Data Processing Agreement (DPA)

Effective Date: December 2, 2025
Last Updated: December 2, 2025

Download Signed DPA

Customers requiring a signed Data Processing Agreement for GDPR compliance should contact us at legal@lavtsupply.com with their company details.

Standard DPA documents will be provided within 5 business days. Enterprise customers receive priority processing and may request custom DPA terms.

1. Background and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between LAVT Supply ("Processor") and you, the customer ("Controller"), for the provision of the AV Management Suite platform ("Service").

This DPA governs the processing of Personal Data (as defined in the GDPR) by the Processor on behalf of the Controller in connection with the Service.

1.1 Definitions

  • "GDPR" means the General Data Protection Regulation (EU) 2016/679
  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data
  • "Data Subject" means the individual to whom Personal Data relates
  • "Controller" means the entity that determines the purposes and means of processing Personal Data (you)
  • "Processor" means the entity that processes Personal Data on behalf of the Controller (LAVT Supply)
  • "Sub-processor" means any third-party processor engaged by the Processor

2. Data Processing Details

2.1 Nature and Purpose of Processing

The Processor will process Personal Data for the following purposes:

  • Providing the AV Management Suite platform and its features
  • Storing and managing customer, employee, and project data
  • Facilitating time tracking, project management, and billing functions
  • Enabling collaboration between team members
  • Providing technical support and customer service
  • Detecting and preventing fraud and security incidents

2.2 Types of Personal Data

The Processing may involve the following categories of Personal Data:

  • Identity Data: Name, email address, phone number, employee number
  • Contact Data: Addresses, phone numbers, email addresses
  • Employment Data: Job title, department, labor rates, work hours
  • Financial Data: Payment information (processed through Stripe)
  • Technical Data: IP addresses, login data, browser information
  • Location Data: GPS coordinates for mobile timesheet features
  • Usage Data: How the Service is accessed and used
  • Business Data: Project details, customer information, vendor data

2.3 Categories of Data Subjects

  • Employees and contractors of the Controller
  • Customers and contacts of the Controller
  • Vendors and suppliers of the Controller
  • End-users of the Controller's services

2.4 Duration of Processing

Processing will continue for the duration of the Service agreement and for 30 days following termination to allow for data export. Personal Data may be retained longer in anonymized form or as required by law.

3. Processor Obligations

3.1 Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. The Processor will inform the Controller if it believes an instruction violates applicable data protection laws.

3.2 Confidentiality

The Processor shall ensure that persons authorized to process Personal Data:

  • Are subject to confidentiality obligations
  • Receive appropriate training on data protection
  • Only access Personal Data as necessary for their duties

3.3 Security Measures

The Processor implements appropriate technical and organizational measures including:

  • Encryption of Personal Data in transit (TLS/SSL) and at rest
  • Multi-tenant data isolation using PostgreSQL Row-Level Security
  • Regular security testing and vulnerability assessments
  • Access controls and authentication mechanisms (Azure AD, MFA)
  • Comprehensive audit logging of all data access and modifications
  • Regular backups with 30-day retention
  • Employee security training and background checks
  • Incident response procedures

3.4 Sub-processors

The Controller provides general authorization for the Processor to engage Sub-processors. Current Sub-processors are listed at /legal/subprocessors.

The Processor will:

  • Maintain an up-to-date list of Sub-processors
  • Provide 30 days' notice before engaging new Sub-processors
  • Ensure Sub-processors are bound by data protection obligations equivalent to this DPA
  • Remain liable for the acts and omissions of Sub-processors

4. Controller Obligations and Rights

4.1 Lawful Processing

The Controller warrants that:

  • It has a lawful basis for processing Personal Data
  • It has obtained necessary consents from Data Subjects
  • Processing instructions comply with applicable data protection laws
  • It has provided required privacy notices to Data Subjects

4.2 Data Subject Rights

The Processor will assist the Controller in responding to Data Subject rights requests, including:

  • Right of Access: Providing copies of Personal Data
  • Right to Rectification: Correcting inaccurate Personal Data
  • Right to Erasure: Deleting Personal Data ("right to be forgotten")
  • Right to Data Portability: Exporting Personal Data in a machine-readable format
  • Right to Restriction: Limiting processing of Personal Data
  • Right to Object: Objecting to certain types of processing

The Controller remains responsible for responding to Data Subject requests within required timeframes. The Processor will provide reasonable assistance within 10 business days of request.

5. Data Breach Notification

In the event of a Personal Data breach, the Processor will:

  • Notify the Controller without undue delay and within 72 hours of becoming aware
  • Provide details of the nature of the breach, affected data, and potential consequences
  • Describe measures taken or proposed to address the breach
  • Provide regular updates as the investigation progresses
  • Cooperate with the Controller's investigation and remediation efforts

The Controller remains responsible for determining whether to notify supervisory authorities and affected Data Subjects as required by law.

6. Data Protection Impact Assessments and Audits

6.1 Assistance with DPIAs

The Processor will provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) where required by law.

6.2 Audit Rights

The Controller may audit the Processor's compliance with this DPA:

  • Upon reasonable notice (minimum 30 days)
  • No more than once per year (unless required by a supervisory authority)
  • During business hours to minimize disruption
  • Subject to confidentiality obligations

In lieu of on-site audits, the Processor may provide:

  • SOC 2 Type II audit reports
  • Third-party security certifications
  • Written responses to standard audit questionnaires

7. International Data Transfers

Personal Data may be transferred to and processed in the United States and other countries where the Processor or its Sub-processors maintain facilities.

7.1 Transfer Mechanisms

For transfers from the EEA to countries without an adequacy decision, the parties rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Additional safeguards as may be required by applicable law

7.2 Data Localization (Enterprise)

Enterprise customers may request data localization options to store Personal Data in specific geographic regions. Contact sales@lavtsupply.com for availability and pricing.

8. Return and Deletion of Personal Data

Upon termination of the Service agreement, the Processor will:

  • Provide the Controller with 30 days to export all Personal Data
  • Delete or return all Personal Data as instructed by the Controller
  • Delete existing copies unless retention is required by law
  • Provide written certification of deletion upon request

Backup copies may persist for up to 90 days following deletion but will not be used for any other purpose.

9. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service, except as prohibited by applicable data protection laws.

The Processor shall indemnify the Controller against claims arising from the Processor's breach of this DPA, except to the extent caused by the Controller's instructions or actions.

10. Amendments and Contact

This DPA may be amended to reflect changes in applicable data protection laws. Material changes will be communicated with 30 days' notice.

For questions or requests related to this DPA:

Data Protection Officer

LAVT Supply

Email: legal@lavtsupply.com

Subject: DPA Inquiry - AV Management Suite

This Data Processing Agreement is effective as of December 2, 2025.