Skip to main content

Data Processing Addendum

Effective Date: December 21, 2024

This Data Processing Addendum ("DPA") forms part of the Terms of Service ("Agreement") between Datalift, LLC, doing business as Admiral ("Admiral" or "Processor") and the customer identified in the Agreement ("Customer" or "Controller") and applies where and only to the extent that Admiral processes Personal Data on behalf of Customer in the course of providing the Service and such processing is subject to the Data Protection Laws.

1. Definitions

In this DPA, the following terms have the meanings set out below:

  • "Controller" means the entity that determines the purposes and means of processing Personal Data.
  • "Data Protection Laws" means all applicable laws and regulations relating to privacy, data protection, and data security, including without limitation the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act (as amended by the California Privacy Rights Act), and any implementing, derivative or related legislation, regulation and guidance.
  • "Data Subject" means the identified or identifiable individual to whom Personal Data relates.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Admiral on behalf of Customer in connection with the Service, as more particularly described in Annex A.
  • "Processing" means any operation or set of operations performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
  • "Processor" means the entity that processes Personal Data on behalf of the Controller.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as described in the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  • "Subprocessor" means any entity engaged by Admiral to process Personal Data on behalf of Customer.

2. Scope and Roles

2.1. Scope of DPA

This DPA applies to the processing of Personal Data by Admiral on behalf of Customer in the course of providing the Service. The subject matter, duration, nature and purpose of the processing, and the types of Personal Data and categories of Data Subjects are described in Annex A.

2.2. Roles and Responsibilities

The parties acknowledge and agree that with regard to the processing of Personal Data, Customer is the Controller and Admiral is the Processor. Customer shall, in its use of the Service, process Personal Data in accordance with the requirements of Data Protection Laws. Customer shall ensure that its instructions for the processing of Personal Data comply with Data Protection Laws, and that the processing of Personal Data in accordance with Customer's instructions will not cause Admiral to be in breach of the Data Protection Laws.

3. Admiral's Processing of Personal Data

3.1. Compliance with Instructions

Admiral shall process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law to which Admiral is subject. In such a case, Admiral shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Agreement (including this DPA) constitutes Customer's complete instructions to Admiral in relation to the processing of Personal Data.

3.2. Confidentiality

Admiral shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3. Security of Processing

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Admiral shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as further described in Annex B. These measures include:

  • Encryption of Personal Data at rest and in transit
  • Measures to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • The ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures

4. Subprocessors

4.1. Authorized Subprocessors

Customer provides general authorization for Admiral to engage Subprocessors to process Personal Data. A current list of Subprocessors is available at our Subprocessors page.

4.2. Subprocessor Changes

Admiral shall provide Customer with at least thirty (30) days' prior written notice of the addition or replacement of any Subprocessor. If Customer has legitimate grounds relating to the protection of Personal Data to object to Admiral's appointment of a new Subprocessor, Customer shall notify Admiral promptly in writing within fifteen (15) days of receipt of Admiral's notice. In such event, the parties shall discuss Customer's concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Customer may terminate the affected Service by providing written notice to Admiral.

4.3. Subprocessor Obligations

Where Admiral engages a Subprocessor for carrying out specific processing activities on behalf of Customer, Admiral shall impose data protection obligations on such Subprocessor by way of a contract that provides substantially the same level of protection for Personal Data as those in this DPA. Admiral shall remain fully liable to Customer for the performance of any Subprocessor's obligations.

5. Data Subject Rights

5.1. Assistance with Data Subject Requests

Taking into account the nature of the processing, Admiral shall provide reasonable assistance to Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including rights of access, rectification, restriction, erasure, data portability, and objection. If a Data Subject sends a request to exercise any of their rights under Data Protection Laws directly to Admiral, Admiral will promptly forward the request to Customer, and Customer will be responsible for responding to such request.

5.2. Customer's Responsibilities

Customer is solely responsible for responding to Data Subject requests in accordance with applicable Data Protection Laws. Admiral will provide Customer with commercially reasonable assistance in responding to such requests, to the extent such assistance is technically feasible and does not require Admiral to disclose confidential information or access another customer's data.

6. Personal Data Breach

6.1. Notification

Admiral shall notify Customer without undue delay after becoming aware of any Personal Data breach affecting Customer's Personal Data. Such notification shall, to the extent possible, include:

  • A description of the nature of the Personal Data breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned
  • The likely consequences of the Personal Data breach
  • A description of the measures taken or proposed to be taken to address the Personal Data breach and, where appropriate, measures to mitigate its possible adverse effects
  • Contact details for further information

6.2. Assistance

Admiral shall provide Customer with reasonable cooperation and assistance in relation to any Personal Data breach, taking into account the nature of processing and the information available to Admiral.

7. Data Protection Impact Assessment and Prior Consultation

Admiral shall provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with supervisory authorities or other competent data privacy authorities to the extent required under Data Protection Laws and to the extent Customer does not otherwise have access to the relevant information.

8. Deletion or Return of Personal Data

Upon termination or expiration of the Agreement, Admiral shall, at Customer's choice and subject to the terms of the Agreement, delete or return to Customer all Personal Data processed pursuant to this DPA, and delete existing copies unless applicable law requires storage of the Personal Data. Customer acknowledges that if Customer does not export its data before the date of termination, Admiral may delete such data in accordance with the Agreement.

