Data Processing Agreement

Last updated: January 1, 2025

Introduction

This Data Processing Agreement ("DPA") describes how IT Strategy Group processes personal data when providing our consulting services. This agreement supplements our Privacy Policy and service agreements.

This DPA applies when we process personal data on behalf of our clients in the course of providing our services.

Definitions

Personal Data

Any information relating to an identified or identifiable natural person.

Data Controller

The entity that determines the purposes and means of personal data processing (typically our client).

Data Processor

The entity that processes personal data on behalf of the Data Controller (IT Strategy Group).

Data Subject

The natural person whose personal data is processed.

Nature and Purpose of Processing

We process personal data solely for the purpose of providing our consulting services, which may include:

  • Digital transformation consulting
  • Platform engineering and development
  • Cloud migration and modernization
  • Systems analysis and optimization
  • Technical documentation and training

Categories of Data Subjects

Depending on the nature of our services, we may process personal data relating to:

  • Client employees and contractors
  • End users of client systems
  • Customer data within client systems
  • Third-party contacts and stakeholders

Types of Personal Data

The categories of personal data we may process include:

  • Identity data (names, titles, contact information)
  • Professional information (job roles, company affiliations)
  • Technical data (IP addresses, system identifiers)
  • Usage data (system logs, analytics data)
  • Communications data (emails, support tickets)

Data Processing Obligations

IT Strategy Group commits to:

  • Process personal data only as instructed by the client
  • Ensure authorized personnel are bound by confidentiality
  • Implement appropriate technical and organizational measures
  • Assist with data subject rights requests
  • Notify clients of any data breaches without undue delay
  • Delete or return data upon completion of services

Security Measures

We implement comprehensive security measures to protect personal data:

Technical Safeguards

  • Encryption in transit and at rest
  • Multi-factor authentication
  • Network security controls
  • Regular security updates and patches
  • Secure development practices

Organizational Measures

  • Access controls and role-based permissions
  • Employee security training
  • Incident response procedures
  • Regular security assessments
  • Vendor security evaluations

Sub-Processors

We may engage sub-processors to assist in providing our services. When we do:

  • We ensure they provide adequate data protection guarantees
  • We impose the same data protection obligations via contract
  • We remain fully liable for sub-processor performance
  • We maintain a list of authorized sub-processors

International Data Transfers

If personal data is transferred outside the jurisdiction where it was collected, we ensure:

  • Appropriate safeguards are in place
  • Standard contractual clauses are implemented
  • Adequacy decisions are respected
  • Client consent is obtained when required

Data Subject Rights

We assist clients in responding to data subject requests, including:

  • Access requests
  • Rectification of inaccurate data
  • Erasure requests
  • Restrictions on processing
  • Data portability requests
  • Objections to processing

Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the client without undue delay (within 72 hours when possible)
  • Provide detailed information about the breach
  • Assist with breach assessment and notification obligations
  • Take immediate steps to contain and remedy the breach
  • Cooperate with regulatory investigations

Data Retention and Deletion

Upon termination of our services, we will:

  • Return or securely delete all personal data as instructed
  • Provide confirmation of data deletion
  • Ensure sub-processors also delete or return data
  • Retain data only if required by law

Audits and Compliance

We support compliance efforts by:

  • Providing documentation of our security measures
  • Allowing reasonable audits and inspections
  • Maintaining records of processing activities
  • Participating in data protection impact assessments

Contact Information

For questions about data processing or to exercise data subject rights, please contact us:

IT Strategy Group - Data Protection

Email: info@itsginfo.com

Website: https://itsginfo.com
