Data Processing Addendum
What this is. This Data Processing Addendum (the "DPA") supplements the written engagement agreement between Summit Solutions, LLC and a client (the "Agreement") when Summit processes personal data on behalf of that client. It is not a substitute for the Agreement. Where signed, it forms part of the Agreement and is binding on both parties.
If your business processes EU/EEA, UK, Swiss, or California personal data and you need Summit to commit to processor obligations under applicable law, sign and return this DPA with your Agreement (or ask Summit to do so).
1. Definitions
Capitalized terms not defined in this DPA have the meaning given in the Agreement or in applicable Data Protection Laws. As used here:
- "Client" means the entity that has entered into the Agreement with Summit.
- "Client Personal Data" means personal data that Summit processes on behalf of the Client in connection with the Agreement.
- "Data Protection Laws" means all laws and regulations applicable to the processing of Client Personal Data, including the EU General Data Protection Regulation (Regulation 2016/679, the "GDPR"), the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the California Privacy Rights Act (together, the "CCPA"), and other applicable U.S. state privacy laws.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data.
- "Standard Contractual Clauses" or "SCCs" means the European Commission's standard contractual clauses for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), as supplemented by the UK International Data Transfer Addendum where applicable.
- "Subprocessor" means a third party engaged by Summit to process Client Personal Data.
- Terms such as "controller," "processor," "data subject," "personal data," and "processing" have the meanings given in the GDPR. For CCPA purposes, Summit is a "service provider" and Client is a "business."
2. Roles of the parties
With respect to Client Personal Data, the Client is the controller and Summit is the processor (or service provider under CCPA). Summit will process Client Personal Data only on behalf of and on the documented instructions of the Client, including as set out in the Agreement, this DPA, and Schedule 1.
Where Summit determines the purposes and means of processing for its own internal business operations (for example, billing, recordkeeping, or improving its own services using properly de-identified data), Summit acts as an independent controller for those limited activities, and this DPA does not govern that processing.
3. Scope, nature, and purpose of processing
The subject matter, nature, purpose, duration, categories of data subjects, and categories of Client Personal Data are set out in Schedule 1.
4. Client obligations
The Client represents and warrants that:
- It has provided all required notices and obtained all required consents and other lawful bases to enable Summit to process Client Personal Data as contemplated by the Agreement and this DPA;
- Its instructions to Summit comply with Data Protection Laws; and
- It has the right to disclose Client Personal Data to Summit for the purposes set out in the Agreement.
5. Summit's obligations
Summit will:
- Process on instructions. Process Client Personal Data only on the Client's documented instructions, including with regard to transfers to third countries, unless Summit is required to process by applicable law (in which case Summit will inform the Client of that requirement before processing, unless the law prohibits such notice on important grounds of public interest);
- Confidentiality. Ensure that personnel authorized to process Client Personal Data are subject to written commitments of confidentiality;
- Security. Implement and maintain appropriate technical and organizational measures to protect Client Personal Data, as described in Schedule 3;
- Subprocessors. Engage Subprocessors only as permitted under Section 7 and Schedule 2;
- Data-subject requests. Taking into account the nature of the processing, provide reasonable assistance to enable the Client to respond to requests from data subjects exercising rights under Data Protection Laws;
- Cooperation. Provide reasonable assistance with the Client's obligations relating to security, breach notification, data protection impact assessments, and prior consultations with supervisory authorities, taking into account the nature of the processing and information available to Summit;
- Return / deletion. At the Client's choice, return or delete all Client Personal Data on termination, as set out in Section 11; and
- Information. Make available to the Client, on reasonable written request, the information necessary to demonstrate compliance with this DPA, subject to Section 9.
6. CCPA — Service-provider terms
For Client Personal Data subject to the CCPA, Summit certifies that it will not:
- Sell or share (as those terms are defined under the CCPA) Client Personal Data;
- Retain, use, or disclose Client Personal Data outside the direct business relationship between Summit and Client, or for any commercial purpose other than performing the services specified in the Agreement;
- Retain, use, or disclose Client Personal Data for any purpose other than the specific purpose set out in the Agreement, except as permitted by the CCPA; or
- Combine Client Personal Data with personal information Summit receives from another party, except as permitted by the CCPA.
Summit will comply with applicable obligations under the CCPA and will provide the Client with the same level of privacy protection as required by the CCPA. The Client may take reasonable and appropriate steps to ensure Summit uses Client Personal Data in a manner consistent with the CCPA, and may, upon notice, stop and remediate unauthorized use of personal information.
