Data Processing Addendum

Effective May 12, 2026 · Version 1.0 · Bonterms-derivative

Bonterms-derivative DPA. This Data Processing Addendum substantially follows the Bonterms Data Processing Addendum framework. It is incorporated by reference into the Terms of Service and applies whenever ElasticD3M, LLC processes Personal Data on Customer's behalf.

1. Definitions

Capitalized terms used but not defined here have the meanings given in the Terms of Service. For this DPA:

2. Roles of the Parties

For Personal Data processed in connection with the Services: Customer is the "Controller" (or "Business" under CCPA/CPRA) and ElasticD3M, LLC is the "Processor" (or "Service Provider" under CCPA/CPRA). ElasticD3M, LLC will Process Personal Data only on documented instructions from Customer, including as set forth in the Terms of Service, this DPA, and via the configuration choices Customer makes within the Services (e.g., which clouds to connect, what intake answers to submit).

3. Categories of Personal Data and Data Subjects

Category | Examples | Data Subjects
Identity / Contact | Name, business email, business phone, job title | Customer's employees and authorized representatives
Configuration metadata | IAM principal names, account IDs, resource ARNs, security-control settings, audit-log metadata | Indirectly: Customer's employees whose accounts appear in IAM/identity logs
Communications | Email content with ai4cmmc.ai mailboxes, support tickets | Customer's personnel corresponding with ElasticD3M

Out of scope. ElasticD3M, LLC does not knowingly process Controlled Unclassified Information (CUI) payloads, sensitive Personal Data as defined by CPRA (precise geolocation, government identifiers, health information, etc.), customer-of-Customer Personal Data, or other regulated payloads. Customer agrees not to submit such data through the Services.

4. Subprocessors

ElasticD3M, LLC engages Subprocessors as listed in the Subprocessors List. Customer authorizes ElasticD3M, LLC to engage these Subprocessors and any future Subprocessors notified to Customer under this Section 4.

Change Notice. ElasticD3M, LLC will give Customer at least thirty (30) days' advance notice of any new Subprocessor that will process Customer Personal Data. Notice is given by updating the published Subprocessors List and emailing the primary account contact at the email on file. Customer may object to a new Subprocessor by written notice within thirty (30) days; if the parties cannot resolve the objection, Customer may terminate the affected portion of the Services and receive a pro-rata refund of unused prepaid fees.

ElasticD3M, LLC remains liable for its Subprocessors' compliance with this DPA.

5. Security Measures (Technical and Organizational Measures)

ElasticD3M, LLC implements the following technical and organizational measures designed to protect Personal Data:

6. Data Subject Rights

ElasticD3M, LLC will reasonably assist Customer in responding to data subject requests under Applicable Data Protection Law, including requests to access, correct, delete, or limit Processing of Personal Data. Customer is responsible for receiving and responding to data subject requests; ElasticD3M, LLC's assistance is provided on Customer's instructions and at no additional charge for reasonable volumes.

7. Personal Data Breach Notification

ElasticD3M, LLC will notify Customer at the email address on file within seventy-two (72) hours of confirming a Personal Data Breach affecting Customer's Personal Data. The notification will include, to the extent then known: (a) the nature of the breach; (b) the categories and approximate number of affected data subjects and records; (c) the likely consequences; (d) the measures taken or proposed to address the breach; and (e) contact information for further questions.

8. Audit Rights

Upon Customer's reasonable written request (not more than once per twelve-month period, except after a confirmed Personal Data Breach), ElasticD3M, LLC will: (a) make available to Customer the latest available audit reports or attestations relevant to the Services (e.g., SOC 2 Type II when issued, or substantially equivalent third-party audit reports); and (b) respond in good faith to reasonable written information requests necessary for Customer to verify compliance with this DPA.

Customer's on-site audit rights are limited to circumstances where: (i) Customer has a reasonable basis to believe a Subprocessor or ElasticD3M, LLC has materially breached this DPA, and (ii) the requested audit cannot be reasonably satisfied through available audit reports or written information. Any on-site audit will be conducted during business hours on at least thirty (30) days' advance written notice, by a mutually acceptable independent auditor bound by confidentiality, and at Customer's cost.

9. International Data Transfers

For Customers in jurisdictions where transfer mechanisms are required for Personal Data processed in the United States, ElasticD3M, LLC will provide Standard Contractual Clauses ("SCCs") or equivalent transfer mechanisms upon written request to privacy@elasticd3m.com. Absent such request, Customer authorizes ElasticD3M, LLC to process Personal Data in the United States.

10. Return or Deletion at Termination

Within thirty (30) days after termination of the Services, on Customer's written request, ElasticD3M, LLC will either: (a) return Customer's Personal Data in a commonly used machine-readable format (e.g., JSON or CSV exports of Customer-facing tables); or (b) delete Customer's Personal Data from production systems and confirm deletion in writing. Customer Personal Data may persist in routine database backups that are overwritten on a documented rotation (typically within one hundred eighty (180) days).

11. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service, Section 13.

12. Order of Precedence

In the event of a conflict between this DPA and the Terms of Service, this DPA governs with respect to the Processing of Personal Data.
