Data Processing Agreement

[ VERSION 1.1 // EFFECTIVE MARCH 31, 2026 ]

This Data Processing Agreement, including its exhibits and appendices (the "DPA" or "Addendum"), governs how Rogue Active Intelligence Inc. ("RogIQ," "Processor") processes personal data on behalf of its customers ("Customer," "Controller") in connection with the RogIQ platform and services (the "Platform"). This DPA is incorporated into and forms part of RogIQ's Terms of Service ("Agreement").

If you require a countersigned copy of this DPA, please contact [[email protected]].


1. Definitions

For the purpose of this DPA:

"Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Customer Personal Data, including where applicable: the EU General Data Protection Regulation (EU GDPR); the UK General Data Protection Regulation (UK GDPR); the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA); and any other applicable national, state, or provincial data protection laws.

"Contracted Processor" (also "Sub-processor") means any third party appointed by or on behalf of RogIQ to process Customer Personal Data in connection with the Services. See the Sub-processor List at [rogiq.com/sub-processors].

"Customer Data" means all data, including personal data, submitted to or processed on the Platform by or on behalf of Customer.

"Customer Personal Data" means personal data contained within Customer Data that RogIQ processes on behalf of Customer in connection with the Services.

"GDPR" means the EU GDPR and/or UK GDPR as applicable.

"Restricted Transfer" means any transfer of Customer Personal Data to a country not recognized as providing adequate protection under Applicable Data Protection Laws.

"Standard Contractual Clauses" or "SCCs" means the model data transfer clauses adopted by the European Commission and/or ICO from time to time for Restricted Transfers.

"Services" means the RogIQ Platform and associated services provided pursuant to the Agreement.

The terms "Controller," "Data Subject," "Personal Data," "Personal Data Breach," "Processing," "Processor," and "Supervisory Authority" shall have the meanings given to them under Applicable Data Protection Laws.


2. Scope and Applicability

2.1 Duration. This DPA takes effect as of the date Customer accepts the Agreement and continues for the duration of the Agreement.

2.2 Scope. This DPA applies to all Customer Personal Data processed by RogIQ in connection with the Services, regardless of country of origin.

2.3 Structure. This DPA includes:

  • Exhibit A – Details of Processing;
  • Exhibit A, Appendix I – Technical and Organizational Security Measures;
  • Exhibit B – Jurisdiction-Specific Terms (EEA, UK, US, etc.);
  • Exhibit B, Appendix I – Supplemental Clauses to SCCs.

3. Processing of Customer Personal Data

3.1 Roles. RogIQ acts as a Processor of Customer Personal Data. Customer acts as the Controller of Customer Personal Data (or as a Processor with RogIQ as Sub-processor, where Customer processes data on behalf of its own clients).

3.2 Processing Obligations. RogIQ shall:

  • Comply with all Applicable Data Protection Laws in the processing of Customer Personal Data;
  • Process Customer Personal Data only on Customer's documented instructions, including as set out in this DPA and the Agreement;
  • Immediately inform Customer if, in RogIQ's reasonable opinion, an instruction violates Applicable Data Protection Laws;
  • Not transfer Customer Personal Data to any third country without appropriate safeguards as set out in this DPA.

3.3 Details of Processing. All necessary details of processing are set forth in Exhibit A.

3.4 Customer Instructions. Customer instructs RogIQ to process Customer Personal Data as necessary to provide the Services, comply with applicable law, and as otherwise directed by Customer in writing.


4. Personnel

RogIQ shall take reasonable steps to ensure: (a) the reliability of personnel with access to Customer Personal Data; (b) that access is limited to personnel who need to know or access it for the purpose of providing the Services; and (c) that all such personnel are subject to confidentiality obligations.


5. Security of Processing

RogIQ shall implement and maintain the administrative, technical, and organizational security measures described in Appendix I to Exhibit A. These measures are designed to provide a level of security appropriate to the risks presented by the processing of Customer Personal Data.


6. Sub-processors

6.1 Authorized Sub-processors. Customer authorizes RogIQ to engage the sub-processors listed at [rogiq.com/sub-processors] ("Sub-processor List"). RogIQ shall maintain and update this list as sub-processors change.

6.2 New Sub-processors. Before appointing a new sub-processor, RogIQ will provide Customer with written notice (which may be by email or update to the Sub-processor List) and an opportunity to object within fourteen (14) days of notice.

6.3 Objections. If Customer objects to a new sub-processor and RogIQ cannot provide an alternative arrangement, Customer may terminate the affected Services upon written notice. If no objection is received within fourteen (14) days, Customer is deemed to have consented.

6.4 Sub-processor Obligations. RogIQ shall require each sub-processor to be bound by data protection obligations no less protective than those in this DPA, and shall remain liable to Customer for the acts and omissions of sub-processors.


7. Data Subject Rights

7.1 Assistance. Taking into account the nature of the processing, RogIQ shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, to enable Customer to respond to Data Subject rights requests.

7.2 Notification. RogIQ shall promptly notify Customer if it receives a Data Subject request relating to Customer Personal Data. RogIQ shall not respond to such requests except on Customer's documented instructions, unless required by applicable law.


