavioral advertising; no use beyond the Permitted Purpose except where required by law.
3) International Transfers
For Restricted Transfers, we implement appropriate safeguards such as SCCs, the UK Addendum, or other lawful mechanisms; venue for disputes follows EU/UK/Swiss provisions as applicable.
4) Confidentiality & Security
Authorized personnel are bound by confidentiality. We maintain industry-standard technical and organizational measures (TOMs), including encryption in transit/at rest, access controls, monitoring, and regular security audits.
5) Subprocessors
You authorize use of Subprocessors to support the Permitted Purpose. We flow down equivalent data protection obligations and remain liable for their performance. A current list is available on request (or via a posted URL).
6) Data Subject Requests
We provide reasonable assistance so you can respond to requests to access, correct, delete, or port personal data in accordance with Applicable Privacy Laws.
7) DPIAs & Audits
Upon request, we provide information to demonstrate compliance and support DPIAs and regulatory inquiries. Audits are limited to one per year (unless required by law) with reasonable notice.
8) Personal Data Breaches
We notify you without undue delay after becoming aware of a confirmed breach involving Customer Personal Data and cooperate to mitigate and meet notification obligations.
9) Deletion or Return of Data
Upon termination, we will delete or return Customer Personal Data (at your election), unless retention is required by law. Backups are securely deleted per our retention schedule.
10) Precedence
If there is a conflict between this DPA and the Agreement, this DPA controls for processing of Customer Personal Data.
Effective Date
Last updated:
Related docs: Terms of Service, Privacy Policy, Cookie Policy, and Accessibility Statement.