
Data Protection Addendum

Last updated

This Data Protection Addendum applies to any processing of personal data DuoCircle performs on behalf of a Customer in connection with the DuoCircle Cloud Terms. Customers who require a counter-signed DPA may request one by emailing legal@duocircle.com. Most customers do not need a counter-signed copy. Acceptance of the Cloud Terms incorporates this DPA by reference.

DPA Setup

Field: Value

Provider: DuoCircle LLC, 5965 Village Way, Suite 105-234, San Diego, CA 92130, United States
Provider Data Protection contact: legal@duocircle.com
Customer Data Protection contact: The data protection contact on Customer’s account, or, if not designated, Customer’s billing contact
Effective Date: The date Customer first accepted the Cloud Terms
Notification method for subprocessor changes: Update to /legal/subprocessors/ and email to the technical contact on the account
Notification window for new subprocessors: Thirty days before the new subprocessor begins processing personal data

Schedule 1 – Description of Processing

Item: Description

Subject matter: Provision of email security, authentication, deliverability, and routing services as set out in the Cloud Terms
Duration: The term of the Cloud Terms plus any retention period required by law
Nature and purpose: Receiving, scanning, filtering, authenticating, queuing, forwarding, archiving, and reporting on email and email metadata under Customer’s control, and providing related dashboards, alerts, and APIs
Categories of personal data: Email envelope and header data including sender, recipient, subject, and routing information; message bodies and attachments where the service requires content inspection; account holder names, business email addresses, and authentication credentials; usage logs
Categories of data subjects: Customer’s employees, contractors, alumni, students, customers, vendors, and any other party who sends or receives email through Customer’s mail flow
Special categories of data: None expected. Customer must not route data covered by HIPAA, PCI DSS Level 1 cardholder data, or comparable special-category regimes through services not specifically provisioned for that data class. Contact legal@duocircle.com before doing so.

Schedule 2 – Technical and Organizational Security Measures

DuoCircle maintains an information security program aligned to the AICPA Trust Services Criteria for Security, Availability, Confidentiality, and Processing Integrity. SOC 2 Type II audits are performed annually by an independent CPA firm. Current controls are summarized at /legal/security/ and include:

  • Encryption in transit using TLS 1.2 or higher for all customer-facing endpoints, and encryption at rest for databases, object storage, and backups using industry-standard ciphers
  • Multi-factor authentication required for all production system access and for all administrative interfaces
  • Role-based access controls with least-privilege defaults; quarterly access reviews
  • Centralized logging, real-time alerting, and 24x7 on-call rotation
  • Vulnerability scanning, dependency monitoring, and timely patching
  • Independent penetration testing on a regular cadence
  • Documented incident response procedures with named breach-notification responsibilities
  • Background checks for employees with access to customer data, where permitted by law
  • Mandatory annual security training for all personnel
  • Vendor security review for any subprocessor with access to customer data

A current SOC 2 Type II report is available under NDA on request to legal@duocircle.com. The Bonterms Mutual NDA is published at /legal/mutual-nda/ for prospects who want to review the form before requesting the report.

Schedule 3 – Cross-Border Transfer Mechanisms

For transfers of personal data out of the EEA, the United Kingdom, and Switzerland to a third country that has not received an adequacy decision, the parties agree that the EU Commission Standard Contractual Clauses (Module Two, Controller to Processor) apply, with the United Kingdom Addendum where applicable and the Swiss Federal Data Protection Authority’s amendments where applicable. The optional clauses are deemed selected as follows:

  • Module: Two (Controller to Processor)
  • Docking clause: Selected
  • Subprocessor authorization: Option Two, general written authorization, with the notice period and process set out above
  • Audit clause: As set out in Schedule 2 and Section 9 of the Bonterms DPA
  • Governing law of the SCCs: Republic of Ireland
  • Forum for SCC disputes: Republic of Ireland

For onward transfers to subprocessors located in third countries, DuoCircle imposes equivalent terms via written agreement. Current subprocessors and their locations are listed at /legal/subprocessors/.

Schedule 4 – Region-Specific Terms

Region-specific addenda apply automatically to the extent the relevant data protection law governs Customer’s processing. This includes the UK GDPR for United Kingdom data subjects, the Swiss FADP for Swiss data subjects, the LGPD for Brazilian data subjects, the PIPL for People’s Republic of China data subjects, the CCPA and CPRA for California consumers, and equivalent state and national regimes. The Bonterms DPA Schedule 4 region-specific terms are incorporated as published.

Modifications to the standard form

The Bonterms DPA governs except as expressly modified by the DPA Setup, the Schedules, and the cross-border transfer mechanism designations above. There are no other modifications.

Earlier versions

Documents previously published as the DuoCircle Data Processing Agreement, the DuoCircle GDPR Privacy Policy, the DuoCircle Privacy Framework, and the DuoCircle Data Deletion Request page are superseded by this DPA together with the Privacy Notice and the Security Statement.

Questions about this document?

DuoCircle LLC, 5965 Village Way, Suite 105-234, San Diego, CA 92130. Email legal@duocircle.com for legal inquiries, or support@duocircle.com for everything else.