Effective date: 2026-06-02
Data Processing Agreement
Codex Titan — RB ZILLA LLC
Effective Date: June 2, 2026
Published at: https://www.codextitan.com/dpa
This Data Processing Agreement ("DPA") is entered into between RB ZILLA LLC, a limited liability company operating the Codex Titan platform ("Processor"), and the entity identified as the customer in the applicable Order Form or Terms of Service ("Controller"). This DPA forms part of, and is incorporated into, the Codex Titan Terms of Service ("Agreement"). In the event of a conflict between this DPA and the Agreement regarding data protection matters, this DPA prevails.
1. Definitions
For the purposes of this DPA, the following terms have the meanings set out below:
1.1 "Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under this DPA, including without limitation:
- The EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and any national implementing legislation;
- The UK General Data Protection Regulation (as retained in UK law by the European Union (Withdrawal) Act 2018) and the UK Data Protection Act 2018 ("UK GDPR");
- The California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code §§ 1798.100–1798.199.100) ("CCPA/CPRA");
- The Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) ("PIPEDA") and applicable Canadian provincial privacy legislation;
- The Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APP") contained therein;
- Any other applicable national, federal, state, or provincial data protection or privacy law.
1.2 "Data Controller" (or "Controller") means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For purposes of this DPA, the customer is the Data Controller.
1.3 "Data Processor" (or "Processor") means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Data Controller. For purposes of this DPA, RB ZILLA LLC is the Data Processor.
1.4 "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
1.5 "Personal Data" means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
1.6 "Processing" means any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.7 "Security Incident" means any confirmed or reasonably suspected unauthorized access to, acquisition of, use of, disclosure of, modification of, or destruction of Personal Data processed under this DPA, or any event that compromises the security, confidentiality, or integrity of such Personal Data.
1.8 "Service Provider" means, as defined under Cal. Civ. Code Section 1798.140(ag), a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by the CCPA/CPRA.
1.9 "Sub-processor" means any third-party data processor engaged by the Processor who receives Personal Data from the Processor for processing on behalf of the Controller.
1.10 "Supervisory Authority" means an independent public authority established under applicable data protection law, including a data protection authority established under GDPR Article 51, the UK Information Commissioner's Office, or any equivalent regulatory body under applicable law.
1.11 "Technical and Organizational Measures" means the security and operational safeguards implemented by the Processor to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure, as further described in Annex C of this DPA.
2. Scope and Purpose
2.1 Role of the Processor. The Processor processes Personal Data solely in its capacity as a Data Processor acting on behalf of the Controller. Where the CCPA/CPRA applies, the Processor acts as a Service Provider as defined in Cal. Civ. Code Section 1798.140(ag). The Processor does not determine the purposes or means of processing Personal Data and processes such data only in accordance with the Controller's documented instructions.
2.2 Relationship to the Agreement. This DPA supplements the Agreement and governs all processing of Personal Data by the Processor on behalf of the Controller in connection with the Codex Titan platform and services ("Services"). In the event of any conflict or inconsistency between this DPA and the Agreement with respect to data protection matters, this DPA prevails.
2.3 Processing Activities. The Processor processes Personal Data in connection with the following specific activities carried out in the course of providing the Services:
- Ticket management and support interactions: Receiving, storing, routing, and managing customer support tickets submitted by the Controller's end users, including associated metadata, conversation history, and attachments.
- AI-assisted triage, content generation, and compliance document generation: Transmitting support ticket content, user-submitted text, and extracted URL content to an authorized AI sub-processor for automated classification, suggested response generation, knowledge base article generation, FAQ generation, canned response generation, and automated generation of legal and compliance documents (including privacy policies and terms of service).
- Knowledge base, FAQ, and canned response delivery: Storing, organizing, retrieving, and serving knowledge base articles, frequently asked questions, and canned response templates created by or on behalf of the Controller.
- Bug tracking and feature request management: Receiving, storing, categorizing, and managing bug reports and feature requests submitted by the Controller's end users, including associated metadata and status updates.
- Consent configuration and consent event logging: Storing consent banner configurations, recording consent events (including categories granted or denied, timestamps, banner version identifiers, and Global Privacy Control signal status), and making consent logs available to the Controller.
- Data Subject Access Request (DSAR) intake and fulfillment: Providing intake forms and identity verification workflows for DSARs submitted by Data Subjects, logging DSAR events, and facilitating the Controller's fulfillment of such requests.