7. Subprocessors
The Client provides general written authorization for Summit to engage the Subprocessors listed in Schedule 2. Summit will:
- Impose data-protection obligations on each Subprocessor that are no less protective than those in this DPA;
- Remain liable for the acts and omissions of its Subprocessors with respect to Client Personal Data, as if they were Summit's own;
- Notify the Client of any intended addition or replacement of a Subprocessor with at least thirty (30) days' prior notice (by email to the Client's designated contact), giving the Client an opportunity to object on reasonable data-protection grounds. If the Client objects, the parties will work in good faith to resolve the objection; if not resolved, the Client may terminate the affected services with pro-rata refund of prepaid fees.
8. International data transfers
Summit is located in the United States and processes Client Personal Data in the United States. To the extent Summit's processing of Client Personal Data involves a transfer of personal data subject to the GDPR, UK GDPR, or Swiss data protection law to a country that is not the subject of an adequacy decision, the parties agree that the Standard Contractual Clauses (Module Two — controller-to-processor) are incorporated into this DPA by reference and apply to such transfers. The optional clauses apply as follows:
- Clause 7 (docking) — applies;
- Clause 9 (Subprocessors) — Option 2 (general written authorization) applies, with a notice period of thirty (30) days as set out in Section 7;
- Clause 11 (redress) — the optional language is not selected;
- Clause 17 — governed by the laws of Ireland;
- Clause 18 — disputes resolved before the courts of Ireland;
- Annex I, II, and III of the SCCs are populated by Schedules 1, 3, and 2 of this DPA, respectively.
For transfers from the United Kingdom, the SCCs are supplemented by the UK Information Commissioner's International Data Transfer Addendum issued under section 119A of the UK Data Protection Act 2018. For transfers from Switzerland, references in the SCCs are adjusted as required by the Swiss Federal Data Protection and Information Commissioner.
9. Audits and information
Summit will make available to the Client, on at least thirty (30) days' written notice and no more than once per twelve (12) months (except as required by a supervisory authority or following a Personal Data Breach), information reasonably necessary to demonstrate Summit's compliance with this DPA. This may take the form of completed security questionnaires, written responses, or summaries of relevant policies. On-site audits are not contemplated; where a regulator requires an on-site audit, the parties will cooperate in good faith to satisfy that requirement. The Client will treat all such information as Summit's Confidential Information.
10. Personal data breach notification
Summit will notify the Client of a Personal Data Breach affecting Client Personal Data without undue delay, and in any event within seventy-two (72) hours of Summit becoming aware of the breach. The notification will include, to the extent reasonably available at the time, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to mitigate the breach. Summit will provide updates as additional information becomes available.
11. Term, return, and deletion
This DPA applies for the term of the Agreement and for as long as Summit processes Client Personal Data. On termination or expiry of the Agreement, Summit will, at the Client's election communicated in writing within sixty (60) days, either return all Client Personal Data to the Client or delete it from Summit's systems. If the Client does not provide written instructions within that sixty (60)-day period, Summit will delete Client Personal Data from its active systems. Summit may retain Client Personal Data in archived or backup systems for the period required by applicable law or our standard backup-retention cycle, subject to continued application of the protections in this DPA.
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Where the Agreement contains a cap on liability, that cap applies on an aggregate basis to both the Agreement and this DPA combined, and not separately to each.
13. Order of precedence; conflicts
In the event of a conflict between this DPA and the Agreement with respect to Client Personal Data, this DPA controls. In the event of a conflict between this DPA and the SCCs, the SCCs control with respect to processing subject to GDPR or UK GDPR.
14. Governing law
This DPA is governed by the same law as the Agreement, except that the SCCs are governed by the law specified in Section 8. Disputes will be resolved as set out in the Agreement, except as required by the SCCs or by applicable Data Protection Laws.
15. Changes
Summit may update this DPA from time to time to reflect changes in law or Summit's processing practices, provided that any change that materially decreases Summit's obligations will not take effect with respect to an active Agreement without the Client's written consent. Schedule 2 may be updated by notice in accordance with Section 7.
16. Contact
Summit Solutions, LLC
Houston, Texas, United States
Email: summitsolutionsag@gmail.com
Phone: Blake — 281-845-1501 · Nich — 832-963-9545
Description of processing
Subject matter and duration
Summit's processing of Client Personal Data is performed in connection with the services described in the Agreement (operation of the Client's lead generation system, including paid acquisition management, server-side tracking, attribution, CRM operations, and reporting). Processing continues for the term of the Agreement and any return-and-deletion period thereafter.
Nature and purpose of processing
Summit processes Client Personal Data to: configure and operate the Client's advertising and tracking platforms; ingest, attribute, and report on leads and conversions; integrate the Client's CRM and revenue systems; produce dashboards and analyses for the Client; and otherwise perform the services described in the Agreement.
