Data Processing Agreement

Last updated: February 4, 2025

Summary

This Data Processing Agreement (DPA) governs how Modio LLC processes your Business Data as a data processor under GDPR. Key points:

You (the Customer) are the data controller for your Business Data
Modio LLC (Your Radar) is the data processor acting on your instructions
We process data only to provide the Service you requested
We use sub-processors (Render, Resend) with appropriate safeguards
We will notify you of data breaches within 72 hours
You can request data deletion at any time

1. Parties and Scope

This Data Processing Agreement ("DPA") is entered into by and between:

Controller: The customer who has agreed to the Your Radar Terms of Service ("Customer," "you," or "Controller")
Processor: Modio LLC, an Oregon limited liability company ("Modio," "we," "us," or "Processor")

This DPA applies to the processing of Personal Data contained within your Business Data that we process on your behalf when providing the Your Radar service ("Service").

This DPA is incorporated into and forms part of the Terms of Service. By using the Service, you agree to this DPA.

Scope Clarification

This DPA covers processing where you are the data controller and we act as your data processor. Specifically, it applies to:

Business Data you store in the Service (ventures, notes, cash payments)
Revenue data retrieved from your connected third-party accounts
Any Personal Data contained within the above

This DPA does not apply to Account Data (your email, password, session data), for which Modio LLC is the independent data controller as described in our Privacy Policy.

2. Definitions

Terms not defined here have the meanings given in the Terms of Service or GDPR.

"Business Data" means data you create, store, or retrieve through the Service, including ventures, cash payment records, revenue data, and related information.
"Data Protection Laws" means GDPR, UK GDPR, and other applicable data protection laws.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
"GDPR" means the General Data Protection Regulation (EU) 2016/679.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4 of the GDPR.
"Processing" means any operation performed on Personal Data, as defined in Article 4 of the GDPR.
"Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
"SCCs" means the Standard Contractual Clauses approved by the European Commission for international data transfers.
"Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
"UK GDPR" means the GDPR as incorporated into UK law by the Data Protection Act 2018.

3. Subject Matter and Duration

3.1 Subject Matter

The Processor will process Personal Data contained within the Controller's Business Data to provide the Your Radar service as described in the Terms of Service.

3.2 Duration

This DPA is effective from the date you accept the Terms of Service and continues until:

Your account is terminated or deleted, or
The Processor no longer processes Personal Data on your behalf

Certain obligations (confidentiality, data deletion certification) survive termination.

4. Nature and Purpose of Processing

4.1 Nature of Processing

The Processor performs the following processing operations:

Collection: Receiving Business Data you submit or authorize us to retrieve
Storage: Storing Business Data in our database systems
Retrieval: Displaying Business Data in your dashboard
Aggregation: Combining revenue data from multiple sources
Deletion: Removing Business Data upon your request

4.2 Purpose of Processing

Processing is performed solely to:

Provide the revenue tracking and dashboard features of the Service
Store and display your business ventures and cash payment records
Generate historical snapshots for trend analysis
Enable data export functionality

4.3 No Other Processing

The Processor will not:

Process Personal Data for any purpose other than providing the Service
Sell Personal Data to third parties
Use Personal Data for automated decision-making or profiling
Combine your Personal Data with data from other customers for marketing purposes

See Annex I for detailed processing specifications.

5. Processor Obligations

The Processor agrees to the following obligations under Article 28 of the GDPR:

5.1 Documented Instructions

The Processor will process Personal Data only on documented instructions from the Controller, including:

This DPA and its Annexes
The Terms of Service
Settings and configurations you apply within the Service
Any additional written instructions you provide

If the Processor believes an instruction infringes Data Protection Laws, we will inform you before processing (unless prohibited by law from doing so).

5.2 Confidentiality

The Processor ensures that persons authorized to process Personal Data:

Have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
Process Personal Data only as required for their job functions
Have received appropriate training on data protection obligations

5.3 Security

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Encryption of Personal Data at rest and in transit
Access controls and authentication mechanisms
Regular testing and evaluation of security measures
Measures to ensure ongoing confidentiality, integrity, availability, and resilience

See Annex II for detailed security measures.

5.4 Sub-processor Requirements

The Processor will:

Not engage a Sub-processor without prior authorization (see Section 7)
Impose equivalent data protection obligations on all Sub-processors
Remain liable for Sub-processor compliance

5.5 Data Subject Rights

The Processor will assist the Controller in responding to Data Subject requests under GDPR Articles 15-22, including requests for:

Access to Personal Data
Rectification of inaccurate data
Erasure ("right to be forgotten")
Restriction of processing
Data portability
Objection to processing

Given the nature of the Service, you can fulfill most Data Subject requests directly through your account controls. If you need assistance, contact adrian@modio.tv.

5.6 Compliance Assistance

The Processor will assist the Controller with:

Data Protection Impact Assessments (DPIAs) where required
Prior consultation with supervisory authorities where required
Demonstrating compliance with GDPR obligations

Reasonable costs for assistance beyond standard support may be charged at our then-current rates.

5.7 Data Breach Notification

See Section 9 for breach notification procedures.

