Data Processing Addendum (DPA)
Last Updated: March 2026
This Data Processing Addendum ("DPA") is entered into between SoloAdmin, a corporation organized and existing under the laws of the State of Wisconsin ("Processor"), and the entity that has accepted the SaaS Agreement ("Controller"). This DPA is effective as of the Effective Date of the SaaS Agreement and is incorporated into and forms part of the SaaS Agreement. The Controller's acceptance of the SaaS Agreement constitutes its acceptance of and agreement to be bound by the terms of this DPA.
This DPA is incorporated into and forms part of the Software as a Service Agreement (the "SaaS Agreement") between the Controller and Processor (collectively, the "Parties"). This DPA reflects the Parties' rights and obligations with respect to Personal Data Processed as part of the Services (all as defined below). In the event of a conflict between the terms of this DPA and the SaaS Agreement with respect to the subject matter herein, the terms of this DPA govern. Any prior data processing agreements between the Parties are superseded and replaced by this DPA in their entirety. All capitalized terms not defined in this DPA will have the meaning given to them in the SaaS Agreement.
1. Definitions.
For the purposes of this DPA, the following terms shall have the meanings specified below:
- "Breach Event" means any breach of security leading to the accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
- "Data Privacy Laws" means all laws and regulations relating to the processing, privacy, and/or use of Personal Data that apply to either Party or to the Services, including jurisdictional, industry-specific, and data-specific laws and regulations, and including, without limitation, applicable United States federal and state privacy laws (such as the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA)) and the laws of the State of Wisconsin.
- "Data Subject" refers to the identified or identifiable natural person whose Personal Data is processed.
- "Parties" means the Controller and Processor collectively.
- "Personal Data" refers to any information that is tied to an identified or identifiable natural person (Data Subject) that is protected as personal data, personal information, or personally identifiable information under applicable Data Privacy Laws.
- "Personnel" refers to the employees and other individuals in a contractual relationship with the Processor, and the employees and other individuals in a contractual relationship with a Subprocessor.
- "Processing" means actions performed by the Processor on the Personal Data whether by automated means or not, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- "Services" means the SoloAdmin device management platform and related services provided by the Processor pursuant to the SaaS Agreement, including device inventory management, package deployment, system patching, and system health monitoring.
- "Subprocessor" or "Subcontractor" refers to any third party appointed by the Processor to assist in fulfilling its obligations in providing Services to the Controller.
2. Purpose.
The purpose of this DPA is to define the conditions under which the Processor shall process Personal Data on behalf of the Controller.
3. Compliance with Laws.
The Processor warrants that any Processing activities performed on behalf of the Controller will be conducted in accordance with all applicable Data Privacy Laws. The Processor must notify the Controller in writing without undue delay if it is no longer able to meet its obligations under applicable Data Privacy Laws. The Processor shall promptly notify the Controller of any legal, regulatory, or governmental requirement, demand, or order (including, but not limited to, court orders, law enforcement requests, national security letters, or regulatory investigations) that requires or may require the Processor to disclose, process, or handle Personal Data in a manner that conflicts with the Controller's instructions or the provisions of this DPA, unless such notification is prohibited by law. To the extent legally permissible, the Processor shall provide the Controller with reasonable advance notice to allow the Controller to seek protective measures or challenge such requirements.
The Controller has sole responsibility for the quality and accuracy of the Personal Data and how it acquired such data. The Controller is also responsible for complying with transparency and consent requirements for the collection, use, and transfer of the Personal Data under applicable Data Privacy Laws.
4. Ownership of Data.
All Personal Data processed by the Processor in performing the Services shall remain the property of the Controller.
5. Duration of Processing.
Processing obligations under this DPA will begin on the Effective Date and run until the end of the Processor's provision of Services to the Controller.
6. Types of Data.
The Processor will process the categories of Personal Data provided by the Controller as set forth in Schedule 1.