- Email notifications and engagement tracking: Sending transactional and notification emails on behalf of the Controller via an authorized email sub-processor, including tracking delivery confirmation via tracking pixels and recording open timestamps and recipient IP address at time of open.
- Product analytics and error monitoring: Collecting and processing usage events, session data, and error telemetry to support platform operation, performance monitoring, and product improvement, subject to applicable consent requirements.
- URL content extraction for AI-powered content generation: Fetching and processing content from URLs provided by the Controller or its users for the purpose of generating AI-assisted content within the Services.
2.4 Controller Instructions. The Controller instructs the Processor to process Personal Data for the purposes described in Section 2.3 and Annex A. The Controller may issue additional documented instructions in writing. The Processor processes Personal Data only in accordance with such instructions, except where required to do so by applicable law, in which case the Processor notifies the Controller before such processing unless prohibited by law.
3. Annex A — Data Processing Details
| Item | Description |
|---|---|
| Data Subjects | The Controller's customers; end users of the Controller's products or services; visitors to the Controller's website or support portal. |
| Personal Data Categories | Identity data: names, usernames, account identifiers. Contact data: email addresses, phone numbers. Technical data: IP addresses, device identifiers, browser type and version, operating system, session tokens. Usage data: support ticket content, bug report content, feature request content, knowledge base interaction data, DSAR submission content, consent event records, product analytics events, error telemetry. Financial data: billing-related identifiers processed by the payment sub-processor (card type, last four digits, billing address). Email engagement data: open timestamps, approximate geolocation derived from IP address at time of email open. Consent data: consent actions (categories granted or denied), timestamps, banner version identifiers, Global Privacy Control (GPC) signal status. AI processing inputs: text content submitted for AI triage and content generation; URLs provided for content extraction and AI-powered content generation. |
| Processing Purposes | As enumerated in Section 2.3: ticket management and support interactions; AI-assisted triage, content generation, and compliance document generation; knowledge base, FAQ, and canned response delivery; bug tracking and feature request management; consent configuration and consent event logging; DSAR intake and fulfillment; email notifications and engagement tracking; product analytics and error monitoring; URL content extraction for AI-powered content generation. |
| Nature of Processing | Collection, storage, retrieval, organization, use, automated analysis (including AI/ML inference), disclosure by transmission to authorized Sub-processors, and erasure. |
| Duration of Processing | For the term of the Agreement, plus a post-termination data export window of 30 days, after which Personal Data is deleted in accordance with Section 11. |
4. Processor Obligations
The Processor agrees to the following obligations in accordance with GDPR Article 28(3):
4.1 Processing on Instructions Only. The Processor processes Personal Data only on documented instructions from the Controller, including the instructions set out in this DPA and the Agreement. If the Processor is required by applicable law to process Personal Data beyond those instructions, the Processor notifies the Controller of that legal requirement before processing, unless the applicable law prohibits such notification on grounds of public interest.
4.2 Confidentiality. The Processor ensures that all persons authorized to process Personal Data under this DPA have committed to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to personnel who require such access to perform the Services.
4.3 Security Measures. The Processor implements and maintains appropriate Technical and Organizational Measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32 and as further described in Annex C of this DPA.
4.4 Assistance with Data Subject Rights. The Processor assists the Controller, by appropriate technical and organizational measures, in fulfilling the Controller's obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including the rights described in Section 6 of this DPA.
4.5 Assistance with DPIAs and Prior Consultation. The Processor assists the Controller in ensuring compliance with the obligations set out in GDPR Articles 35 and 36, including data protection impact assessments and prior consultation with Supervisory Authorities, taking into account the nature of processing and the information available to the Processor.
4.6 Data Return and Deletion. Upon termination or expiry of the Agreement, the Processor deletes or returns all Personal Data to the Controller in accordance with Section 11 of this DPA, and deletes existing copies unless applicable law requires retention.
4.7 Demonstration of Compliance. The Processor makes available to the Controller information necessary to demonstrate compliance with the obligations set out in GDPR Article 28, and allows for and contributes to audits conducted by the Controller or a qualified auditor mandated by the Controller, in accordance with Section 12 of this DPA.
4.8 Notification of Unlawful Instructions. The Processor immediately informs the Controller if, in the Processor's opinion, an instruction from the Controller infringes Applicable Data Protection Laws. The Processor is not required to follow an instruction that would cause the Processor to violate applicable law.
