Data Processing Agreement

This agreement is between eConsent LLC and the client with regard to access and use of econsent.org and related services. Contact us with questions.

Introduction

This Data Processing Agreement (“DPA”) outlines the terms and responsibilities related to the processing of personal data by eConsent LLC (“Processor” or “eConsent”) on behalf of the customer (“Controller”), in accordance with the requirements of applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant privacy regulations.

Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, including collection, recording, storage, retrieval, use, disclosure, or deletion.
  • Data Subject: An identified or identifiable natural person whose personal data is processed by the Processor on behalf of the Controller.
  • Consent Data: Personal data processed through the eConsent platform in connection with the capture, certification, and verification of consumer consent, including but not limited to names, phone numbers, email addresses, IP addresses, device information, and session recordings.

Scope and Purpose

The purpose of this DPA is to ensure the lawful and compliant processing of Personal Data by eConsent, as instructed by the Controller, and to define the rights and obligations of both parties. This DPA applies to all Consent Data processed through the eConsent platform on behalf of the Controller.

Data Processing Terms

  1. Processing Instructions: eConsent agrees to process Personal Data only based on documented instructions from the Controller, unless required to do so by applicable law. The Controller instructs eConsent to process Consent Data for the purpose of providing consent capture, certification, verification, and retention services.

  2. Security of Processing: eConsent shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

    • Encryption of data in transit and at rest
    • Regular security assessments and penetration testing
    • Access controls and authentication mechanisms
    • Incident response and data breach notification procedures
    • Regular backups and disaster recovery capabilities

  3. Subprocessing: eConsent shall not engage another processor without prior written authorization from the Controller. Where authorized, eConsent shall ensure that any subprocessor is bound by data protection obligations no less protective than those set out in this DPA. A current list of subprocessors is available upon request.

  4. Data Subject Rights: eConsent shall assist the Controller in ensuring compliance with data subjects’ rights under applicable data protection laws, including the right to access, rectification, erasure, restriction of processing, data portability, and objection.

  5. Data Breach Notification: eConsent shall notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach affecting the Controller’s data.

  6. Confidentiality: eConsent shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

  7. Audits and Inspections: eConsent shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

Data Retention

Consent Data is retained for the duration specified in the Controller’s service agreement and account settings. Upon expiration of the retention period or termination of services, eConsent shall securely delete the Controller’s Consent Data within 30 days, unless retention is required by applicable law.

International Data Transfers

Where Personal Data is transferred outside of the European Economic Area (EEA), eConsent shall ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as adopted by the European Commission or other legally recognized transfer mechanisms.

Duration and Termination

This DPA shall remain in effect for the duration of eConsent’s processing of Personal Data on behalf of the Controller. Upon termination, eConsent shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies unless applicable law requires further storage.

Governing Law

This DPA shall be governed by the laws of the State of California, United States, without regard to conflict of law principles.

Contact

For questions regarding this DPA, contact eConsent LLC at support@econsent.org.
