
Data Processing Agreement

Last updated: October 15, 2025

1. Definitions and Interpretation

This Data Processing Agreement (“DPA”) is entered into between PDC Software (“Processor”, “we”, “us”, or “our”) and the customer (“Controller”, “you”, or “your”) and forms part of the Master Services Agreement.

In this DPA:

  • “Data Protection Laws” means all applicable laws and regulations relating to data protection and privacy, including the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA), and any other applicable privacy laws
  • “Personal Data” means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws
  • “Processing” means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction
  • “Data Subject” means the individual to whom Personal Data relates
  • “Sub-processor” means any third party engaged by the Processor to process Personal Data
  • “Security Incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data

2. Processing of Personal Data

2.1 Scope and Purpose

The Processor shall process Personal Data only for the purposes of providing the Services as described in the Master Services Agreement and in accordance with the Controller's documented instructions.

2.2 Categories of Data

The types of Personal Data processed may include:

  • Contact information (names, email addresses, phone numbers)
  • Account credentials and authentication data
  • Business information (company name, job title, department)
  • Technical data (IP addresses, device information, usage logs)
  • Financial information (for billing purposes)
  • Any other data provided by the Controller in connection with the Services

2.3 Duration of Processing

Processing shall continue for the duration of the Master Services Agreement, unless otherwise agreed in writing or required by applicable law.

3. Rights and Obligations of the Controller

3.1 Instructions

The Controller shall ensure that its instructions for the processing of Personal Data comply with Data Protection Laws. The Controller is solely responsible for the accuracy, quality, and legality of Personal Data and the means by which it acquired Personal Data.

3.2 Lawful Basis

The Controller warrants that it has established and will maintain appropriate lawful bases for processing Personal Data and sharing it with the Processor.

3.3 Necessary Consents

The Controller shall obtain and maintain all necessary consents and rights to permit the processing of Personal Data by the Processor as contemplated by this DPA.

4. Obligations of the Processor

4.1 Compliance

The Processor shall process Personal Data in compliance with:

  • The terms of this DPA
  • The Controller's documented instructions
  • Applicable Data Protection Laws

4.2 Confidentiality

The Processor shall ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Technical and Organizational Measures

The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data, which may include:

  • Encryption of Personal Data in transit using industry-standard protocols
  • Encryption of sensitive Personal Data at rest where technically appropriate
  • Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
  • Capability to restore availability and access to Personal Data in a timely manner following an incident
  • Processes for regularly reviewing and evaluating the effectiveness of security measures
  • Access controls and authentication mechanisms appropriate to the risk
  • Network security measures and monitoring
  • Physical security measures for facilities housing Personal Data
  • Security awareness training for personnel with access to Personal Data

The specific technical and organizational measures implemented will be appropriate to the risk presented by the processing and the nature of the Personal Data to be protected.

4.4 Data Subject Rights

The Processor shall assist the Controller by implementing appropriate technical and organizational measures to fulfill the Controller's obligations to respond to Data Subject requests exercising their rights under Data Protection Laws, including:

  • Right of access
  • Right to rectification
  • Right to erasure (“right to be forgotten”)
  • Right to restriction of processing
  • Right to data portability
  • Right to object

5. Sub-processing

5.1 Authorized Sub-processors

The Controller provides general authorization for the Processor to engage Sub-processors to process Personal Data, provided that:

  • The Processor maintains an up-to-date list of Sub-processors
  • The Processor notifies the Controller of any intended changes at least 30 days in advance
  • The Controller has the right to object to the addition or replacement of Sub-processors
  • The Processor ensures Sub-processors are bound by data protection obligations no less protective than this DPA

5.2 Current Sub-processors

The current list of approved Sub-processors is maintained and available at: pdcsoftware.com/legal/sub-processors

Categories of sub-processors we may engage include:

  • Cloud infrastructure and hosting providers
  • Productivity and collaboration platforms
  • Security and threat protection services
  • Backup and disaster recovery providers
  • Network and infrastructure security providers
  • Customer relationship management systems
  • IT service management platforms

5.3 Liability for Sub-processors

The Processor shall remain fully liable to the Controller for the performance of any Sub-processor's obligations.

