Data Processing Agreement

Last updated: April 13, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between PermitNetworks and the Customer. It governs the processing of Personal Data by PermitNetworks on behalf of the Customer in connection with the authorization platform Services, in compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

1. Definitions

"Controller" means the entity that determines the purposes and means of processing Personal Data, which is you, the Customer.

"Processor" means the entity that processes Personal Data on behalf of the Controller, which is PermitNetworks.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by PermitNetworks in connection with the Services.

"Sub-processor" means any third party engaged by PermitNetworks to process Personal Data on behalf of the Customer.

"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.

2. Scope & Purpose of Processing

This DPA applies to all Personal Data processed by PermitNetworks on behalf of the Customer in connection with the authorization platform Services.

PermitNetworks processes Personal Data solely for the purpose of providing the Services as described in the Terms of Service. This includes evaluating authorization requests, enforcing policies, generating audit logs, and providing analytics through the dashboard.

The categories of Personal Data processed may include: agent identifiers, user identifiers contained in authorization requests, IP addresses, email addresses, and any metadata included in policy evaluation contexts by the Customer.

3. Data Processing Obligations

PermitNetworks shall process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law.

PermitNetworks shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

PermitNetworks shall implement and maintain the technical and organizational security measures described in Section 5 of this DPA.

PermitNetworks shall not engage another processor without prior specific or general written authorization of the Customer. In the case of general written authorization, PermitNetworks shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors.

4. Sub-processors

The Customer provides general authorization for PermitNetworks to engage sub-processors. The current list of sub-processors is available at permitnetworks.com/legal/sub-processors and includes:

Amazon Web Services (AWS) -- cloud infrastructure and data storage, located in the United States and European Union.

Cloudflare -- edge network and DDoS protection, globally distributed.

Stripe -- payment processing, located in the United States.

PermitNetworks will notify the Customer at least 30 days before adding or replacing a sub-processor. The Customer may object to a new sub-processor within 14 days of notification. If no resolution is reached, the Customer may terminate the affected Services.

5. Security Measures

PermitNetworks implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.3).

Logical isolation of Customer data within the authorization platform.

Role-based access controls for all internal systems with mandatory multi-factor authentication.

Regular security assessments, penetration testing, and vulnerability scanning.

Incident response procedures with defined notification timelines.

Business continuity and disaster recovery capabilities with defined RPO and RTO targets.

PermitNetworks maintains SOC 2 Type II compliance and will provide audit reports to Enterprise customers upon request under NDA.

6. Data Subject Rights

PermitNetworks shall assist the Customer in responding to requests from Data Subjects exercising their rights under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection.

If PermitNetworks receives a request directly from a Data Subject, it shall promptly notify the Customer and shall not respond to the request without the Customer's instructions, unless required by law.

The Customer may use the dashboard and API to access, export, and delete Personal Data processed by PermitNetworks. Bulk deletion requests can be submitted to privacy@permitnetworks.com.

7. International Data Transfers

PermitNetworks processes data primarily in the United States and the European Union. For Enterprise customers, data residency options are available.

Where Personal Data is transferred outside the European Economic Area, PermitNetworks relies on the EU-U.S. Data Privacy Framework or, where applicable, Standard Contractual Clauses (SCCs) as approved by the European Commission.

PermitNetworks will cooperate with the Customer to implement any additional transfer mechanisms required by applicable law.

8. Term & Termination

This DPA shall remain in effect for the duration of the Customer's use of the Services. Upon termination of the Services, PermitNetworks shall delete or return all Personal Data within 30 days, unless retention is required by applicable law.

The Customer may request a copy of all Personal Data in a structured, commonly used, machine-readable format prior to termination.

Obligations under this DPA that by their nature should survive termination shall continue to apply, including confidentiality, security, and cooperation obligations.