Exposure Watch Data Processing Addendum
Effective date: June 15, 2026
Company: Exposure Watch, Inc.
This Data Processing Addendum ("DPA") forms part of the Terms of Service or other agreement between Exposure Watch and Customer. It applies when Exposure Watch processes personal data on behalf of Customer as a processor, service provider, or similar role under applicable privacy laws.
This DPA is not a HIPAA Business Associate Agreement. Customer must not submit PHI or patient data to the Service unless Exposure Watch has signed a separate BAA.
1. Roles
Customer is the controller/business for Customer Personal Data. Exposure Watch is the processor/service provider for Customer Personal Data processed to provide the Service. Exposure Watch is an independent controller/business for personal data it processes for its own website, sales, billing, security, legal, and business purposes.
2. Definitions
"Customer Personal Data" means personal data in Customer Data that Exposure Watch processes on behalf of Customer through the Service, such as authorized-user information, alert-recipient contact information, notification settings, and account activity.
"Privacy Laws" means privacy and data-protection laws applicable to the processing, including applicable U.S. state privacy laws, GDPR, UK GDPR, and similar laws to the extent they apply.
"Security Incident" means unauthorized access to, acquisition of, or disclosure of Customer Personal Data processed by Exposure Watch. Security Incident does not include unsuccessful attempts or routine security events that do not compromise Customer Personal Data.
3. Processing instructions
Exposure Watch will process Customer Personal Data only to:
- provide, secure, support, maintain, and improve the Service;
- process documented Customer instructions;
- prevent or address security, fraud, misuse, and legal risk;
- comply with law; and
- perform obligations under the agreement.
Customer's instructions are the agreement, Orders, account settings, documented support requests, and lawful written instructions.
4. Customer obligations
Customer will:
- provide required notices and obtain required consents from Authorized Users and alert recipients;
- ensure it has a lawful basis for processing and for instructing Exposure Watch;
- keep Customer Personal Data accurate and current;
- not submit PHI or prohibited sensitive data;
- respond to individual rights requests where Customer is the controller/business; and
- use the Service in compliance with Privacy Laws.
5. Exposure Watch obligations
Exposure Watch will:
- process Customer Personal Data according to Customer's documented instructions;
- maintain appropriate administrative, technical, and organizational safeguards;
- ensure personnel authorized to process Customer Personal Data are subject to confidentiality obligations;
- notify Customer without undue delay after confirming a Security Incident affecting Customer Personal Data;
- provide reasonable assistance for rights requests, DPIAs, and regulatory inquiries, taking into account the nature of processing;
- delete or return Customer Personal Data at termination as described in the agreement, unless retention is required by law or backup cycles; and
- make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality and security limits.
6. Security measures
Exposure Watch will maintain a security program appropriate to the nature of Customer Personal Data and the Service, including as applicable:
- access controls and least-privilege authorization;
- encryption in transit and at rest where supported;
- logging and monitoring;
- vulnerability management and patching;
- backups and restoration procedures;
- incident-response procedures;
- personnel confidentiality and access review;
- vendor/subprocessor review;
- secure software development practices; and
- administrative safeguards for customer support and operations.
Exposure Watch publishes only security controls that are actually implemented and will update this DPA as those controls evolve.
7. Subprocessors
Customer authorizes Exposure Watch to use subprocessors to provide the Service. Exposure Watch will maintain a subprocessor list and require subprocessors to protect Customer Personal Data under terms materially as protective as this DPA.
Exposure Watch will provide notice of new subprocessors where required by applicable law or enterprise agreement. Customer may object to a new subprocessor on reasonable privacy/security grounds. If the parties cannot resolve the objection, Customer may terminate the affected Service as its exclusive remedy.
8. Cross-border transfers
If Customer Personal Data is transferred internationally and Privacy Laws require a transfer mechanism, the parties will use an appropriate mechanism such as standard contractual clauses or another lawful transfer basis.
9. U.S. state privacy service-provider terms
Exposure Watch will not sell Customer Personal Data or share it for cross-context behavioral advertising. Exposure Watch will not retain, use, or disclose Customer Personal Data outside the business purposes of providing the Service, except as permitted by Privacy Laws. Exposure Watch will not combine Customer Personal Data with personal data from other sources except as permitted by Privacy Laws.
10. PHI exclusion
Customer must not submit PHI. If Customer submits PHI without a signed BAA, Customer remains responsible for the submission. Exposure Watch may delete or quarantine the data and will not be deemed a business associate merely because Customer violated the agreement.
11. Audit
Upon reasonable written request, no more than once annually unless required by law or following a Security Incident, Exposure Watch will provide existing security summaries, certifications, policies, or questionnaire responses reasonably necessary to evaluate compliance. On-site audits require a separate written agreement and must not compromise security or other customers' data.
12. Order of precedence
If this DPA conflicts with the Terms, this DPA controls for processing of Customer Personal Data.