7. Instructions for Processing.
The Processor shall process Personal Data only in accordance with this DPA, including the specific instructions set forth in Schedule 2, except where otherwise required by applicable law (in which case the Processor shall inform the Controller of that legal requirement before processing, unless applicable law prevents it from doing so on important grounds of public interest). This requirement for documented instructions applies to all Processing activities, including any transfers of Personal Data to third countries or international organizations. The Controller may issue additional or modified processing instructions to the Processor during the term of this DPA, provided such instructions are documented in writing. The Processor shall immediately inform the Controller if, in its opinion, any instruction relating to the Personal Data infringes or may infringe any Data Privacy Laws.
Specific Processing Instructions: The Processor is authorized to perform the following categories of Processing activities on Personal Data:
- Collection and receipt of Personal Data submitted by the Controller;
- Storage of Personal Data on secure servers;
- Organization, structuring, and retrieval of Personal Data for provision of the Services;
- Transmission of Personal Data to authorized Subprocessors as listed in Section 15;
- Use of Personal Data to provide the Services, including device management, package deployment, system patching, and system health monitoring;
- Consultation and use of Personal Data as necessary to fulfill the Processor's obligations under the SaaS Agreement.
The Processor is prohibited from performing the following Processing activities without prior written authorization from the Controller:
- Sharing Personal Data with third parties other than authorized Subprocessors;
- Using Personal Data for any purpose other than providing the Services;
- Transferring Personal Data outside the geographic boundaries specified by the Controller;
- Combining Personal Data with data from other sources;
- Retaining Personal Data beyond the term of the SaaS Agreement, except as required by law or as permitted under Section 16 of this DPA.
The Controller may provide additional specific processing instructions in writing, which shall be attached to Schedule 2 of this DPA and incorporated by reference.
8. Data Subject's Rights.
The Processor shall promptly notify the Controller of any request from a Data Subject to exercise their rights under applicable Data Privacy Laws, and shall assist the Controller in responding to such a request as provided in the processing instructions in Schedule 2.
9. Data Protection Impact Assessments.
The Processor shall assist the Controller in performing data protection impact assessments. At the Controller's request, the Processor shall provide all information the Controller reasonably needs to meet its data protection assessment obligations, including but not limited to information about data transmission, data storage, methods of processing, encryption, and data destruction.
10. Confidentiality.
Both Parties agree to maintain the confidentiality of Personal Data and not to disclose such data except as expressly permitted under the terms of this DPA. The Processor shall ensure that all Personnel authorized to process Personal Data are subject to binding confidentiality obligations.
11. Liability.
The Parties agree to indemnify one another against any claims, including but not limited to damages and fines, arising out of their respective breaches of this DPA. Each Party's total cumulative liability in connection with this DPA, whether in contract, tort, or otherwise, shall not exceed the amount of fees paid or owed by the Controller to the Processor under the SaaS Agreement in the twelve (12) months preceding the date on which the events giving rise to such liability occurred. The foregoing limitation shall not apply to: (a) a Party's indemnification obligations under this Section 11; (b) liability arising from a Party's breach of Section 10 (Confidentiality); (c) liability arising from a Party's gross negligence or willful misconduct; or (d) either Party's fraud or fraudulent misrepresentation.
12. Data Security.
The Processor shall, at all times, implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to the risk to protect the Personal Data against accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access. Such measures shall be at least equivalent to the technical and organizational measures set out in Schedule 3.
During the period in which the Processor processes any Personal Data, it shall carry out a documented assessment, at least every twelve (12) months, of whether the security measures it has implemented comply with the paragraph above. Within thirty (30) days of completing each assessment, the Processor shall provide the Controller with full details of the assessment and its outcome, and of any additional measures the Processor plans to implement as a result of the assessment.
Except as agreed by the parties by way of a binding variation of this DPA, the Processor may not make any change to the security measures it applies to the Personal Data from time to time to the extent any such change would materially reduce the level of security or conflict with the provisions of this DPA. The Processor may enhance security measures without prior notice to the Controller.
13. Breach Notification.
The Processor shall notify the Controller of any Breach Event involving the Controller's Personal Data without undue delay, and in any event within seventy-two (72) hours of becoming aware of such Breach Event.
