Legal
Data Processing Addendum (DPA)
Terms governing the processing of personal data when Dash4Sec acts as the customer's processor.
Last updated: June 17, 2026 · SAFONT REIS ASSESSORIA LTDA — CNPJ 49.204.046/0001-11
1. Subject matter and roles
This Addendum forms part of the Terms of Service and applies when Dash4Sec processes Customer Content that contains personal data. The customer is the controller and Dash4Sec is the processor, acting in accordance with the customer's documented instructions and applicable law (LGPD and, where applicable, GDPR).
2. Subject matter, duration, nature and purpose
Nature and purpose: provision of the maturity/compliance and TPRM platform. Duration: the term of the contract. Types of data: user and contact registration data, and data entered by the customer into environments, evidence, questionnaires and suppliers. Data subjects: the customer's users, contacts and supplier respondents.
3. Obligations of the processor
Dash4Sec: (a) processes data only in accordance with the customer's instructions and to provide the Service; (b) ensures that those who access the data are bound by confidentiality; (c) adopts appropriate security measures; (d) assists the customer in responding to data subject rights and in security obligations; and (e) deletes or returns the data at the end, except for legal retention.
4. Sub-processors
The customer authorizes the use of the sub-processors listed in the Privacy Policy (hosting, Stripe, Resend, Cloudflare Turnstile and Anthropic). We will keep those sub-processors under equivalent protection obligations and will communicate material changes.
5. Security incidents
In the event of a security incident involving personal data, we will notify the customer without undue delay, with the available information to support it in fulfilling its legal obligations (including notification to the ANPD and to data subjects, where required).
6. International transfers
Where there is an international transfer by sub-processors, the safeguards of the Standard Contractual Clauses (SCC) and other mechanisms permitted by the LGPD and the GDPR apply.