5.8 Deletion and Return

See Section 11 for data deletion and return procedures.

6. Controller Obligations

The Controller agrees to:

6.1 Lawful Processing

Ensure there is a lawful basis for all Personal Data processed through the Service
Comply with all applicable Data Protection Laws
Provide any required notices to and obtain any required consents from Data Subjects

6.2 Instructions

Ensure all instructions given to the Processor comply with Data Protection Laws
Not instruct the Processor to process Personal Data in ways that would violate applicable laws

6.3 Accuracy

Ensure Personal Data provided to the Processor is accurate and up to date
Promptly notify the Processor of any changes or corrections needed

6.4 Security

Use strong, unique passwords for your account
Protect your integration API credentials
Promptly report any suspected unauthorized access

7. Sub-processors

7.1 Authorization

The Controller provides general authorization for the Processor to engage Sub-processors to perform specific processing activities, subject to the requirements in this Section.

7.2 Current Sub-processors

The Controller acknowledges and authorizes the Sub-processors listed in Annex III as of the effective date of this DPA.

7.3 New Sub-processors

Before engaging a new Sub-processor, the Processor will:

Update the Sub-processor list at this page (see Annex III)
Notify the Controller by email at least 30 days before the new Sub-processor begins processing
Provide information about the processing to be performed

7.4 Objection Right

If you object to a new Sub-processor, you may:

Notify us in writing within 14 days of our notification
Provide reasonable grounds for your objection

We will work with you in good faith to address your concerns. If we cannot resolve the objection, you may terminate your account without penalty.

7.5 Sub-processor Agreements

The Processor ensures that all Sub-processors are bound by written agreements that impose data protection obligations no less protective than those in this DPA.

7.6 Liability

The Processor remains fully liable for the acts and omissions of its Sub-processors.

8. International Transfers

8.1 Transfer Locations

Personal Data may be transferred to and processed in the United States, where our hosting infrastructure is located.

8.2 Transfer Mechanisms

For transfers of Personal Data from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on:

Standard Contractual Clauses (SCCs): The European Commission's SCCs for Controller-to-Processor transfers (Module Two)
UK International Data Transfer Agreement: For transfers from the UK
Swiss-U.S. Data Privacy Framework: Where applicable

8.3 SCCs Incorporation

Where applicable, the SCCs are incorporated by reference into this DPA. For the purposes of the SCCs:

Module Two (Controller to Processor) applies
Clause 7 (Docking clause): Not applicable
Clause 9(a) (Sub-processor authorization): Option 2 (General written authorization) applies, with 30 days' notice
Clause 11 (Redress): Optional language is not included
Clause 17 (Governing law): The laws of the EU Member State where the Controller is established, or Ireland if Controller is not in the EEA
Clause 18 (Forum): The courts of the same jurisdiction

8.4 Additional Safeguards

The Processor implements supplementary measures including:

Encryption of Personal Data in transit and at rest
Access controls limiting who can access Personal Data
Contractual commitments from Sub-processors regarding government access requests

8.5 Copies of Transfer Mechanisms

Upon request, we will provide copies of the applicable transfer mechanisms. Contact adrian@modio.tv.

9. Data Breach Notification

9.1 Notification Timeline

The Processor will notify the Controller of a Personal Data Breach without undue delay and in any event within 72 hours of becoming aware of the breach.

9.2 Notification Content

The notification will include, to the extent known:

A description of the nature of the breach, including categories and approximate number of Data Subjects and records affected
Name and contact details of the Processor's point of contact
Likely consequences of the breach
Measures taken or proposed to address the breach and mitigate its effects

9.3 Additional Information

If it is not possible to provide all information at once, the Processor will provide information in phases without undue delay.

9.4 Assistance

The Processor will cooperate with the Controller and provide reasonable assistance to:

Investigate the breach
Meet the Controller's obligations to notify supervisory authorities and Data Subjects
Take steps to mitigate the breach's effects

9.5 Documentation

The Processor will document all Personal Data Breaches, including facts, effects, and remedial actions taken.

9.6 Contact for Breach Notifications

Breach notifications will be sent to the email address associated with your account. Ensure your contact information is current.

10. Audits

10.1 Audit Rights

The Controller has the right to verify the Processor's compliance with this DPA through:

Requesting and reviewing relevant documentation, policies, and certifications
Submitting written questions or audit questionnaires
Conducting or commissioning an on-site audit (with reasonable notice)

10.2 Audit Process

For audits:

The Controller must provide at least 30 days' written notice
Audits must be conducted during normal business hours
Audits must not unreasonably disrupt the Processor's operations
The Controller (or auditor) must sign a confidentiality agreement
The Controller bears all costs of the audit

10.3 Information Provision

The Processor will make available all information necessary to demonstrate compliance with Article 28 GDPR, including:

Security policies and procedures
Sub-processor agreements (redacted as needed)
Results of security assessments or penetration tests (where available)

10.4 Frequency

The Controller may conduct audits no more than once per calendar year, unless a Personal Data Breach has occurred or a supervisory authority requires an audit.