4.9 Automated Decision-Making Assistance. The Processor assists the Controller in meeting its obligations with respect to automated decision-making under GDPR Article 22, including by providing the mechanisms described in Section 7 of this DPA.
5. Annex B — Sub-Processor List
The Controller provides general authorization for the Processor to engage the following Sub-processors. The Processor notifies the Controller at least 14 days in advance of engaging any new Sub-processor or making material changes to existing Sub-processor arrangements. The Controller may object to a new Sub-processor within 7 days of receiving such notice. If the parties cannot resolve the objection, the Controller may terminate the affected portion of the Services without penalty. The Processor remains fully liable for the performance of each Sub-processor's obligations under this DPA.
Emergency Sub-Processor Changes. Where a Sub-processor change is necessitated by a service disruption, security incident, or discontinuation of a Sub-processor's service, the Processor may make the change immediately and will notify the Controller as soon as reasonably practicable and in no event later than 5 business days after the change. The Controller retains the right to object within 7 days of receiving such notice.
| Sub-Processor | Processing Activity | Data Categories | Location |
|---|---|---|---|
| Google Cloud / Firebase | Cloud infrastructure hosting; database storage; authentication services; file storage | All personal data categories processed under this DPA, including identity data, contact data, technical data, usage data, AI processing inputs, consent data, and email engagement data | United States |
| PostHog | Product analytics (consent-gated dashboard events); server-side telemetry including AI operation metadata (model used, token counts, latency — no prompt content) | Technical data (IP address, device identifiers, session tokens); usage data (product events, feature interaction data); AI operation metadata | United States |
| Stripe | Payment processing; subscription and billing management | Identity data (name); contact data (email address, billing address); financial data (card type, last four digits of card number, billing postal code) | United States |
| Resend | Transactional and notification email delivery; tracking pixels for delivery confirmation | Contact data (recipient email address); notification subject and body; email engagement data (open timestamps, recipient IP address at time of open) | United States |
| Anthropic | AI-assisted support ticket triage; AI content generation for knowledge base articles, FAQs, and canned responses; AI compliance document generation (privacy policies, terms of service); URL content extraction for AI-powered content generation | AI processing inputs (text content submitted for triage and content generation; URLs provided for content extraction); support ticket content; user-submitted text | United States |
| Cloudflare | Content delivery network (CDN); DDoS protection; TLS termination; edge caching; DNS management; server-side tag management (Zaraz) on the marketing site; processing at globally distributed edge nodes | Technical data (IP addresses, request metadata, browser identifiers, page interaction data); all data in transit through the CDN | Global (edge nodes worldwide) |
| Slack Technologies, LLC (a Salesforce company) | Notification delivery — relays support events (new tickets, escalations, resolutions, customer feedback) to the Controller's selected Slack channel. Optional; engaged only when the Controller activates the integration. | Identity data (requester name and email, included only for non-anonymous tickets); support interaction content (ticket subject ≤100 characters, first end-user message excerpt ≤300 characters, escalation reason ≤300 characters, feedback comment ≤300 characters); assigned Authorized User name; feedback type and score; ticket/feedback identifiers; dashboard deep link | United States |
| Sentry | Application error monitoring and performance tracing; configured with sendDefaultPii: false to prevent capture of personally identifiable information | Error telemetry (stack traces, error messages, request metadata); no PII captured by configuration | United States |
Note on Marketing-Site-Only Services. Google Analytics, Google Ads, and Cloudflare Zaraz (a Cloudflare tag management capability) operate exclusively on the Codex Titan marketing website (codextitan.com) and do not process Personal Data submitted by the Controller or its end users through the Codex Titan platform API or dashboard. These services are not Sub-processors with respect to the Controller's customer data and are disclosed here for transparency only.
Sub-Processor Contracts. The Processor ensures that each Sub-processor is bound by a written contract imposing data protection obligations equivalent to those set out in this DPA. The Processor remains liable to the Controller for the Sub-processor's performance of those obligations.
6. Data Subject Rights
6.1 Assistance Obligation. The Processor assists the Controller in fulfilling its obligations to respond to Data Subject rights requests under Applicable Data Protection Laws, including requests for: access to Personal Data; rectification of inaccurate Personal Data; erasure of Personal Data; portability of Personal Data; restriction of processing; and objection to processing.
