Effective Date: 1 March 2026
Last Updated: 1 March 2026
This Data Processing Agreement ("DPA") is entered into between RheoData, LLC ("RheoData," "Processor") and the client identified in the applicable order form or Statement of Work ("Client," "Controller"), and is incorporated by reference into the RheoData Terms of Sale. This DPA governs the processing of Personal Data by RheoData on behalf of Client in connection with the delivery of RheoData's software, data analytics products, and professional services (collectively, "Services").
In the event of a conflict between this DPA and the Terms of Sale, this DPA shall control with respect to data processing matters.
As used in this DPA:
"Applicable Data Protection Law" means all federal, state, and local laws and regulations applicable to the processing of Personal Data under this DPA, including but not limited to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), and any other applicable U.S. state privacy laws, as each may be amended from time to time.
"Controller" means the party that determines the purposes and means of the processing of Personal Data (Client).
"Data Breach" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by RheoData.
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
"Personal Data" means any information relating to an identified or identifiable natural person that is provided by Client to RheoData, or that RheoData accesses, collects, or processes in connection with the performance of the Services.
"Processing" (and its derivatives) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, transmission, or deletion.
"Processor" means the party that processes Personal Data on behalf of the Controller (RheoData).
"Sub-processor" means any third party engaged by RheoData to process Personal Data in connection with the Services.
"Supervisory Authority" means any governmental authority with jurisdiction over the processing of Personal Data under Applicable Data Protection Law.
3.1 Role of the Parties. Client is the Controller and RheoData is the Processor with respect to Personal Data processed under this DPA. RheoData shall process Personal Data only on documented instructions from Client, including for the purposes set forth in this DPA and any applicable Statement of Work.
3.2 Details of Processing. The subject matter, duration, nature, and purpose of processing, as well as the categories of Personal Data and Data Subjects, are described in Exhibit A attached to this DPA. In the absence of a completed Exhibit A, RheoData shall process only the Personal Data necessary to perform the Services.
3.3 Compliance with Instructions. RheoData shall not process Personal Data for any purpose other than as set forth in Client's documented instructions or as required by applicable law. If RheoData believes that an instruction from Client violates Applicable Data Protection Law, RheoData shall promptly notify Client.
4.1 Confidentiality. RheoData shall ensure that all personnel authorized to process Personal Data are subject to binding confidentiality obligations with respect to such data.
4.2 Security. RheoData shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized access, disclosure, alteration, or destruction, taking into account the nature of the data and the risks involved. Such measures include, at minimum:
4.3 Data Breach Notification. In the event of a confirmed Data Breach involving Client's Personal Data, RheoData shall notify Client without undue delay, and in no event later than seventy-two (72) hours after becoming aware of the breach. Such notification shall include, to the extent available: (a) the nature of the breach; (b) the categories and approximate number of Data Subjects affected; (c) the categories and approximate volume of Personal Data affected; (d) the likely consequences of the breach; and (e) the measures taken or proposed to address the breach and mitigate its effects. RheoData shall cooperate with Client in any required notifications to Supervisory Authorities or affected Data Subjects.
4.4 Data Subject Rights. RheoData shall assist Client, through appropriate technical and organizational measures, in fulfilling Client's obligations to respond to Data Subject requests to exercise rights under Applicable Data Protection Law, including rights of access, correction, deletion, restriction, and portability. RheoData shall promptly forward any Data Subject requests it receives directly to Client and shall not respond to such requests without Client's authorization, except as required by law.
4.5 Data Protection Impact Assessments. Upon Client's reasonable request, RheoData shall provide such information and assistance as is reasonably necessary for Client to carry out data protection impact assessments or prior consultations with Supervisory Authorities, as required by Applicable Data Protection Law.
4.6 Records of Processing. RheoData shall maintain records of processing activities carried out on behalf of Client as required by Applicable Data Protection Law and shall make such records available to Client upon reasonable request.
5.1 Lawful Basis. Client represents and warrants that it has a valid legal basis for processing Personal Data and for instructing RheoData to process Personal Data on its behalf under this DPA.
5.2 Accuracy of Data. Client is responsible for the accuracy, quality, and legality of all Personal Data it provides to RheoData. Client shall ensure that Personal Data is accurate and up to date to the extent necessary for the purposes for which it is processed.