8. Personal Data Breaches

8.1 Notification. If RogIQ discovers, is notified of, or has reason to suspect a Personal Data Breach affecting Customer Personal Data, RogIQ will notify Customer without undue delay (and where feasible, within 72 hours of discovery).

8.2 Breach Response. Upon notification, RogIQ shall: (a) describe the nature of the breach, including categories and approximate number of affected data subjects and records; (b) describe the likely consequences of the breach; (c) describe measures taken or proposed to address the breach; (d) provide ongoing updates as more information becomes available; and (e) use commercially reasonable efforts to investigate, mitigate, and remediate the breach.

8.3 No Fault Admission. RogIQ's notification of a breach does not constitute an acknowledgment of fault or liability.


9. Data Protection Assessments and Prior Consultation

RogIQ shall provide Customer with reasonable assistance, information, and documentation to support Customer in conducting data protection impact assessments (DPIAs) and consulting with Supervisory Authorities, where required by Applicable Data Protection Laws.


10. Deletion or Return of Customer Personal Data

10.1 During Services. RogIQ provides Customer with the technical means within the Platform to export, access, and delete Customer Personal Data.

10.2 Upon Termination. Following termination of the Agreement, RogIQ shall, upon Customer's written request, delete or return Customer Personal Data in a commonly used format, and certify such deletion in writing.

10.3 Sub-processors. RogIQ shall also cause sub-processors to delete or return Customer Personal Data upon termination.

10.4 Retention Exceptions. RogIQ may retain Customer Personal Data that has been archived to back-up systems for a reasonable period following the scheduled deletion of that data in production systems, provided that such data remains subject to the protections in this DPA and is deleted in accordance with RogIQ's backup retention schedules.


11. Audit Rights

RogIQ shall allow Customer (or an independent auditor appointed by Customer) to conduct audits or inspections of RogIQ's processing activities to verify compliance with this DPA, subject to reasonable advance written notice (at least 30 days), mutually agreed scheduling, and execution of a confidentiality agreement. Audit costs are borne by Customer unless an audit reveals a material breach of this DPA.


12. Jurisdiction-Specific Terms

To the extent RogIQ processes Customer Personal Data subject to the laws of specific jurisdictions, the terms in Exhibit B apply and are incorporated herein by reference.


13. Restricted Transfers

13.1 Restricted Transfers from EEA/UK/Switzerland. Restricted Transfers of Customer Personal Data shall be conducted pursuant to appropriate safeguards as set forth in Exhibit B, including Standard Contractual Clauses where applicable.

13.2 EU-U.S. Data Privacy Framework. To the extent applicable, RogIQ participates in the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, which provide additional transfer mechanisms for data transfers from the EEA, UK, and Switzerland.

13.3 Updated SCCs. If relevant authorities adopt updated SCCs, the parties agree to cooperate in good faith to execute updated agreements to remain compliant.


14. No Sale of Customer Personal Data

RogIQ acknowledges and confirms that it does not receive Customer Personal Data as consideration for any service or other benefit. RogIQ does not "sell" Customer Personal Data as defined under Applicable Data Protection Laws.


15. Amendment

RogIQ may update this DPA to reflect changes in applicable law or regulatory guidance, providing Customer with reasonable advance notice. If Customer objects to a material change, the parties shall work together in good faith to reach a mutually acceptable resolution. The most current version of this DPA is hosted at [rogiq.com/dpa].


16. Liability

Subject to the limitations set forth in the Agreement, each party's liability under this DPA is subject to the liability caps and exclusions in the Agreement.


17. General Terms

17.1 Contact. Parties shall use the following contacts for data protection matters:

  • RogIQ Data Protection Contact: [[email protected]]
  • Customer Data Protection Contact: As specified in Customer's Platform Account.

17.2 Priority. In the event of conflict between this DPA and the Agreement, the terms of this DPA shall control with respect to data protection matters.

17.3 Severability. If any provision of this DPA is found to be invalid, the remaining provisions shall remain in full force and effect.


EXHIBIT A — DETAILS OF PROCESSING

A. List of Parties

| | RogIQ (Processor) | Customer (Controller) |
|---|---|---|
| Name | Rogue Active Intelligence Inc. | As specified in Platform Account |
| Address | [ADDRESS], [CITY, STATE ZIP] | As specified in Platform Account |
| Data Protection Contact | [[email protected]] | As specified in Platform Account |
| Role | Processor (or Sub-processor) | Controller (or Processor) |
| Data Transfer Role | Data Importer | Data Exporter |

B. Details of Processing

| Item | Details |
|---|---|
| Subject Matter | Provision of the RogIQ Platform and Services as described in the Agreement |
| Nature and Purpose | RogIQ processes Customer Personal Data as necessary to provide the Services, including hosting, storage, AI feature processing, analytics, and communication services |
| Retention Period | Duration of the Agreement; post-termination per Section 10 |
| Categories of Data Subjects | Customer's employees, contractors, and end-user contacts as determined by Customer |
| Categories of Personal Data | Any Customer Personal Data submitted to the Platform by Customer, which may include names, email addresses, phone numbers, company information, behavioral data, and communications |
| Special Categories | Not anticipated; Customer must notify RogIQ before submitting any special categories of personal data |
| Transfer Frequency | Continuous during the term of the Agreement |