6.2 Data Portability Format. Upon request by the Controller, the Processor provides Personal Data exports in a structured, commonly used, machine-readable format (JSON or CSV) to facilitate the Controller's compliance with data portability obligations.
6.3 Direct Requests from Data Subjects. If the Processor receives a request directly from a Data Subject purporting to exercise rights under Applicable Data Protection Laws, the Processor notifies the Controller promptly and without undue delay. The Processor does not respond directly to such requests unless expressly authorized in writing by the Controller to do so.
6.4 DSAR Infrastructure. The Processor maintains DSAR handling infrastructure, including intake forms, identity verification workflows, and audit logging, which is made available to the Controller to facilitate the Controller's fulfillment of Data Subject rights requests.
6.5 Timely Cooperation. The Processor responds to the Controller's requests for assistance under this Section within a timeframe that allows the Controller to meet applicable statutory deadlines for responding to Data Subject requests.
7. Automated Decision-Making
7.1 Scope. The Codex Titan platform uses AI/ML inference provided by Anthropic to perform automated analysis of support ticket content, generate suggested responses, and produce compliance documents. This Section addresses the Processor's obligations with respect to such automated processing in accordance with GDPR Article 22 and Applicable Data Protection Laws.
7.2 Controller Responsibility. The Controller is responsible for determining whether any AI-assisted processing performed through the Services constitutes automated decision-making with legal or similarly significant effects on Data Subjects under GDPR Article 22 or equivalent provisions of Applicable Data Protection Laws. The Controller is responsible for implementing any required safeguards, including providing appropriate notices to Data Subjects and obtaining any required consents.
7.3 Processor Support Mechanisms. To support the Controller's compliance obligations, the Processor:
- (a) provides mechanisms to disable AI-assisted processing on a per-item or tenant-wide basis, allowing the Controller to exclude specific data from AI processing;
- (b) makes AI-generated outputs available for human review before any action is taken, and does not take automated actions with legal or similarly significant effects on Data Subjects without human oversight unless the Controller expressly configures the Services to do so;
- (c) identifies AI-generated content within the platform interface so that the Controller and its personnel can distinguish AI-generated outputs from human-authored content.
7.4 No Training on Controller Data. The Processor's AI sub-processor (Anthropic) does not use API inputs submitted through the Codex Titan platform for the purpose of training or improving its AI models, in accordance with Anthropic's API usage policies. The Processor does not grant any AI sub-processor rights to use Controller Personal Data for model training purposes.
7.5 Data Minimization for AI Processing. The Processor transmits only the minimum data necessary to perform the requested AI function to the AI sub-processor. The Processor does not transmit API keys, administrative credentials, billing data, financial data, or Personal Data unrelated to the specific AI processing task to any AI sub-processor.
8. Annex C — Security Measures
The Processor implements and maintains the following Technical and Organizational Measures:
Technical Measures
8.1 Encryption at Rest. All Personal Data stored within the Codex Titan platform is encrypted at rest using AES-256 or an equivalent industry-standard encryption algorithm.
8.2 Encryption in Transit. All Personal Data transmitted between clients and the Codex Titan platform, and between the platform and Sub-processors, is encrypted in transit using TLS 1.2 or higher.
8.3 Access Controls. Access to systems processing Personal Data is governed by role-based access controls (RBAC) implementing the principle of least privilege. Access rights are reviewed at least annually and when personnel changes occur, and revoked promptly upon personnel departure or role change.
8.4 Multi-Tenant Data Isolation. The platform enforces logical separation of Controller data at the database level. Tenant identifiers are derived exclusively from authenticated session context and are never accepted from user-supplied input, preventing cross-tenant data access.
8.5 API Authentication. API keys are stored as SHA-256 hashes; plaintext keys are never stored after initial generation. All platform endpoints require token-based authentication. Unauthenticated requests are rejected.
8.6 Rate Limiting. Rate limiting is applied to all API endpoints to mitigate abuse, credential stuffing, and denial-of-service attacks.
8.7 DDoS Protection. The platform is protected against distributed denial-of-service attacks through Cloudflare's network-layer and application-layer DDoS mitigation services.
8.8 Audit Logging. The platform maintains audit logs recording actor identity, action performed, resource affected, source IP address, and timestamp for all significant operations involving Personal Data. Audit logs are retained for a minimum period consistent with applicable legal requirements.