14. Limitations on Use.
The Processor shall not use or authorize the use of the Personal Data for any purpose other than performing its obligations under the SaaS Agreement and providing the Services as described in this DPA. Notwithstanding the foregoing, the Processor may: (a) de-identify or aggregate Personal Data and use such de-identified or aggregated data that does not identify the Controller or its Users for any lawful purpose, including to train machine learning or artificial intelligence tools and to improve and provide its services, in accordance with Section 6.4 of the SaaS Agreement; and (b) retain and use Usage Data (as defined in the SaaS Agreement) for any lawful business purpose in accordance with Section 6.5 of the SaaS Agreement.
The Controller shall not, and shall use commercially reasonable efforts to ensure that its Users do not, upload to the Platform or otherwise submit or make accessible to the Processor any: (i) financial account information or government-issued identifiers (e.g., social security numbers, credit card information, bank account information, driver's license numbers, or passport numbers); (ii) protected health information as defined under HIPAA; (iii) special categories of personal data as defined under GDPR Article 9; (iv) payment card information subject to PCI DSS; or (v) other types of sensitive data that are subject to specific or elevated data protection requirements under applicable law (collectively, "Prohibited Data"). The Controller acknowledges that the Platform is not designed for the management or protection of Prohibited Data and may not provide adequate or legally required security for Prohibited Data. If the Controller or any of its Users uploads any Prohibited Data to the Platform in violation of this Section, the Processor may immediately delete such Prohibited Data without notice to the Controller, and the Controller shall indemnify, defend, and hold harmless the Processor from any claims, damages, losses, liabilities, and expenses (including reasonable attorneys' fees) arising from the Controller's breach of this provision.
15. Subcontractor Requirements.
The Processor may engage a Subcontractor (alternatively referred to herein as Subprocessor) to process Personal Data only with the Controller's prior written consent and under a written contract. The Controller hereby grants general written authorization for the Processor to engage Subcontractors, provided that the Processor provides the Controller with at least thirty (30) days' prior written notice before engaging any new Subcontractor or making any material changes to an existing Subcontractor arrangement. The Processor currently uses the following Subprocessors: DigitalOcean, LLC (cloud hosting services) and Auth0, Inc. (authentication services). The Subcontractor must agree in writing to uphold all the Processor's obligations under the DPA.
The Processor shall ensure that any Subcontractors it engages comply with all Data Privacy Laws in connection with the processing of Personal Data and the provision of the Services.
The Processor shall maintain a current and complete list of all Subcontractors engaged to process Personal Data, including each Subcontractor's name, location(s) where processing occurs, and a description of the processing activities performed by each Subcontractor. The Processor shall make this list available to the Controller upon written request and shall ensure the list is updated within ten (10) days of any changes to Subcontractor arrangements. The Processor may also make this list available to the Controller through a publicly accessible website or secure online portal, provided the Controller is notified of the location and any updates.
16. Destruction or Return of Data.
Upon termination or expiration of the SaaS Agreement, the Controller shall have seven (7) days from the effective date of termination to export all Customer Data from the Platform. The Processor agrees, at the Controller's choice, to securely delete or return the Personal Data within thirty (30) days of termination or expiration of the SaaS Agreement, except to the extent that storage of any such data is required by applicable law (in which case the Processor shall inform the Controller of the requirement and shall securely delete such data as soon as applicable law permits). The Processor's standard data retention policy provides for deletion of Customer Data within thirty (30) days following account termination. For the avoidance of doubt, the Processor may retain Customer Data in archived backup files in accordance with Section 5.4 of the SaaS Agreement.
17. Audits and Compliance.
The Processor shall permit the Controller, or an independent auditor appointed by the Controller, to conduct audits or inspections on reasonable notice and during regular business hours to verify compliance with the terms of this DPA and applicable Data Privacy Laws. The scope of any such audit shall be limited to the systems, procedures, and documentation relevant to the processing of Personal Data. The Processor agrees to provide the Controller with all necessary cooperation, access, and support to conduct such audits. The Parties shall treat the findings of any such audit as confidential information subject to the terms of this DPA. The Processor acknowledges and agrees that supervisory authorities and data protection authorities have the right to access the Processor's facilities, systems, and records for inspection or audit purposes in relation to the processing activities conducted under this DPA, to the extent required or permitted by applicable Data Privacy Laws, and the Processor shall provide reasonable cooperation and access to such authorities.
