📄 Data Processing Agreement

GDPR-Compliant Data Processing Terms

Effective: October 25, 2025

Purpose: This Data Processing Agreement (DPA) governs the processing of personal data by CarbonCore.Earth as required under GDPR Article 28 and other applicable data protection laws.

1. Definitions

Data Controller: You (the customer using CarbonCore services)
Data Processor: CarbonCore.Earth
Personal Data: Any information relating to identified or identifiable natural persons
Processing: Any operation performed on personal data (collection, storage, use, disclosure)
Sub-processor: Third-party service providers engaged by CarbonCore to process personal data

2. Scope and Applicability

This DPA applies when CarbonCore processes personal data on behalf of customers, including:

3. Data Processing Principles

CarbonCore.Earth commits to processing data in accordance with the following principles:

Lawfulness

Process data only according to documented instructions from Controller

Purpose Limitation

Use data only for specified and legitimate purposes

Data Minimization

Collect only data that is necessary and adequate

Accuracy

Maintain accurate and up-to-date records

Storage Limitation

Retain data only as long as necessary

Security

Implement appropriate technical and organizational measures

4. Data Processor Obligations

4.1 Processing Instructions

CarbonCore shall:

4.2 Confidentiality

CarbonCore ensures that persons authorized to process personal data:

4.3 Security Measures

CarbonCore implements the following technical and organizational measures:

| Security Measure | Implementation |
|---|---|
| Encryption | AES-256 for data at rest, TLS 1.3 for data in transit |
| Access Control | Role-based permissions, multi-factor authentication |
| Monitoring | 24/7 security monitoring, intrusion detection systems |
| Audit Logs | Comprehensive logging of all data access and modifications |
| Testing | Regular penetration testing, security audits |
| Backup | Encrypted daily backups with disaster recovery procedures |

4.4 Sub-processors

CarbonCore may engage the following sub-processors:

| Sub-processor | Service | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | US-East-1 (Virginia) |
| PayPal | Payment processing | United States |
| AWS SES / SendGrid | Email delivery services | United States |
| Google Analytics | Platform analytics and monitoring | United States |

Sub-processor Changes: Controller consents to current sub-processors. CarbonCore will provide 30 days' notice before engaging new sub-processors or changing existing ones. Controller may object during this period.

5. Data Subject Rights

CarbonCore assists Controller in responding to data subject requests for:

Right to Access

Provide data copies within 30 days of request

✏️ Right to Rectification

Correct inaccurate or incomplete data

🗑️ Right to Erasure

Delete data (subject to legal obligations)

⏸️ Right to Restriction

Limit processing upon request

📦 Right to Portability

Provide data in machine-readable format

🛑 Right to Object

Stop processing for specific purposes

6. Data Breach Notification

In case of a personal data breach, CarbonCore will:

  1. Notify Controller within 48 hours of becoming aware of the breach
  2. Provide description of breach including categories and approximate number of affected data subjects
  3. Detail measures taken to address breach and mitigate harm
  4. Recommend steps Controller should take to minimize adverse effects
  5. Cooperate fully with Controller's breach response and notification obligations

7. Data Protection Impact Assessment

CarbonCore provides reasonable assistance for:

8. International Data Transfers

Personal data may be transferred to and processed in:

United States

Mechanism: AWS infrastructure uses Standard Contractual Clauses (SCCs) approved by EU Commission, supplemented with additional safeguards.

European Economic Area (EEA)

Mechanism: Processing within EEA when possible to minimize international transfers.

9. Audit and Compliance

Controller may:

Audit Costs: First audit per year is free. Additional audits are at Controller's expense unless breach is discovered.

10. Data Deletion and Return

Upon termination or expiry of services, CarbonCore will:

  1. Delete or return all personal data within 90 days
  2. Exception: Data retained for legal/regulatory compliance purposes only
  3. Blockchain data: Remains immutable (inherent to technology)
  4. Certification: Provide written confirmation of secure deletion upon request

11. Liability and Indemnification

Each party is liable for damages caused by GDPR violations attributable to them:

12. Term and Termination

This DPA:

13. Contact for DPA Matters

Data Protection Officer:

📧 Email: dpo@carboncore.earth
📧 Legal: legal@carboncore.earth
📧 Privacy: privacy@carboncore.earth

Acceptance: By using CarbonCore.Earth services, you acknowledge and accept the terms of this Data Processing Agreement as an integral part of our Terms of Service. This DPA is binding on both parties.