Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Master Strategic Group LLC DBA Traffic Orchestrator ("Processor") and the customer ("Controller") and governs the processing of personal data by Master Strategic Group LLC DBA Traffic Orchestrator on behalf of the customer, as required by GDPR Article 28.

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person processed by Traffic Orchestrator on behalf of the Controller.
• "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, transmission, or deletion.
• "Sub-processor" means any third party engaged by Traffic Orchestrator to process Personal Data on behalf of the Controller.
• "Data Subject" means the identified or identifiable person to whom the Personal Data relates.

2. Scope of Processing

Traffic Orchestrator processes the following categories of Personal Data on behalf of the Controller:

• License Validation Data: Domain names, IP addresses (retained for 90 days, then scrubbed), device fingerprints, and validation timestamps
• Account Data: Customer email address, name, and organization information
• Usage Data: API call counts, validation frequency, and aggregate analytics

Processing is carried out solely for the purpose of providing the Software Licensing and API Management services described in the Terms of Service.

3. Controller Obligations

The Controller shall:

• Ensure that it has a lawful basis for providing Personal Data to Traffic Orchestrator
• Provide clear and conspicuous privacy notices to its end-users regarding the use of Traffic Orchestrator's license validation services
• Respond to Data Subject requests received directly and notify Traffic Orchestrator if assistance is required
• Comply with all applicable data protection laws and regulations

4. Processor Obligations

Traffic Orchestrator shall:

• Process Personal Data only on documented instructions from the Controller, unless required by applicable law
• Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures (see Section 5)
• Assist the Controller in responding to Data Subject requests
• Delete or return all Personal Data upon termination of the agreement, at the Controller's choice, within 30 days
• Make available all information necessary to demonstrate compliance with this DPA

5. Security Measures

Traffic Orchestrator implements the following technical and organizational measures to protect Personal Data:

• Encryption in Transit: All data transmitted via TLS 1.3 with forward secrecy
• Encryption at Rest: AES-256 encryption for stored credentials and sensitive data
• Access Controls: Role-based access, API key authentication with SHA-256 hashed storage
• Password Security: Bcrypt hashing (cost factor 12) for user passwords; plaintext passwords are never stored
• Automated Data Retention: IP addresses scrubbed after 90 days; expired sessions and tokens automatically purged
• Infrastructure Security: Globally distributed edge network with DDoS protection, rate limiting, and security headers (HSTS, CSP, X-Frame-Options)
• Audit Logging: Comprehensive audit trails of all data access and modifications, retained for 90 days
• Incident Detection: Automated self-healing monitoring with per-minute health checks

6. Sub-processors

Traffic Orchestrator uses the following sub-processors:

• Cloudflare, Inc. — Infrastructure hosting, CDN, DDoS protection, and data storage services
• Stripe, Inc. — Payment processing (PCI DSS Level 1 compliant; Traffic Orchestrator never stores card data)
• Resend, Inc. — Transactional email delivery

Traffic Orchestrator will notify the Controller of any intended changes to sub-processors at least 30 days in advance via email. The Controller may object to a new sub-processor within 14 days. If the objection cannot be reasonably resolved, the Controller may terminate the agreement.

7. Data Subject Requests

If Traffic Orchestrator receives a request from a Data Subject to exercise their rights under GDPR (access, rectification, erasure, restriction, portability, or objection), Traffic Orchestrator will:

• Promptly notify the Controller of the request
• Not respond to the Data Subject directly, except to redirect them to the Controller
• Provide reasonable technical assistance to the Controller in fulfilling the request

8. Data Breach Notification

In the event of a Personal Data breach, Traffic Orchestrator will:

• Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach
• Provide all available information about the nature, scope, and likely consequences of the breach
• Take immediate steps to contain and remediate the breach
• Cooperate with the Controller in any notification to supervisory authorities or Data Subjects

9. Audit Rights

The Controller has the right to audit Traffic Orchestrator's compliance with this DPA, subject to the following conditions:

• Audits shall be conducted at reasonable intervals and with reasonable advance notice (minimum 30 days)
• Audits shall be limited in scope to matters directly relevant to Personal Data processing under this DPA
• Traffic Orchestrator may satisfy audit requests by providing relevant certifications, audit reports, or documentation
• The Controller shall bear the costs of any on-site audits

10. International Data Transfers

When Personal Data is transferred outside the European Economic Area (EEA), Traffic Orchestrator ensures adequate protection through:

• EU Standard Contractual Clauses (SCCs) as adopted by the European Commission
• Adequacy decisions where applicable
• Cloudflare's commitment to data localization and regional processing where configured

11. Duration and Termination

This DPA remains in effect for the duration of the Terms of Service. Upon termination:

• Traffic Orchestrator will cease all processing of Personal Data within 30 days
• All Personal Data will be securely deleted or returned, at the Controller's election
• A certificate of deletion will be provided upon request

Obligations regarding confidentiality, security, and cooperation with investigations shall survive termination.