18. Recordkeeping Obligations.
The Processor shall maintain complete, accurate, and up-to-date written records of all categories of processing activities carried out on behalf of the Controller, and shall ensure that such records include all information:
- Necessary to demonstrate its compliance with this DPA;
- That each Party is required to record and/or maintain under applicable Data Privacy Laws; and
- That the Controller may reasonably require from time to time.
The Processor shall make copies of such records available to the Controller promptly (and in any event within thirty (30) days) on request from time to time.
19. Acceptance.
This DPA is incorporated into and accepted as part of the SaaS Agreement. The Controller's acceptance of the SaaS Agreement - whether by clicking a box indicating acceptance, accepting an Order referencing the SaaS Agreement, submitting payment information, or otherwise accessing the Platform - constitutes the Controller's acceptance of and agreement to be bound by the terms of this DPA. No separate execution of this DPA by the Parties is required.
Schedule 1
The types of Personal Data processed under the DPA and the categories of Data Subjects are as follows:
- Categories of Personal Data:
- Contact and identity information: names, email addresses, usernames, and other basic contact information of the Controller's Users and personnel;
- Device and system data: device inventory information, hardware and software configurations, audit logs, system health data, and other technical information collected from managed devices through the Platform;
- Access and deployment information: deployment logs, access credentials, scripts, and software installation packages associated with the Controller's managed devices and Platform usage.
- Categories of Data Subjects:
- The Controller's employees, independent contractors, and other personnel whose devices are managed through the Platform; and
- The Controller's Users (as defined in the SaaS Agreement) who access and use the Platform.
- Exclusions: The following categories of data are expressly excluded from the scope of this DPA:
- Usage Data (as defined in the SaaS Agreement) that does not identify the Controller or its Users;
- Aggregated Data (as defined in the SaaS Agreement); and
- Prohibited Data (as defined in Section 14 of this DPA), which the Controller is prohibited from submitting to the Platform.
Schedule 2
Specific Processing Instructions:
- Purpose Limitation — The Processor shall process Personal Data solely to provide the Services described in the SaaS Agreement, including device inventory management, package deployment, system patching, and system health monitoring. Personal Data shall not be used for product development, marketing, or analytics unless separately authorized in writing by the Controller.
- Data Minimization — The Processor shall collect and process only the minimum Personal Data necessary to perform each specific service function. Device telemetry data shall be limited to information technically required for the relevant monitoring or deployment task.
- Access Controls — Access to Personal Data shall be restricted to Personnel on a strict need-to-know basis. The Processor shall maintain role-based access controls and shall revoke access within twenty-four (24) hours of a Personnel member's departure or role change.
- Retention and Deletion — Active device logs and system health data shall be retained for no longer than ninety (90) days, unless a longer period is required by law or specified in writing by the Controller. Upon the Controller's written request, the Processor shall delete specific datasets within thirty (30) days of such request.
- Data Transfer Restrictions — Personal Data shall be processed and stored only within the geographic region(s) specified by the Controller. Unless otherwise agreed in writing by the Controller, all processing and storage of Personal Data shall occur within the United States. Any transfer of Personal Data outside the specified region requires prior written authorization from the Controller.
- Subprocessor Instructions — The Processor may transmit Personal Data to DigitalOcean, LLC (cloud hosting services) and Auth0, Inc. (authentication services) solely to the extent necessary to provide the Services. No additional Subprocessor may receive Personal Data unless the Processor has given the Controller at least thirty (30) days' prior written notice under the general authorization set out in Section 15 of this DPA.
- Data Subject Rights Assistance — Upon receipt of a Data Subject rights request (including, without limitation, requests for access, deletion, correction, or portability), the Processor shall notify the Controller within five (5) business days of receipt. The Processor shall provide all reasonably required technical assistance to the Controller to enable fulfillment of the request within thirty (30) days of the original request, or such shorter period as may be required by applicable Data Privacy Laws.
- Incident Response — Upon detecting or becoming aware of a suspected or confirmed Breach Event, the Processor shall immediately take steps to contain the incident and preserve all relevant logs and evidence. In addition to the notification obligations set out in Section 13 of this DPA, the Processor shall cooperate fully with the Controller's incident response procedures and shall provide a written post-incident report to the Controller within fifteen (15) days of becoming aware of the Breach Event, including a description of the nature of the incident, the data affected, the likely consequences, and the remedial measures taken or proposed.
