Data Processing Addendum (DPA)
Effective Date: January 1, 2026 | Last Updated: March 1, 2026
This DPA forms part of the agreement between customer and SSSi where SSSi processes personal data on behalf of customer in xpdOffice.
Roles and Scope
For customer platform data, customer acts as Controller and SSSi acts as Processor or Service Provider (where applicable). Processing is limited to delivering, securing, and supporting contracted services.
Subprocessors
- Subprocessors are used for hosting, communications, support tooling, and security operations
- Subprocessors are contractually required to apply protections equivalent to this DPA
- Enterprise customers receive advance notice of material subprocessor changes
Security and Assistance
- Security controls align to NIST and CMMC frameworks
- SSSi assists customers with data subject rights requests
- SSSi supports breach notification obligations and investigations
Return and Deletion
Upon termination, customer may export data within 30 days, and production data is deleted within 90 days after export confirmation, unless longer retention is legally required.