Categories of data subjects
- The Client's prospects and leads (individuals who interact with the Client's ads, landing pages, forms, or other entry points);
- The Client's customers (where customer data is provided to Summit for retention, lookalike, or revenue-attribution purposes);
- The Client's authorized personnel who access systems Summit operates on the Client's behalf.
Categories of personal data
- Identifiers: name, email address, phone number, IP address, device identifiers, advertising identifiers, account identifiers;
- Form submissions and inquiry content from the Client's landing pages or forms;
- Marketing and conversion data: ad impressions, clicks, conversion events, UTM parameters, lead-source attribution;
- Commerce data (where applicable): purchase events, order values, products purchased, refund/dispute events;
- CRM data the Client elects to integrate, including lead/customer records, stage, notes, and assignment;
- Authentication and access information for the Client's authorized personnel.
Sensitive categories of personal data (such as health, financial account credentials, or government-issued identifiers) are not intended to be processed under the Agreement. If the Client provides sensitive data, it must do so in writing and Summit may decline to process it.
Frequency of processing
Continuous, for the term of the Agreement.
Approved subprocessors
Summit engages the following Subprocessors to assist in providing the services. Summit will keep this list current and provide updates by notice to the Client as set out in Section 7.
| Subprocessor | Purpose | Location |
|---|---|---|
| Google LLC (Google Workspace, Google Analytics 4, Google Tag Manager) | Internal communications; analytics, tag management, and conversion measurement set up on Client systems where authorized by the Client. | United States |
| Meta Platforms, Inc. (Meta Conversion API, Meta Pixel) | Conversion measurement, attribution, and audience syndication configured on Client systems where authorized by the Client. | United States |
| Zoom Video Communications, Inc. | Scheduling of meetings between Summit and Client personnel via Zoom Scheduler, and hosting of the video meetings themselves. Processes scheduling-related contact data and any audio/video/chat content generated during a meeting. | United States |
| Stripe, Inc. | Processing of Client billing and payment for Summit's services. Stripe acts as an independent controller for payment-card data. | United States |
| Vercel Inc. | Hosting and content delivery for Summit's marketing website. Vercel processes standard request metadata (IP, user-agent, referrer) in connection with serving the site. Planned future host for the Summit Console application following migration from Railway. | United States |
| Railway Corporation | Application hosting for the Summit Console as currently deployed. Railway processes request metadata and Summit Console application data in connection with serving the application. Migration to Vercel is planned. | United States |
| Supabase, Inc. | Managed Postgres database and backend services used to store and operate Client data within the Summit Console (including lead, customer, and reporting records). | United States (AWS us-east-2, Ohio) |
Where a Subprocessor in the table above operates as an independent controller for certain processing (for example, Google's or Meta's processing of identifiers in their own advertising platforms, or Stripe's processing of payment-card data), that processing is governed by the third party's own terms, not by this DPA.
Technical and organizational measures
Summit maintains the following technical and organizational measures, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to data subjects.
Access control
- Least-privilege access to systems holding Client Personal Data; access granted only to personnel with a documented business need.
- Unique user accounts; shared accounts prohibited.
- Multi-factor authentication required for access to administrative interfaces, advertising platforms, hosting consoles, and email.
- Periodic review of access rights; removal of access on personnel changes or role changes within a reasonable period.
Encryption
- Encryption in transit (TLS 1.2 or higher) for connections to applications and platforms used to process Client Personal Data.
- Encryption at rest for Client Personal Data stored in Summit-managed systems, using industry-standard ciphers.
Network and infrastructure security
- Use of reputable cloud infrastructure providers with mature security practices.
- Network segmentation and firewall controls.
- Vendor-managed platforms patched and updated on the vendor's release cadence; Summit-managed applications patched on a regular schedule.
Application security
- Secure-development practices for the Summit Console, including code review, input validation, parameterized database access, and output encoding.
- Dependency vulnerability scanning in the development pipeline.
Personnel
- Personnel with access to Client Personal Data are bound by written confidentiality obligations.
- Awareness training on data protection and security practices, refreshed on a regular cadence.
Logging and monitoring
- Logging of administrative and authentication events on Summit-managed systems.
- Review of logs and alerts for indicators of compromise.
Backup and resilience
- Periodic backups of production data for the Summit Console, retained in accordance with Summit's backup-retention schedule.
- Documented procedures for restoring availability and access to Client Personal Data in a timely manner following a physical or technical incident.
Incident management
- Defined incident-response process, including identification, containment, eradication, recovery, and notification.
- Notification of Personal Data Breaches as set out in Section 10.
Vendor management
- Evaluation of Subprocessors' security practices before engagement.
- Imposition of contractual data-protection obligations on Subprocessors consistent with this DPA.