Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") governs the processing of personal data by Datums Space in connection with the Platform services provided to your organization (the "Customer"). This DPA is incorporated into and forms part of the Datums Space Terms of Service.

1. Purpose & Scope of Processing

Datums Space operates as a local-first platform. For offline sandbox operations, Datums Space does not act as a data processor as no personal data is transmitted to or processed by our systems. This DPA applies solely if, and to the extent that, the Customer explicitly enables and configures Cloud Sync Scopes or uses the hosted enterprise consoles.

Under this agreement, the Customer acts as the Data Controller, and Datums Space acts as the Data Processor. The details of the processing operations are described in Customer-defined workspace synchronization parameters.

2. Processor Obligations

When acting as a Data Processor, Datums Space agrees to:

• Process on Instruction: Process Personal Data only on documented instructions from the Customer, including with respect to transfers of Personal Data to third countries.
• Confidentiality: Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Security: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks.

3. Technical & Organizational Measures (TOMs)

Processor implements and maintains the following security and compliance measures:

• Client-Side Isolation: Executing code sandbox runtimes in separate browser threads to ensure clean context separation.
• Zero-Trust Anonymization: Enabling local-first PII redaction and HIPAA PHI encryption rules within the Customer's browser prior to executing cloud sync triggers.
• Secure Transmission: Syncing metrics and metadata utilizing secure TLS 1.3 encryption protocols.
• Authentication Controls: Securing cloud scopes through unique authorization tokens and organization-level Firebase security rules.

4. Sub-processors

Customer agrees that Processor may engage sub-processors to assist in hosting and sync services. Processor's current authorized sub-processors list includes:

1. Google Firebase / Google Cloud Platform: Hosting, authentication, metadata synchronization services, and database backups.

Processor will notify Customer of any planned changes to sub-processors, giving Customer the opportunity to object to such changes.

5. Audits & Compliance Reviews

Datums Space shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

6. Termination & Deletion

Upon termination of workspace synchronization scopes or Customer request, all synchronized database metrics and cache logs will be permanently deleted from the cloud hosting environments within 30 days, unless applicable law requires continued retention.

7. Contact

If you have any questions regarding this Data Processing Agreement or our sub-processors list, please contact us at dpa@datums.space.