Version 1.0
Effective Date: January 1, 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Next Horizon Ventures LLC ("Processor") and the professional account holder ("Controller") who uses the Service to manage client data.
The Processor shall process Personal Data only for the purpose of providing the Service as described in the Terms of Service. The categories of Personal Data processed include client names, email addresses, uploaded documents, estate planning information, and vault access records. Processing activities include storage, encryption (when enabled), transmission, access control enforcement, and audit logging. The Processor shall not process Personal Data for any purpose other than providing the Service unless required by applicable law.
The Controller is responsible for ensuring that the processing of client Personal Data through the Service has a lawful basis. The Controller shall obtain all necessary consents from Data Subjects before uploading their information. The Controller shall comply with all applicable data protection laws and professional regulations. The Controller shall enable two-factor authentication on their account as required by the Service. The Controller is responsible for the accuracy and completeness of Personal Data provided to the Service.
The Processor shall process Personal Data only on documented instructions from the Controller (as implemented through the Service). The Processor shall ensure that personnel authorized to process Personal Data are bound by confidentiality obligations. The Processor shall implement appropriate technical and organizational security measures, including client-side encryption, row-level security, TLS encryption in transit, audit logging, and access controls. The Processor shall assist the Controller in responding to Data Subject requests. The Processor shall notify the Controller without undue delay upon becoming aware of a Personal Data breach.
The Controller authorizes the Processor to engage the following Sub-Processors:
The Processor shall notify the Controller of any intended changes to Sub-Processors and provide the Controller an opportunity to object. Each Sub-Processor is bound by data protection obligations no less protective than those set out in this DPA.
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests for access, rectification, erasure, restriction, portability, and objection. The Processor shall promptly notify the Controller if it receives a request directly from a Data Subject and shall not respond to such requests without the Controller's instructions, unless required by law.
The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach. The notification shall include the nature of the breach, categories of data affected, approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach. The Processor's full breach notification procedure is available at Breach Notification Procedure.
The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall make available all information necessary to demonstrate compliance and allow for audits and inspections conducted by the Controller or an independent auditor. Audits shall be conducted with reasonable notice and during normal business hours. The Processor may satisfy audit requests by providing relevant certifications, audit reports, or other documentation.
Upon termination of the Service agreement or at the Controller's request, the Processor shall delete or return all Personal Data processed on behalf of the Controller within 90 days, unless retention is required by applicable law. The Controller may export their data at any time during the term of the agreement. Encrypted data for which the Controller holds the keys may be exported in encrypted form.
This DPA shall be governed by the same governing law as the Terms of Service. Where GDPR applies, the Standard Contractual Clauses approved by the European Commission shall be incorporated by reference for transfers of Personal Data outside the EEA.