6. International Data Transfers

6.1 Transfer Mechanisms

Any transfer of Personal Data outside the EEA or to an international organization shall be subject to appropriate safeguards as required by Data Protection Laws, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions
  • Binding Corporate Rules
  • Other valid transfer mechanisms under applicable law

6.2 Transfer Impact Assessment

The parties shall conduct and document transfer impact assessments as required to ensure that data transfers comply with the requirements of Data Protection Laws.

7. Security Incidents and Data Breaches

7.1 Notification

The Processor shall notify the Controller without undue delay after becoming aware of a Security Incident affecting Personal Data. Where feasible, such notification shall be made within 72 hours of the Processor becoming aware of the incident. If notification within 72 hours is not feasible, the Processor shall provide reasons for the delay along with the notification.

7.2 Information to be Provided

The notification shall include:

  • Description of the nature of the Security Incident
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Likely consequences of the Security Incident
  • Measures taken or proposed to address the Security Incident
  • Contact details for more information

7.3 Assistance

The Processor shall cooperate with and assist the Controller in complying with its obligations under Data Protection Laws with respect to Security Incidents, including notifications to supervisory authorities and Data Subjects.

8. Audits and Inspections

8.1 Right to Audit

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

8.2 Audit Process

Audits shall be conducted:

  • Upon reasonable notice of at least 30 days
  • During regular business hours
  • No more than once per year, unless required by Data Protection Laws or following a Security Incident
  • Subject to confidentiality obligations
  • At the Controller's expense

8.3 Third-Party Certifications

The Controller agrees to accept third-party certifications and audit reports (such as SOC 2, ISO 27001) in lieu of requesting an audit, where appropriate.

9. Data Retention and Deletion

9.1 Retention Period

The Processor shall retain Personal Data only for as long as necessary to provide the Services and fulfill the purposes outlined in this DPA, unless a longer retention period is required by law.

9.2 Deletion or Return

Upon termination of the Services or upon the Controller's request, the Processor shall, at the Controller's option:

  • Delete all Personal Data and certify such deletion; or
  • Return all Personal Data to the Controller in a commonly used format

9.3 Exceptions

The Processor may retain Personal Data to the extent required by applicable law, provided that the Processor ensures the confidentiality of such Personal Data and that such Personal Data is only processed as necessary for the purpose specified in the applicable law.

10. Liability and Indemnification

10.1 Limitation of Liability

Each party's liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Master Services Agreement.

10.2 Indemnification

Each party shall indemnify the other against all damages, losses, and expenses arising from claims by Data Subjects or supervisory authorities due to the indemnifying party's breach of this DPA or applicable Data Protection Laws.

11. General Provisions

11.1 Amendments

This DPA may only be amended by written agreement of both parties. However, the Processor may update the terms of this DPA to reflect changes in Data Protection Laws by providing reasonable notice to the Controller.

11.2 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

11.3 Governing Law

This DPA shall be governed by the same law as the Master Services Agreement, except where Data Protection Laws require otherwise.

11.4 Order of Precedence

In the event of any conflict between this DPA and the Master Services Agreement, this DPA shall prevail with respect to the processing of Personal Data.

12. Standard Contractual Clauses

Where required for international data transfers, the parties agree to execute the Standard Contractual Clauses approved by the European Commission, which shall be incorporated by reference and form an integral part of this DPA.

13. Contact Information

For matters relating to this Data Processing Agreement:

PDC Software Data Protection Officer

Email: [email protected]

Phone: (336) 886-3282

Address: 1208 Eastchester Drive, Suite 131, High Point, NC 27265

Appendix 1: Processing Details

Nature and Purpose of Processing

The Processor will process Personal Data as necessary to provide technology services, including but not limited to:

  • Managed IT services and 24/7 monitoring
  • PDC Software Suite operations (quoting, sales, accounting, operational control)
  • Security services including endpoint protection and threat detection
  • Backup and disaster recovery services
  • Cloud infrastructure management
  • User support and helpdesk services
  • AI transformation and automation services
  • M&A technology due diligence and integration

Categories of Data Subjects

  • Employees of the Controller
  • Contractors and consultants
  • End users of Controller's services
  • Other individuals whose data is processed through the Services

Technical and Organizational Measures

Detailed security measures are available at: pdcsoftware.com/security