8.9 Error Monitoring Configuration. Application error monitoring (Sentry) is configured with sendDefaultPii: false to prevent the capture of personally identifiable information in error reports and stack traces.
Organizational Measures
8.10 Need-to-Know Access. Access to Personal Data is restricted to personnel who require such access to perform their job functions. Personnel are informed of their data protection obligations.
8.11 Confidentiality Obligations. All personnel and contractors with access to Personal Data are bound by confidentiality obligations, either contractually or by operation of law.
8.12 Security Assessments. The Processor reviews its Technical and Organizational Measures periodically and when material changes to the platform or threat landscape occur, to identify and remediate vulnerabilities.
8.13 Incident Response. The Processor maintains incident response procedures appropriate to the scale and nature of its processing activities for detecting, containing, investigating, and notifying Security Incidents in accordance with Section 9 of this DPA.
9. Data Breach Notification
9.1 Notification Timeline. Upon becoming aware of a Security Incident affecting Personal Data processed under this DPA, the Processor notifies the Controller without undue delay and in no event later than 72 hours after becoming aware of the Security Incident.
9.2 Notification Content. The Processor's notification includes, to the extent then known:
- (a) a description of the nature of the Security Incident, including the categories and approximate number of Data Subjects affected and the categories and approximate volume of Personal Data records affected;
- (b) the name and contact details of the Processor's data protection contact;
- (c) a description of the likely consequences of the Security Incident;
- (d) a description of the measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects.
9.3 Phased Notification. Where all required information is not available within the 72-hour period, the Processor provides an initial notification with the information then available and supplements it with additional information as it becomes available, without undue further delay.
9.4 Cooperation. The Processor cooperates fully with the Controller in meeting the Controller's notification obligations to Supervisory Authorities and affected Data Subjects under GDPR Articles 33 and 34 and equivalent provisions of Applicable Data Protection Laws.
9.5 Documentation. The Processor documents all Security Incidents, including those that do not trigger a notification obligation, in sufficient detail to demonstrate compliance with this Section and to support any regulatory inquiry.
10. International Data Transfers
The following table sets out the safeguards applicable to transfers of Personal Data from the Controller's jurisdiction to the United States, where the Processor and most Sub-processors are located.
| Transfer Scenario | Applicable Safeguard |
|---|---|
| EU/EEA to United States | Standard Contractual Clauses adopted by the European Commission (Decision 2021/914/EU), Module Two (Controller to Processor), incorporated by reference into this DPA. |
| United Kingdom to United States | UK International Data Transfer Agreement (IDTA) issued by the UK Information Commissioner's Office, or the UK Addendum to the EU SCCs, as applicable. |
| Canada to United States | Processing conducted in accordance with PIPEDA requirements, including contractual protections ensuring comparable protection to that provided under PIPEDA. |
| Australia to United States | Reasonable steps taken in accordance with Australian Privacy Principle 8 (APP 8) to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to the transferred information. |
10.1 No Transfer Without Safeguards. The Processor does not transfer Personal Data to any country or territory outside the Controller's jurisdiction without ensuring that an adequate level of protection is in place through one of the mechanisms described above, or with the Controller's prior written consent.
10.2 Sub-Processor Transfers. Where Sub-processors process Personal Data outside the Controller's jurisdiction, the Processor ensures that Sub-processor agreements incorporate the EU SCCs, UK IDTA, or equivalent transfer mechanisms as required by Applicable Data Protection Laws.
10.3 Edge Node Processing. Cloudflare and Cloudflare Zaraz process data at globally distributed edge nodes as part of CDN and tag management operations. The Processor ensures that Cloudflare's data processing agreements and applicable transfer mechanisms cover such edge processing. The Controller acknowledges that CDN operations inherently involve routing data through geographically distributed infrastructure.
11. Data Return and Deletion
11.1 Data Return. Upon termination or expiry of the Agreement, or upon the Controller's written request at any time, the Processor makes available to the Controller an export of all Personal Data processed under this DPA in a structured, commonly used, machine-readable format (JSON or CSV).
11.2 Export Window. The Controller may request a data export at any time during the term of the Agreement and for a period of 30 days following the effective date of termination or expiry ("Export Window").
11.3 Deletion After Export Window. Following the expiration of the Export Window, the Processor deletes all Personal Data processed under this DPA, including all copies held by the Processor and its Sub-processors, unless applicable law requires retention of specific data for a defined period. Where retention is required by law, the Processor retains only the minimum data required and notifies the Controller of the retention obligation.