- Audit Cooperation — The Processor shall make available to the Controller upon written request all documentation, logs, system records, and other information reasonably necessary to demonstrate compliance with this DPA and applicable Data Privacy Laws, in accordance with Section 17 of this DPA.
Schedule 3
Minimum Technical and Organizational Security Measures.
Without prejudice to its other obligations, the Processor shall, at its own cost and expense, implement and maintain at least the following technical and organizational security measures to protect the Personal Data, and shall regularly review and update such measures to ensure their continued effectiveness and compliance with applicable data protection laws:
- Encryption
- All Personal Data shall be encrypted in transit using TLS 1.2 or higher.
- All Personal Data shall be encrypted at rest using AES-256 or equivalent industry-standard encryption.
- Encryption keys shall be managed and rotated on at least an annual basis, with access to keys restricted to authorized Personnel only.
- Access Controls
- The Processor shall implement role-based access controls (RBAC) to restrict access to Personal Data to authorized Personnel on a need-to-know basis.
- All access to systems processing Personal Data shall require multi-factor authentication (MFA).
- The Processor shall maintain and review access logs and shall revoke access promptly (and in any event within twenty-four (24) hours) upon a Personnel member's departure or role change.
- Privileged and administrative access shall be subject to enhanced controls, including logging, periodic review, and the principle of least privilege.
- Network and Infrastructure Security
- The Processor shall maintain firewalls, intrusion detection and/or prevention systems, and other appropriate network-level security controls.
- Systems processing Personal Data shall be logically segregated from other systems and networks where feasible.
- All security patches and updates to systems processing Personal Data shall be applied in a timely manner, and in any event within thirty (30) days of release for critical patches.
- Vulnerability Management and Penetration Testing
- The Processor shall conduct regular vulnerability scans of systems processing Personal Data, at a minimum on a quarterly basis.
- The Processor shall conduct, or cause to be conducted, penetration testing of its systems and infrastructure at least annually, and shall remediate material findings within a reasonable timeframe.
- Incident Detection and Response
- The Processor shall maintain a documented incident response plan that includes procedures for detecting, containing, investigating, and remediating Breach Events.
- The Processor shall maintain security monitoring and logging capabilities sufficient to detect unauthorized access or anomalous activity affecting Personal Data.
- Logs generated by the Processor's own security monitoring and access-control systems relating to access to and processing of Personal Data (as distinct from device logs and system health data collected from managed devices, whose retention is limited under Schedule 2) shall be retained for a minimum of twelve (12) months.
- Physical Security
- The Processor and its Subprocessors shall maintain appropriate physical security controls to restrict unauthorized access to facilities and equipment used to process Personal Data, including access controls, surveillance, and environmental protections.
- Business Continuity and Disaster Recovery
- The Processor shall maintain documented and tested business continuity and disaster recovery plans that address the availability and integrity of Personal Data.
- Personal Data shall be backed up on a regular basis, with backups encrypted and stored securely.
- Personnel and Training
- The Processor shall ensure that all Personnel with access to Personal Data receive data protection and security awareness training at least annually.
- All Personnel with access to Personal Data shall be subject to binding confidentiality obligations.
- The Processor shall conduct appropriate background checks on Personnel with access to Personal Data, to the extent permitted by applicable law.
- Vendor and Subprocessor Security
- The Processor shall conduct security due diligence on Subprocessors prior to engagement and on a periodic basis thereafter.
- All Subprocessors engaged to process Personal Data shall be contractually required to maintain security measures at least equivalent to those set out in this Schedule 3.
- Data Minimization and Pseudonymization
- The Processor shall, where feasible and appropriate, apply pseudonymization or anonymization techniques to Personal Data to reduce risk.
- The Processor shall collect and retain only the minimum Personal Data necessary for the performance of the Services.
- Security Reviews
- The Processor shall review and update its security measures at least annually or following any material change to its systems, services, or the threat landscape, and shall document the results of such reviews in accordance with Section 12 of this DPA.