Data Processing Addendum
Effective 2026-05-28. This DPA forms part of the Terms of Service.
1. Definitions
"Customer" is the entity that has registered for the Midslate service. "Personal Data" has the meaning given in applicable data-protection law (GDPR/UK GDPR/CCPA/etc.). "Sub-processor" means any third party engaged by Midslate Inc. to process Personal Data on Customer's behalf.
2. Roles
Customer is the data controller; Midslate Inc. is the data processor. Midslate Inc. processes Personal Data only on documented instructions from Customer (the Service's ordinary operation constitutes such instructions).
3. Security measures
- Encryption in transit (TLS 1.2+) for all network traffic.
- Encryption at rest for all production databases.
- Row-level security on multi-tenant data.
- Role-based access controls; least-privilege by default.
- Audit log retention configurable per tenant; default 5 years.
4. Sub-processors
Current sub-processors: the cloud provider hosting our infrastructure, our email-delivery provider, our payment processor, and our monitoring provider. A current list with addresses is available on request to legal@example.test.
5. Data subject rights
Midslate Inc. provides the Service's admin dashboard endpoints (/admin/erasure, /admin/export) so Customer can fulfill data-subject requests directly. Midslate Inc. will assist with any request Customer cannot resolve via the dashboard alone within reasonable timeframes.
6. International transfers
Personal Data is processed in the region Customer selected at signup. Cross-region transfers, when required for support or infrastructure operations, rely on the EU Standard Contractual Clauses (or equivalent UK IDTA) plus the supplementary measures described in this DPA.
7. Incident notification
Midslate Inc. will notify Customer of a confirmed Personal Data Breach without undue delay, and in any event within 72 hours of confirming the breach.
8. Audit + assistance
Midslate Inc. maintains SOC 2 Type II evidence on request (NDA may apply). On reasonable notice, Customer may audit Midslate Inc.'s compliance with this DPA once per twelve-month period.
9. Return + deletion
At Customer's request and on contract termination, Midslate Inc.returns Personal Data via the Service's data-export endpoint and deletes Customer's data within 30 days, subject to the 7-day grace period of the tenant-deletion ceremony.
10. Contact
Questions about this DPA: legal@example.test.