11.4 Certification of Deletion. Upon the Controller's written request, the Processor provides written certification that all Personal Data has been deleted in accordance with this Section. The Processor will provide such certification within 30 business days of the request, in a form determined by the Processor (which may be a standardized attestation).
11.5 Residual Backup Data. Personal Data contained in backup systems is deleted within a reasonable period following the expiration of the Export Window, not to exceed 90 days, subject to the technical constraints of the backup infrastructure.
11.6 Consent Event Logs. Consent event logs are retained in accordance with the applicable plan-tier retention schedule during the term of the Agreement. Following the Export Window, consent event logs are deleted unless retention is required by applicable law or regulatory obligation.
12. Audit Rights
12.1 Audit Mechanism. The Processor satisfies its audit obligations under GDPR Article 28(3)(h) by making available to the Controller, upon written request and no more than once per calendar year, one or more of the following (at the Processor's election):
- (a) a completed industry-standard security questionnaire (such as SIG Lite, CAIQ, or equivalent) addressing the Processor's Technical and Organizational Measures;
- (b) a summary of the Processor's most recent penetration test or vulnerability assessment, with findings and remediation status;
- (c) a current SOC 2 Type II report or equivalent third-party security certification, if available; or
- (d) other documentation reasonably sufficient to demonstrate the Processor's compliance with this DPA.
12.2 Extended Audit. If the documentation provided under Section 12.1 does not reasonably address the Controller's compliance concerns, the Controller may request an extended audit of the Processor's systems, processes, and security controls, subject to the following conditions:
- (a) the Controller provides at least 60 days' prior written notice specifying the scope of and reason for the audit;
- (b) the audit is conducted by a qualified, independent third-party auditor selected by the Controller and approved by the Processor (such approval not to be unreasonably withheld), bound by written confidentiality obligations;
- (c) the audit is limited in scope to the Processor's compliance with this DPA and does not extend to other customers' data, proprietary source code, or trade secrets;
- (d) the audit is conducted remotely via secure screen share, documented evidence review, and structured interviews, unless the Processor agrees in writing to an alternative format;
- (e) the audit is conducted during normal business hours in a manner that does not unreasonably disrupt the Processor's operations;
- (f) the Processor may require up to 30 days to compile and provide requested documentation; and
- (g) Processor personnel cooperation is limited to a reasonable scope, not to exceed 16 hours of personnel time per audit.
12.3 Frequency. Audits under this Section (whether documentary under Section 12.1 or extended under Section 12.2) are conducted no more than once per calendar year, unless a confirmed Security Incident affecting the Controller's data has occurred that reasonably necessitates an additional audit.
12.4 Cost Allocation. The Controller bears all costs of any audit conducted under this Section, including fees of any third-party auditor. If an audit reveals material non-compliance by the Processor with its obligations under this DPA, the Processor bears the reasonable costs of the audit.
12.5 Confidentiality of Findings. All audit findings, reports, and related information are treated as confidential information of the Processor and are used by the Controller solely for the purpose of verifying compliance with this DPA.
12.6 Multi-Controller Efficiency. Where multiple Controllers request audits during the same period, the Processor may satisfy those requests with a single audit report or set of documentation provided to all requesting Controllers, provided the report addresses each Controller's reasonable concerns.
13. CCPA/CPRA Service Provider Obligations
To the extent the CCPA/CPRA applies to the processing of Personal Data under this DPA, the Processor makes the following commitments:
13.1 Service Provider Status. The Processor acts as a Service Provider as defined in Cal. Civ. Code Section 1798.140(ag) with respect to Personal Data received from the Controller. The Processor processes such Personal Data solely for the business purposes specified in this DPA and the Agreement.
13.2 No Sale or Sharing. The Processor does not sell or share Personal Data received from the Controller, as those terms are defined in Cal. Civ. Code Sections 1798.140(ad) and 1798.140(ah). The Processor does not sell Personal Data for monetary or other valuable consideration, and does not share Personal Data for cross-context behavioral advertising purposes.
13.3 Limitation on Use and Disclosure. The Processor does not retain, use, or disclose Personal Data received from the Controller for any purpose other than performing the Services specified in this DPA and the Agreement, as permitted by Cal. Civ. Code Section 1798.140(ag)(1). The Processor does not use such Personal Data for its own commercial purposes outside the scope of the Services.