11. Data Return and Deletion

11.1 During the Term

During the term of the agreement, you can:

Export your Business Data at any time through the Service's export features
Delete specific data through the Service's interface

11.2 Upon Termination

Upon termination of your account:

Data Export: You may export your data before account deletion
Deletion: All Personal Data associated with your account will be permanently deleted through our cascading deletion process
Timeline: Deletion is typically completed within 30 days of account termination

11.3 Backup Retention

Personal Data may be retained in encrypted backups for up to 90 days as part of disaster recovery procedures. After this period, all copies will be deleted.

11.4 Certification

Upon request, we will provide written certification that all Personal Data has been deleted in accordance with this DPA.

11.5 Exceptions

The Processor may retain Personal Data to the extent required by applicable law, provided that:

We notify you of such requirement (unless prohibited)
We limit processing to what is required by law
We protect the confidentiality of retained data

12. Liability

12.1 Each Party's Liability

Each party is liable for damages caused by its breach of this DPA or Data Protection Laws, in accordance with Article 82 GDPR.

12.2 Limitations

The limitations of liability in the Terms of Service apply to this DPA, except to the extent prohibited by applicable law.

12.3 Indemnification

Each party agrees to indemnify the other for fines, penalties, and damages arising from the indemnifying party's breach of this DPA or Data Protection Laws.

13. General Provisions

13.1 Governing Law

This DPA is governed by the laws of the State of Oregon, USA, except where Data Protection Laws require otherwise (e.g., for SCCs, see Section 8.3).

13.2 Conflict

In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters.

13.3 Amendments

We may update this DPA to reflect changes in Data Protection Laws or our processing activities. Material changes will be notified as described in the Terms of Service.

13.4 Severability

If any provision of this DPA is found unenforceable, the remaining provisions remain in effect.

13.5 Contact

For questions about this DPA, contact: adrian@modio.tv

Annex I: Processing Details

A. Categories of Data Subjects

Personal Data may relate to the following categories of Data Subjects:

Controller's business contacts (names in venture records)
Controller's vendors and suppliers (names in cash payment records)
Controller's customers (to the extent included in revenue data or notes)

B. Categories of Personal Data

Category	Data Elements	Sensitivity
Venture Data	Business names, descriptions, notes (may contain contact names)	Standard
Cash Payments	Vendor/recipient names, payment amounts, dates	Standard
Revenue Data	Aggregated transaction data (typically no individual personal data)	Standard
Notes and Descriptions	Free-text fields that may contain personal data at Controller's discretion	Varies

Special Categories: The Service is not designed to process special category data (Article 9 GDPR). Controller should not submit such data.

C. Processing Operations

Operation	Description	Frequency
Collection	Receiving data via web interface or API integrations	User-initiated or daily (integrations)
Storage	Persisting data in PostgreSQL database	Continuous
Retrieval	Displaying data in dashboard	User-initiated
Aggregation	Combining revenue from multiple sources	Daily
Deletion	Removing data upon request or account termination	As requested

D. Duration of Processing

Processing continues for the duration of the Controller's use of the Service. Data is retained until account deletion or specific deletion request.

Annex II: Technical and Organizational Measures

The Processor implements the following security measures:

A. Access Control

User authentication via email/password with bcrypt-12 password hashing
Session tokens generated with cryptographically secure random bytes
Session tokens stored as SHA-256 hashes (never in plaintext)
Sessions expire after 7 days
HttpOnly, Secure, SameSite=Strict cookie configuration
Rate limiting on authentication endpoints (5 requests/minute)

B. Encryption

In Transit: TLS/HTTPS for all communications
At Rest: Integration credentials encrypted with AES-256-GCM
Key Management: Encryption keys stored in environment variables, separate from data
Unique IVs: Each encryption operation uses a unique initialization vector

C. Data Integrity

PostgreSQL database with ACID compliance
Parameterized queries to prevent SQL injection
Input validation on all user-submitted data
Referential integrity enforced via foreign keys with CASCADE delete

D. Availability and Resilience

Hosted on Render with managed infrastructure
Database backups (managed by hosting provider)
Daily revenue data snapshots for historical preservation

E. Monitoring and Logging

Session activity logging (IP address, user agent, timestamps)
Failed authentication attempt tracking
Application error logging

F. Personnel Security

Access to production systems limited to authorized personnel
Principle of least privilege applied
Confidentiality obligations in place

G. Incident Response

Documented incident response procedures
72-hour breach notification commitment
Post-incident review and remediation

H. Data Deletion

Account deletion triggers cascading deletion of all user data
Automated expiration of temporary tokens (sessions, password resets)
Integration credentials deleted when disconnected

Annex III: Sub-processors

As of the effective date, the following Sub-processors are authorized:

Sub-processor	Purpose	Location	Data Processed
Render	Web hosting and PostgreSQL database	USA	All data stored in the Service
Resend	Transactional email delivery	USA	Email addresses (for authentication emails only)

Sub-processor Policies

Updates

The current list of Sub-processors is maintained at: this page (Annex III above)

Last updated: February 4, 2025