9. Audit Rights

Admiral shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer. Customer acknowledges that Admiral is regularly audited by independent third-party auditors. Upon request, Admiral shall make available to Customer (subject to confidentiality obligations) a summary copy of its audit report(s) or certifications (e.g., SOC 2 Type II report) so that Customer can verify Admiral's compliance with this DPA.

10. International Data Transfers

10.1. Data Transfer Mechanism

To the extent that Admiral processes Personal Data protected by GDPR that has been transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to a jurisdiction that has not been recognized by the European Commission, the UK Information Commissioner's Office, or the Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data, the parties agree that the transfer shall be governed by the Standard Contractual Clauses, which are incorporated herein by reference and deemed executed by the parties.

10.2. Module and Roles

For the purposes of the Standard Contractual Clauses, Customer is the data exporter and Admiral is the data importer. The parties agree to comply with Module Two (Controller-to-Processor) of the Standard Contractual Clauses. For purposes of Clause 7 (docking clause), the optional docking clause does not apply. For purposes of Clause 9(a) (use of sub-processors), the parties select Option 2 (general written authorization). For purposes of Clause 11(a) (redress), the optional language does not apply. For purposes of Clause 17 (governing law), the parties select the law of Ireland. For purposes of Clause 18(b) (choice of forum and jurisdiction), the parties select the courts of Ireland.

10.3. Supplementary Measures

Admiral implements and maintains appropriate technical and organizational measures to ensure an adequate level of protection for Personal Data, as set out in Annex B (Security Measures).

11. Liability and Indemnification

Each party's liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Agreement. For the avoidance of doubt, Admiral's total liability for all claims arising out of or related to this DPA shall not exceed the liability cap set forth in the Agreement.

12. Term and Termination

This DPA shall commence on the effective date of the Agreement and shall continue until the termination or expiration of the Agreement. Upon termination or expiration of the Agreement, the provisions of this DPA relating to the deletion or return of Personal Data and confidentiality shall survive.

13. General Provisions

13.1. Order of Precedence

In the event of any conflict or inconsistency between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail to the extent of such conflict or inconsistency with respect to the processing of Personal Data.

13.2. Entire Agreement

This DPA, together with the Agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior or contemporaneous understandings or agreements, written or oral, regarding such subject matter.

13.3. Amendments

Admiral may update this DPA from time to time to reflect changes in business practices, technology, or legal requirements. If Admiral makes material changes to this DPA, Admiral will notify Customer in accordance with the notice provisions in the Agreement.

Annex A: Details of Processing

Subject Matter

The processing of Personal Data as necessary to provide the Service pursuant to the Agreement.

Duration

The duration of the Agreement, plus the period from expiration or termination of the Agreement until deletion of all Personal Data by Admiral.

Nature and Purpose of Processing

Admiral will process Personal Data for the purpose of providing the Service to Customer in accordance with the Agreement, including:

  • Hosting and storing Customer Data
  • Providing infrastructure provisioning and Kubernetes deployment services
  • Processing Customer inquiries and providing technical support
  • Monitoring and improving the Service
  • Detecting, preventing, and responding to security incidents

Types of Personal Data

Personal Data processed may include:

  • Contact information (name, email address, phone number)
  • Account credentials (username, encrypted password)
  • Company information (company name, job title)
  • User-generated content (infrastructure configurations, application manifests, environment variables)
  • Technical information (IP addresses, browser type, device information)
  • Usage data (features accessed, timestamps, actions performed)
  • Billing information (when processed as part of the Service)

Categories of Data Subjects

Data Subjects may include:

  • Customer's employees, contractors, and authorized users
  • Customer's customers, partners, or end-users (if included in User Submissions)
  • Prospective customers and sales contacts

Annex B: Security Measures

Admiral implements and maintains appropriate technical and organizational security measures designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures include:

Technical Measures

  • Encryption: Personal Data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3 or higher
  • Access Controls: Role-based access control (RBAC) limiting access to Personal Data based on job function and need-to-know
  • Authentication: Multi-factor authentication (MFA) for administrative access
  • Logging and Monitoring: Comprehensive audit logging of access to and processing of Personal Data
  • Network Security: Firewalls, intrusion detection and prevention systems, and network segmentation
  • Vulnerability Management: Regular security assessments, penetration testing, and vulnerability scanning
  • Backups: Regular automated backups with tested restoration procedures

Organizational Measures

  • Security Policies: Documented information security policies and procedures
  • Staff Training: Regular security awareness training for personnel with access to Personal Data
  • Confidentiality: Contractual confidentiality obligations for all personnel
  • Incident Response: Documented incident response plan with procedures for detecting, responding to, and reporting security incidents
  • Vendor Management: Due diligence and contractual safeguards for Subprocessors
  • Compliance: Regular audits and assessments including SOC 2 Type II certification

For more detailed information about Admiral's security practices, please visit our Security page.

Contact Information

For questions about this DPA or Admiral's data processing practices, please contact:

Datalift, LLC
155 Willowbrook Blvd, Ste 110 #3332
Wayne, NJ 07470
Email: [email protected]