Data Processing Addendum

This DPA forms part of the agreement between Customer and Sonar Genius. It applies whenever we process personal data on Customer's behalf.

1. Roles

Customer is the controller; Sonar Genius is the processor.

2. Scope of processing

We process email content and metadata for the authorized mailboxes, limited to correspondence with domains on the client allowlist, to deliver the service.

3. Sub-processors

A current list is available on request. We give prior notice of changes and an opportunity to object.

4. International transfers

Where required, we rely on Standard Contractual Clauses and additional safeguards.

5. Security measures

Encryption in transit and at rest, access controls, audit logging, secure SDLC, and incident response procedures. Full TOMs available on request.

6. Data subject requests

We will assist Customer in responding to access, correction, and deletion requests.

7. Breach notification

We will notify Customer without undue delay after becoming aware of a personal data breach.

8. Deletion

On termination, we delete or return personal data within 30 days, except where retention is required by law.

To execute a countersigned DPA, contact legal@sonargenius.com.