EXHIBIT A, APPENDIX I — TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

RogIQ implements and maintains the following technical and organizational measures (TOMs):

| Security Measure | Description |
|---|---|
| Encryption at Rest | All personal data at rest is encrypted using AES-256 encryption |
| Encryption in Transit | All personal data in transit is encrypted using TLS 1.2 or higher |
| Access Controls | Role-based access controls; access to personal data limited to authorized personnel on a need-to-know basis |
| Authentication | Multi-factor authentication required for administrative access; password policies enforced |
| Availability and Resilience | Platform hosted on redundant cloud infrastructure; uptime monitoring; automated alerting |
| Backup and Recovery | Regular automated backups with point-in-time recovery capabilities |
| Vulnerability Management | Regular vulnerability scanning; annual penetration testing; patch management program |
| Logging and Monitoring | Audit logs maintained for user actions and access events; security information and event monitoring (SIEM) |
| Incident Response | Documented incident response plan; security incident notification procedures |
| Physical Security | Physical infrastructure managed by certified cloud providers with industry-standard physical security controls |
| Data Minimization | Minimum necessary data collection; users can omit optional personal data fields |
| Vendor Management | Sub-processors required to maintain equivalent security standards; contractual data protection obligations |
| Personnel Training | Regular security awareness training for all personnel with access to personal data |
| Data Portability and Erasure | Customers can export personal data from within the Platform; deletion tools available |

EXHIBIT B — JURISDICTION-SPECIFIC TERMS

1. European Economic Area (EEA)

Definitions. "EEA" means the European Economic Area. "EU GDPR" means Regulation (EU) 2016/679. "EU SCCs" means the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914.

Restricted Transfers. For Restricted Transfers from the EEA, RogIQ shall rely on one or more of the following mechanisms: (a) EU SCCs; (b) adequacy decision; (c) EU-U.S. Data Privacy Framework; or (d) another approved lawful transfer mechanism.

SCCs Incorporation. This DPA incorporates by reference the EU SCCs (Module 2: Controller to Processor, or Module 3: Processor to Sub-processor, as applicable). Where the EU SCCs apply, the terms of Appendix I to Exhibit B (Supplemental Clauses) also apply.

2. United Kingdom

Definitions. "UK GDPR" means the UK General Data Protection Regulation. "UK Transfer Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK ICO.

Restricted Transfers. For Restricted Transfers from the UK, RogIQ shall apply the EU 2021 SCCs as supplemented by the UK Transfer Addendum, or another approved UK transfer mechanism, including the UK Extension to the EU-U.S. DPF where applicable.

3. Switzerland

For Restricted Transfers from Switzerland, RogIQ shall apply the EU 2021 SCCs adapted for Swiss requirements, or rely on the Swiss-U.S. DPF where applicable.

4. United States (CCPA/CPRA)

Applicability. This Section 4 applies to the processing of Customer Personal Data subject to U.S. state data protection laws, including CCPA/CPRA.

Processing Restrictions. RogIQ shall not: (a) sell or share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data outside the scope of the Services or as required by law; or (c) combine Customer Personal Data with personal data from other sources except as permitted by law.

Business Purpose. Customer discloses Customer Personal Data to RogIQ solely for valid business purposes as described in the Agreement and this DPA, and not as a "sale" under CCPA/CPRA.

5. Australia

Processing of Customer Personal Data subject to the Australian Privacy Act 1988 shall comply with the Australian Privacy Principles.

6. Canada

Processing of Customer Personal Data subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) or applicable provincial privacy legislation shall comply with those laws.


EXHIBIT B, APPENDIX I — SUPPLEMENTAL CLAUSES TO SCCS

These supplemental clauses provide additional safeguards for Data Subjects when personal data is transferred to the United States.

1. Surveillance Law Representations. RogIQ represents that, as of the date of this DPA: (a) it has not received any national security orders, FISA Section 702 directives, or similar demands that would require disclosure of Customer Personal Data; and (b) it has no reason to believe it is currently targeted for such surveillance.

2. No Backdoors. RogIQ certifies that: (a) it has not created backdoors or similar programming for government agencies; (b) it has not created or changed its business processes in a manner that facilitates government access to Customer Personal Data outside normal legal process; and (c) national law or government policy does not require it to maintain backdoors.

3. Response to Government Requests. If RogIQ receives a legally binding request for Customer Personal Data from a government authority, it shall: (a) verify the legality and validity of the request; (b) notify Customer promptly to the extent permitted by law; (c) challenge the request through available legal mechanisms before disclosure; and (d) disclose only the minimum data necessary if required to comply.

4. Termination Right. Customer may terminate this DPA and the Agreement if RogIQ is required to take any action that violates these supplemental clauses and cannot provide an adequate remedy.