Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between Iora Technologies, Inc. ("Processor") and the customer ("Controller") for the use of the Iora Climate Intelligence platform.
1. Scope and Purpose
This DPA applies to the processing of personal data by Iora Technologies on behalf of the Controller in connection with the services provided through the Iora Climate Intelligence platform. The Processor shall process personal data only in accordance with the Controller's documented instructions.
2. Types of Data Processed
- Account information (names, email addresses)
- Organizational data (company details, operational data)
- Emissions and environmental data
- Usage analytics and platform interaction data
3. Sub-processors
The Processor may engage sub-processors to assist in providing the services. The Processor shall ensure that all sub-processors are bound by data protection obligations no less protective than those set out in this DPA. A current list of sub-processors is available upon request.
4. Data Transfers
Personal data may be transferred to and processed in countries outside the European Economic Area. The Processor shall ensure appropriate safeguards are in place, including Standard Contractual Clauses where required.
5. Security Measures
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption, access controls, regular testing, and incident response procedures.
6. Data Subject Rights
The Processor shall assist the Controller in responding to data subject requests by appropriate technical and organizational measures, taking into account the nature of the processing.
7. Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, and the measures taken or proposed to address the breach.
8. Data Retention and Deletion
Upon termination of services, the Processor shall, at the Controller's choice, delete or return all personal data, and delete existing copies unless retention is required by applicable law.