13.4 No Combining Personal Data. The Processor does not combine Personal Data received from the Controller with Personal Data received from or collected in connection with other sources, except as permitted under the CCPA/CPRA, including as necessary to perform the Services.
13.5 Assistance with Consumer Rights. The Processor assists the Controller in responding to consumer rights requests submitted by California residents, including requests for access, deletion, correction, and opt-out of sale or sharing of Personal Data, in accordance with the CCPA/CPRA and Section 6 of this DPA.
13.6 Certification of Compliance. The Processor certifies that it understands and will comply with the restrictions set out in this Section 13. If the Processor determines that it can no longer meet its obligations under the CCPA/CPRA, the Processor notifies the Controller immediately, and the Controller may take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
14. Liability
14.1 General Limitation. Each party's liability under this DPA is subject to the limitations and exclusions set out in the Agreement, including any caps on aggregate liability.
14.2 Mandatory Liability. Nothing in this DPA or the Agreement limits or excludes either party's liability for breaches of Applicable Data Protection Laws to the extent that such liability cannot be limited or excluded under applicable law, including liability arising from GDPR Article 82 (right to compensation) or equivalent provisions.
14.3 Allocation Between Parties. Where both the Controller and the Processor are responsible for damage caused by processing in breach of Applicable Data Protection Laws, each party is liable for the damage attributable to its own breach. A party is exempt from liability if it proves that it was not in any way responsible for the event giving rise to the damage.
15. Term and Termination
15.1 Term. This DPA takes effect on the date the Agreement becomes effective and remains in force for as long as the Processor processes Personal Data on behalf of the Controller under the Agreement.
15.2 Termination. This DPA terminates automatically upon termination or expiry of the Agreement, subject to the post-termination obligations set out in this DPA.
15.3 Survival. The following Sections survive termination or expiry of this DPA: Section 4.2 (Confidentiality), Section 7.4 (No Training on Controller Data), Section 7.5 (Data Minimization for AI Processing), Section 9 (Data Breach Notification), Section 11 (Data Return and Deletion), Section 12 (Audit Rights), Section 13 (CCPA/CPRA Service Provider Obligations), and Section 14 (Liability).
16. Governing Law
16.1 General. This DPA is governed by the same governing law and jurisdiction as the Agreement, unless required otherwise by Applicable Data Protection Laws.
16.2 Multi-Regime Interpretation. To the extent the GDPR applies to processing under this DPA, the relevant provisions of this DPA are interpreted in accordance with GDPR requirements and the guidance of competent Supervisory Authorities. To the extent the CCPA/CPRA applies to processing under this DPA, the relevant provisions are interpreted in accordance with California law and the regulations of the California Privacy Protection Agency.
16.3 Severability. If any provision of this DPA is found to be invalid or unenforceable under applicable law, the remaining provisions continue in full force and effect. The parties negotiate in good faith to replace any invalid or unenforceable provision with a valid provision that achieves, to the greatest extent possible, the same purpose.
17. Contact and Data Protection Information
17.1 Processor Contact Details.
RB ZILLA LLC
116 E Main St, Suite 201, Rock Hill, SC 29730, United States
Email: [email protected]
Website: https://www.codextitan.com
17.2 Data Protection Officer. RB ZILLA LLC has assessed its processing activities under GDPR Article 37. Based on the nature, scope, context, and purposes of its processing, RB ZILLA LLC is not required to appoint a Data Protection Officer under GDPR Article 37(1). Data protection inquiries may be directed to the privacy contact email above.
17.3 Controller Responsibilities. The Controller is responsible for designating its own data protection contact and, where required by Applicable Data Protection Laws, appointing a Data Protection Officer. The Controller provides the Processor with current contact details for data protection communications upon request.
17.4 DPA Availability. This Data Processing Agreement is published at https://www.codextitan.com/dpa. Prior versions are available upon request.
17.5 Amendments. The Processor may update this DPA from time to time to reflect changes in Applicable Data Protection Laws, Sub-processor arrangements, or processing activities. The Processor provides the Controller with at least 30 days' prior written notice of material changes to this DPA. Continued use of the Services following the effective date of any amendment constitutes the Controller's acceptance of the updated DPA. If the Controller objects to a material amendment, the Controller may terminate the Agreement in accordance with its terms.