Legal Information

Data Processing Agreement

Enterprise standards for GDPR, CCPA, and SOC2 compliance

Last Updated: October 15, 2025

A Note on Compliance: We act as a Data Processor for our enterprise clients. This Data Processing Agreement (DPA) is an addendum to your primary service contract. It clearly delineates our technical responsibilities regarding the ingestion, storage, and erasure of your end-user data.

1. Roles and Responsibilities

Under GDPR and CCPA terminology:

  • You are the Data Controller: You dictate exactly what data is collected from your customers and why it is collected.
  • Acadify is the Data Processor: We build the databases, configure the AWS/GCP buckets, and write the backend logic that physically stores and routes that data on your behalf. We will never use this data for our own commercial purposes.

2. Cryptographic Security Standards

As your Processor, we implement the following technical measures by default across all client infrastructure:

  • Encryption at Rest: All databases (PostgreSQL, MongoDB) and object storage (S3) are encrypted using AES-256.
  • Encryption in Transit: All API traffic and database connections are secured via TLS 1.2 or higher.
  • Access Control: We enforce Zero Trust architecture. Only the specific engineers assigned to your sprint have temporary, MFA-protected access to your staging databases. Production access is heavily restricted and logged.

3. Authorized Subprocessors

We do not run physical server racks in a basement; we leverage elite cloud infrastructure. By signing with Acadify, you authorize our use of the following core Subprocessors, all of whom adhere to strict SOC2/GDPR compliance:

  • Amazon Web Services (AWS) - Cloud Infrastructure
  • Google Cloud Platform (GCP) - Data Warehousing & LLM APIs
  • Anthropic / OpenAI - External Inference Engines (Opt-In only)
  • Cloudflare - DNS routing and DDoS mitigation

4. Breach Notification Protocol

In the highly unlikely event of a verified data breach impacting your specific infrastructure, our incident response team guarantees a direct technical notification to your primary point of contact within 48 hours. We will provide forensic logs, an impact radius assessment, and an immediate patch strategy.

5. The Right to Erasure

When our contract concludes, we don't keep backups of your data laying around. Upon written request, Acadify will cryptographically wipe all staging data, code backups, and database dumps related to your project from our internal development machines within 15 days, providing a certificate of destruction if required.

Execution

This DPA is legally binding upon the execution of your primary Master Service Agreement (MSA). If your legal team requires a custom, manually signed DPA addendum, please forward the documentation to:

Legal Compliance:
legal@acadifysolution.com

Back to Home