5.3 Compliance. Client shall comply with all Applicable Data Protection Laws in connection with its use of the Services and its instructions to RheoData.
5.4 Notification. Client shall promptly notify RheoData of any changes to its instructions that may impact RheoData's processing activities.
6.1 Authorization. Client provides general authorization for RheoData to engage Sub-processors to assist in the delivery of the Services. RheoData maintains a current list of Sub-processors, available upon written request to info@rheodata.com.
6.2 Sub-processor Obligations. RheoData shall impose data protection obligations on all Sub-processors that are no less protective than those set forth in this DPA. RheoData shall remain liable to Client for the acts and omissions of its Sub-processors to the same extent RheoData would be liable if performing the services directly.
6.3 Changes to Sub-processors. RheoData shall provide Client with reasonable advance notice of any intended changes to its Sub-processor list, including additions or replacements. If Client reasonably objects to the use of a new Sub-processor on data protection grounds, Client shall notify RheoData in writing within fourteen (14) days of receiving notice. The parties shall work in good faith to resolve such objection. If no resolution is reached, Client may terminate the affected Services upon thirty (30) days' written notice without penalty.
7.1 Retention Period. RheoData shall retain Personal Data only for as long as necessary to perform the Services or as required by applicable law.
7.2 Deletion or Return. Upon termination or expiration of the applicable Services, or upon Client's written request, RheoData shall, at Client's election, securely delete or return all Personal Data in its possession, and certify in writing that such deletion or return has been completed within thirty (30) days. RheoData may retain Personal Data to the extent required by applicable law, in which case RheoData shall notify Client of such retention and continue to protect such data in accordance with this DPA.
RheoData shall not transfer Personal Data to any country or territory outside the United States without Client's prior written consent, unless such transfer is required by applicable law, in which case RheoData shall notify Client of the requirement prior to transfer (unless prohibited by law from doing so). Any approved international transfers shall be subject to appropriate safeguards as required by Applicable Data Protection Law.
9.1 Upon Client's written request, RheoData shall make available to Client all information reasonably necessary to demonstrate compliance with this DPA.
9.2 Client may, no more than once per calendar year and upon at least thirty (30) days' prior written notice, conduct or commission an audit of RheoData's data processing practices related to the Services, at Client's expense. RheoData shall cooperate with such audits. RheoData may require any third-party auditor to execute a confidentiality agreement prior to participating in such audit.
9.3 RheoData may satisfy its audit obligations through the provision of current third-party security certifications or audit reports (e.g., SOC 2 Type II) where applicable.
10.1 To the extent that Client is a "Business" and RheoData is a "Service Provider" under the CCPA or equivalent designations under other applicable U.S. state privacy laws, RheoData shall:
Each party's liability under this DPA shall be subject to the limitations set forth in the RheoData Terms of Sale. Nothing in this DPA shall limit either party's liability with respect to a Data Subject's rights or claims under Applicable Data Protection Law, to the extent such limitation is not permitted by law.
This DPA shall remain in effect for the duration of RheoData's processing of Personal Data on behalf of Client under the Terms of Sale or any applicable SOW. This DPA shall automatically terminate upon the expiration or termination of all applicable agreements between the parties, subject to any survival provisions herein. Sections 7, 9, 10, and 11 shall survive termination of this DPA.
This DPA shall be governed by the laws of the State of Georgia, consistent with the Terms of Sale, without regard to its conflict of law principles.
This DPA, together with the RheoData Terms of Sale and any applicable SOW or order form, constitutes the entire agreement between the parties with respect to the processing of Personal Data and supersedes all prior agreements or representations relating to the same subject matter.
Subject Matter: Processing of Personal Data in connection with RheoData's software, data analytics, and professional services.
Duration: For the term of the applicable agreement(s) between the parties.
Nature of Processing: Collection, storage, analysis, transmission, and deletion of Personal Data as required to deliver the Services.
Purpose of Processing: Performance of the Services as described in the applicable order form or Statement of Work.
Categories of Personal Data: May include names, email addresses, job titles, business contact information, and any other data provided by Client in connection with the Services.
Categories of Data Subjects: Client's employees, contractors, customers, or other individuals whose Personal Data is submitted to RheoData in connection with the Services.
Special Categories of Data: None, unless expressly agreed in writing by both parties.
For questions regarding this Data Processing Agreement, please contact RheoData at info@rheodata.com.