Data Processing Addendum (DPA)

Effective Date: September 1, 2025

This Data Processing Addendum ("DPA") forms part of and is subject to the Master Services Agreement, Terms and Conditions, or other written agreement (the "Agreement") between Rising Orchards LLC d/b/a IgorBox ("Processor" or "IgorBox") and the customer that is a party to the Agreement ("Controller" or "Customer").


1. Scope and Roles

  • This DPA applies to IgorBox’s processing of Personal Data on behalf of Customer in providing the Services.
  • Customer is the Controller and IgorBox is the Processor with respect to such Personal Data. Where IgorBox determines the purposes and means of processing, IgorBox acts as an independent Controller.

2. Processing Instructions

  • IgorBox will process Personal Data only on documented instructions from Customer, including with respect to international transfers, unless required by applicable law.
  • If IgorBox is required by law to process Personal Data, it will inform Customer before processing (unless prohibited by law).
  • If IgorBox reasonably believes an instruction violates applicable law or IgorBox security policies, IgorBox will notify Customer and may suspend performance of that instruction until the parties agree on lawful, compliant alternatives.

3. Confidentiality and Personnel

  • IgorBox ensures that persons authorized to process Personal Data are bound by appropriate confidentiality obligations and receive appropriate training.

4. Security

  • IgorBox implements appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. A description of such measures is provided in Annex B.

5. Subprocessors

  • Customer authorizes IgorBox to engage subprocessors to provide the Services. IgorBox will enter into a written agreement with each subprocessor imposing data protection obligations no less protective than those in this DPA.
  • IgorBox maintains a current list of subprocessors in Annex C. Customer may subscribe to updates or periodically review the list.
  • IgorBox will provide notice of new subprocessors by updating Annex C and/or via email notice to the contact on file. If Customer has a reasonable, documented objection relating to data protection, Customer must notify IgorBox within 10 days of notice. The parties will work in good faith to resolve the objection; if unresolved, Customer may terminate the affected Services as its sole and exclusive remedy.

6. International Transfers

  • Where IgorBox transfers Personal Data outside the EEA, UK, or Switzerland to a country without an adequate level of protection, IgorBox will ensure appropriate safeguards, such as the EU Standard Contractual Clauses (Module 2) and the UK Addendum, as applicable.

7. Assistance and Data Subject Requests

  • Taking into account the nature of processing, IgorBox will assist Customer by appropriate technical and organizational measures, insofar as possible, for the fulfillment of Customer’s obligations to respond to data subject requests under applicable data protection laws.
  • If IgorBox receives a request directly from a data subject, IgorBox will promptly notify Customer and direct the data subject to Customer unless otherwise required by law.
  • Customer must submit data subject requests to IgorBox via help@igorbox.com. IgorBox will use reasonable efforts to support Customer’s response. IgorBox may refuse or charge a reasonable fee for requests that are manifestly unfounded, excessive, or repetitive, to the extent permitted by law.

8. Personal Data Breach

  • IgorBox will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide information to assist Customer in meeting its breach notification obligations. Where feasible, IgorBox aims to provide an initial notice within 72 hours. Notifications may be provided in phases as information becomes available.

9. Audits and Security Documentation

  • Upon reasonable prior written notice and subject to confidentiality and security obligations, IgorBox will make available information reasonably necessary to demonstrate compliance with this DPA, such as a security overview, relevant policies and procedures, and executive summaries of independent assessments (e.g., penetration tests) if available.
  • Where required by applicable law or by a competent regulator, Customer may conduct (or appoint a mutually agreed independent third party to conduct) an audit of IgorBox’s relevant policies, procedures, and controls no more than once in any 12‑month period (or following a Personal Data Breach), during normal business hours, without undue disruption.
  • Audits will not include intrusive testing of production systems (e.g., vulnerability scans or penetration tests) and will not permit access to other customers’ data or IgorBox confidential information unrelated to the Services. Customer bears its own audit costs and will reimburse IgorBox for its reasonable time and materials spent to support the audit.
  • As an alternative to onsite or direct audits, IgorBox may satisfy audit requests by providing responses to industry‑standard security questionnaires and/or third‑party attestations when available.

10. Deletion or Return

  • Upon termination of the Services, IgorBox will, at Customer’s choice, delete or return Personal Data and delete existing copies unless storage is required by law. IgorBox will complete deletion of active copies within 30 days and will overwrite backups on a rolling schedule such that Personal Data is purged from backups within 90 days thereafter. IgorBox may retain minimal logs, billing records, and security copies to the extent required for legitimate business purposes or legal obligations.

11. Liability and Order of Precedence

  • Each party’s liability under this DPA is subject to the limitations of liability in the Agreement. In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to data protection matters.

12. Miscellaneous

  • If any provision of this DPA is held invalid, the remainder shall remain in full force. This DPA may be executed electronically.

13. Data Location and Hosting

  • As of the Effective Date, IgorBox hosts and stores Customer Personal Data in the United States and does not maintain production data storage in other countries.
  • If Customer Personal Data originates from outside the United States (e.g., EEA/UK/Switzerland), such access from or storage in the United States constitutes an international transfer and will be safeguarded per Section 6 (e.g., EU Standard Contractual Clauses and UK Addendum, as applicable).
  • IgorBox will provide advance notice before materially changing primary data hosting regions outside the United States and will update Annex C accordingly.

14. Costs and Cooperation

  • Except where otherwise required by applicable law, substantial assistance by IgorBox with Customer’s compliance obligations under data protection laws (including responses to data subject requests, DPIAs, consultations with authorities, or audits beyond standard questionnaire responses) will be provided on a reasonable time-and-materials basis at IgorBox’s then-current rates.

Annex A – Details of Processing

  • Subject matter: Processing of Personal Data in connection with provision of the Services.
  • Duration: For the term of the Agreement and as otherwise required by law.
  • Nature and purpose: Hosting, storage, transmission, analytics, and other processing necessary to provide and improve the Services.
  • Types of Personal Data: Identifiers (e.g., names, emails, IPs), account data, device telemetry (pseudonymous), support communications, and any other data submitted by Customer.
  • Categories of data subjects: Customer’s users, employees, contractors, and end users as determined by Customer.

Annex B – Technical and Organizational Measures (TOMs)

  • Access control: Role‑based access, MFA for privileged accounts, least privilege.
  • Data security: Encryption in transit (TLS) and at rest where applicable; key management practices.
  • Network security: Segmentation, firewalls, WAF, DDoS protections where applicable.
  • Secure development: Code review, dependency scanning, vulnerability management.
  • Monitoring & logging: Centralized logging, security alerting, incident response procedures.
  • Business continuity: Regular backups, redundancy where appropriate, disaster recovery planning.
  • Vendor management: Security and privacy review of subprocessors.
  • Employee practices: Security awareness training, confidentiality obligations.

Annex C – Subprocessors

IgorBox uses the following subprocessors to deliver the Services (examples; update as applicable):

  • Cloud infrastructure: e.g., AWS, GCP, or Azure (hosting, storage, networking)
  • Email delivery/support: e.g., SendGrid/Customer.io/Zendesk (transactional communications, support)
  • Analytics/monitoring: e.g., Sentry/Datadog (service telemetry, error tracking)
  • Payment processing: e.g., Stripe (billing)

For the current list, contact help@igorbox.com.

Locations: As of the Effective Date, IgorBox and its primary infrastructure providers host and process Customer Personal Data in the United States.

This document is maintained at github.com/RisingOrchards/legal