Data Processing Agreement
Effective Date: May 27, 2026
This Data Processing Agreement (“DPA”) forms part of the Service Level Agreement or other written agreement (“Principal Agreement”) between Aeopic LLC, a Texas limited liability company (“Processor”), and the client identified in the Principal Agreement (“Controller”). This DPA sets out the terms governing the processing of personal data by the Processor on behalf of the Controller.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable individual, as defined under applicable data protection laws including the Texas Data Privacy and Security Act (TDPSA).
- “Processing” means any operation performed on Personal Data, including collection, storage, use, modification, transmission, deletion, or destruction.
- “Controller” means the client entity that determines the purposes and means of processing Personal Data.
- “Processor” means Aeopic LLC, which processes Personal Data on behalf of the Controller.
- “Subprocessor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller. A current list is maintained at aeopic.com/legal/subprocessors.
- “Data Breach” means any unauthorized access, acquisition, use, or disclosure of Personal Data.
2. Scope and Purpose of Processing
The Processor shall process Personal Data only to the extent necessary to provide the services described in the Principal Agreement. The nature, purpose, and duration of processing, the types of Personal Data processed, and the categories of data subjects are as described in the Principal Agreement and any applicable statements of work.
The Processor shall not process Personal Data for any purpose other than as instructed by the Controller, unless required by applicable law. In such a case, the Processor shall inform the Controller of the legal requirement before processing, unless prohibited by law.
3. Categories of Data Processed
Depending on the services provided, the Processor may process the following categories of Personal Data on behalf of the Controller:
- Contact information (names, email addresses, phone numbers, mailing addresses)
- Account credentials (usernames, hashed passwords)
- Business records (invoices, appointment histories, project details)
- Communication data (messages, support tickets, chatbot interactions)
- Payment information (processed through PCI-compliant subprocessors; the Processor does not store payment card numbers)
- Usage data (platform access logs, feature usage, session data)
The Processor shall not process sensitive personal data (as defined by TDPSA) unless explicitly authorized in writing by the Controller, with appropriate additional safeguards in place.
4. Security Obligations
The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls with role-based permissions and multi-factor authentication for administrative access
- Row-level security on database records where applicable
- Regular security assessments of infrastructure and subprocessors
- Secure development practices including code review and dependency monitoring
- Audit logging of administrative actions and data access events
5. Subprocessor Management
The Controller authorizes the Processor to engage the subprocessors listed at aeopic.com/legal/subprocessors. The Processor shall:
- Provide the Controller with at least 30 days written notice before engaging a new subprocessor
- Ensure each subprocessor is bound by data protection obligations no less protective than those in this DPA
- Remain fully liable for the acts and omissions of its subprocessors
If the Controller objects to a new subprocessor within 30 days of notice, the parties shall work in good faith to resolve the objection. If resolution is not possible, the Controller may terminate the affected services without penalty.
6. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in no event later than 72 hours, after becoming aware of a Data Breach affecting Personal Data processed under this DPA. The notification shall include:
- A description of the nature of the breach
- The categories and approximate number of data subjects and records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
- The name and contact information of the Processor’s point of contact for the incident
The Processor shall cooperate with the Controller in investigating and remediating the breach, and shall assist the Controller in meeting any notification obligations under applicable law.
7. Data Subject Rights Assistance
The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under applicable law, including the right to access, correct, delete, or port their Personal Data. The Processor shall:
- Promptly notify the Controller if it receives a request directly from a data subject
- Not respond to data subject requests directly unless authorized by the Controller
- Provide reasonable technical assistance to fulfill requests within the timeframes required by law
8. Data Return and Destruction
Upon termination of the Principal Agreement, or upon the Controller’s written request, the Processor shall:
- Return all Personal Data to the Controller in a commonly used, machine-readable format within 30 days
- Delete all copies of Personal Data from the Processor’s systems and subprocessor systems within 90 days, unless retention is required by applicable law
- Provide written confirmation of deletion upon the Controller’s request
9. Audit Rights
The Controller may audit the Processor’s compliance with this DPA up to once per year, with at least 30 days written notice. The Processor shall make available all information reasonably necessary to demonstrate compliance and shall allow for and contribute to audits conducted by the Controller or an independent auditor appointed by the Controller.
Where the Processor engages subprocessors with independent security certifications (SOC 2, ISO 27001, or equivalent), the Processor may provide the subprocessor’s audit reports in lieu of direct audit access to the subprocessor’s systems.
10. Liability and Indemnification
The Processor shall indemnify the Controller against any losses, claims, or damages arising from the Processor’s breach of this DPA, subject to the limitation of liability provisions in the Principal Agreement. Each party’s liability under this DPA is subject to the overall limitations and exclusions of liability set out in the Principal Agreement.
11. Term and Termination
This DPA shall remain in effect for the duration of the Principal Agreement and for as long as the Processor continues to process Personal Data on behalf of the Controller. The obligations of the Processor regarding data return, destruction, and confidentiality shall survive termination.
12. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the State of Texas, without regard to conflict of law principles. Any disputes arising under this DPA shall be resolved in accordance with the dispute resolution provisions of the Principal Agreement.
Contact Information
For questions about this Data Processing Agreement or to request execution of this DPA as an exhibit to your Service Level Agreement, contact:
