# Data Processing Agreement (DPA)

**Customer:** _________________________________

**Effective Date:** _____________________________

**Provider:** Spartan Solutions LLC, operating SpartanOS ("Provider", "we", "us")

This Data Processing Agreement ("DPA") forms part of the SpartanOS Terms of
Service entered into between Customer and Provider (the "Agreement") and
governs Provider's processing of Personal Data on behalf of Customer.

If there is a conflict between this DPA and the Agreement, this DPA controls
to the extent of the conflict.

---

## 1. Definitions

- **"Personal Data"** means any information relating to an identified or
  identifiable natural person, processed by Provider on Customer's behalf in
  the SpartanOS platform.
- **"Processing"** means any operation performed on Personal Data, including
  collection, storage, retrieval, use, disclosure, and deletion.
- **"Data Subject"** means the individual whose Personal Data is processed —
  typically Customer's contacts, leads, policy holders, and agents.
- **"Sub-processor"** means a third party engaged by Provider to process
  Personal Data on Provider's behalf (current list at
  https://spartan-os.com/subprocessors).
- **"Applicable Data Protection Laws"** includes the GDPR, the CCPA/CPRA, the
  NAIC Insurance Data Security Model Law, the TCPA, and any other privacy or
  data security law applicable to the Processing under this DPA.

## 2. Roles of the Parties

- Customer is the **Controller** (or, where applicable, a Processor acting on
  behalf of its own customer) of Personal Data Processed in the platform.
- Provider is the **Processor** acting on Customer's documented instructions.

Provider does not sell Personal Data, does not share Personal Data for
cross-context behavioral advertising, and does not use Personal Data for any
purpose other than providing the SpartanOS service to Customer.

## 3. Customer Instructions

Provider will Process Personal Data only on documented instructions from
Customer, which include:
- the Agreement and this DPA;
- Customer's configuration of the platform (e.g. enabled integrations,
  automation rules, retention preferences);
- written instructions delivered to Provider via support@spartan-os.com.

If Provider believes an instruction violates Applicable Data Protection Laws,
Provider will inform Customer.

## 4. Categories of Data and Data Subjects

| Category | Examples | Data Subjects |
|---|---|---|
| Identity | name, email, phone, address, DOB, SSN (encrypted) | Customer's contacts, leads |
| Policy | policy number, premium, carrier, status, persistency events | Customer's policy holders |
| Communication | SMS bodies, voice transcripts, email metadata | Contacts and agents |
| Account | email, hashed password, role, audit log entries | Customer's agents |
| Billing | last four digits of the card number (Stripe-tokenized; the full card number never reaches Provider) | Customer's billing contact |

## 5. Security Measures

Provider implements the technical and organizational measures listed in
Schedule A. Customer acknowledges these measures are appropriate to protect
the Personal Data processed under this DPA. See https://spartan-os.com/security
for the production controls list.

## 6. Sub-processors

Customer authorizes Provider to engage the Sub-processors listed at
https://spartan-os.com/subprocessors. Provider:
- imposes data protection obligations no less protective than this DPA on
  every Sub-processor;
- remains liable for the Sub-processor's performance;
- gives Customer at least 30 days' notice of any new or replacement
  Sub-processor (via the page above and email to the billing contact). Customer
  may object on reasonable data-protection grounds within that window; if the
  parties cannot agree, Customer may terminate the Agreement with refund of
  pre-paid unused fees.

## 7. International Transfers

Where Personal Data is transferred from the EEA, UK, or Switzerland to a
country without an adequacy decision, the parties incorporate the EU Standard
Contractual Clauses (Module 2: Controller-to-Processor) by reference, with
Provider as the data importer.

## 8. Data Subject Rights

Customer is responsible for handling Data Subject requests (access,
rectification, deletion, portability, opt-out). Provider will, on request,
assist Customer with technical means appropriate to the request, including:
- exporting a Data Subject's records to CSV/JSON;
- redacting or deleting Personal Data on Customer's instruction;
- providing audit-log entries proving compliance with the request.

## 9. Personal Data Breach Notification

If Provider becomes aware of a Personal Data Breach affecting Customer's data,
Provider will notify Customer without undue delay and in any case within 72
hours of discovery. The notification will include:
- the nature of the Breach, categories and approximate number of Data Subjects
  and records affected;
- the likely consequences of the Breach;
- the measures taken or proposed to address the Breach and mitigate harm.

Provider will assist Customer in meeting Customer's own notification
obligations under Applicable Data Protection Laws.

## 10. Audit

Provider will, on Customer's reasonable request and no more than once per
year, provide Customer with:
- a copy of Provider's most recent third-party security audit report (e.g.
  SOC 2) when available;
- written responses to Customer's reasonable security questionnaires;
- a summary of penetration test results from the past 12 months.

If reports are insufficient, Customer may conduct an audit at Customer's
expense, on at least 30 days' notice, during business hours, and subject to
reasonable confidentiality obligations.

## 11. Return and Deletion

On termination of the Agreement:
- Provider keeps Customer's tenant in read-only mode for 30 days, during which
  Customer may export all Personal Data;
- after 30 days, Provider deletes Personal Data from primary production
  storage;
- backups containing Personal Data are subject to a rolling 90-day expiry,
  after which they are securely deleted;
- Provider may retain Personal Data to the extent required by law and only
  for the period required, after which it is deleted.

## 12. Liability

The liability of each party under this DPA is governed by the Limitation of
Liability section of the Agreement.

## 13. Order of Precedence

This DPA supplements the Agreement. In any conflict between this DPA and the
Agreement on the subject of Personal Data Processing, this DPA controls.

---

## Schedule A — Technical and Organizational Security Measures

A current, machine-readable list of controls is published at
https://spartan-os.com/security. Highlights:

**Encryption.** TLS 1.3 in transit; AES-256 at rest for all production
storage; AES-256-GCM field-level encryption for SSN, Twilio auth tokens, and
OAuth refresh tokens.

**Access control.** Bcrypt password hashing (cost 12); optional TOTP 2FA;
account lockout after repeated failed sign-ins; force-logout-on-password-change;
role-based access (Owner / Admin / Agent); session-version JWT invalidation.

**Tenant isolation.** Every database query is scoped by an agencyId derived
from the authenticated session — never from client input. Twilio sub-accounts
and billing customers are partitioned per tenant.

**Application hardening.** Strict Content-Security-Policy; HSTS preload;
X-Frame-Options; Cross-Origin-Opener-Policy; signed-webhook verification on
every Twilio, Stripe, and Vapi callback; per-user and per-IP rate limiting on
authentication, AI, and billing endpoints.

**Logging and monitoring.** Immutable per-tenant audit log; PII-scrubbed
error tracking (Sentry); production access logs retained for 90 days.

**Backups and continuity.** Continuous WAL backups with point-in-time recovery
on Postgres; encrypted backups stored in a separate region; RPO ≤ 1 hour,
RTO ≤ 4 hours.

**Vendor management.** Each Sub-processor signs a DPA before processing any
Customer data. The Sub-processor list is public at
https://spartan-os.com/subprocessors.

---

## Signatures

**Customer**

Name: _________________________________

Title: _________________________________

Signature: _____________________________

Date: __________________________________

**Provider — Spartan Solutions LLC**

Name: _________________________________

Title: _________________________________

Signature: _____________________________

Date: __________________________________
