Data Processing Addendum
Last updated: June 12, 2026
1. Purpose and Scope
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Developer312 and the Customer and supplements the Terms with respect to the processing of personal data.
This DPA applies where Developer312 processes personal data on behalf of the Customer in connection with the Eco-Auditor platform. It is intended to support GDPR-aligned controller-to-processor arrangements.
In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of personal data.
2. Definitions
Unless defined otherwise, terms used in this DPA have the meanings given in the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"). Key definitions:
- "Customer" means the organization that has entered into a subscription agreement for the Eco-Auditor platform
- "Processor" means Developer312, acting on behalf of the Customer in processing personal data
- "Controller" means the Customer, which determines the purposes and means of processing personal data
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Subprocessor" means any third party engaged by Developer312 to process personal data on behalf of the Customer
- "Data Subject" means an identified or identifiable natural person whose personal data is processed
3. Roles of the Parties
The Customer acts as the Controller of personal data. Developer312 acts as the Processor, processing personal data on the Customer's behalf and only in accordance with the Customer's documented instructions.
Where Developer312 decides on the purposes and means of processing its own employee or business data separate from the Customer's data, Developer312 acts as Controller for that processing.
4. Subject Matter and Duration of Processing
The subject matter of processing is the hosting, storing, organizing, analyzing, and displaying of customer-submitted business data within the Eco-Auditor platform.
This DPA applies for the duration of the Customer's subscription and a post-termination retention period as specified in the Terms of Service, after which personal data is securely deleted in accordance with Section 12.
5. Processing on Documented Instructions
Developer312 shall process personal data only on documented instructions from the Customer, including:
- Instructions provided through the Eco-Auditor platform interface
- Instructions provided in writing (including email) by authorized Customer representatives
- Processing necessary to comply with applicable legal obligations
Developer312 shall not process personal data for its own purposes or for purposes not authorized by the Customer, unless required by applicable law, in which case Developer312 shall inform the Customer unless legally prohibited from doing so.
6. Confidentiality
Developer312 ensures that all persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Developer312's employees and contractors are bound by confidentiality agreements and receive data protection training appropriate to their role.
7. Security of Processing
Developer312 implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Annex II. These measures include:
- Role-based access controls and least-privilege access
- Encryption of personal data in transit (TLS 1.2+) and at rest
- Authentication and password controls including multi-factor authentication
- Logging, monitoring, and intrusion detection
- Backup and disaster recovery measures
- Environment segregation between production, staging, and development
- Vulnerability management and security patching
- Incident response procedures
- Employee confidentiality obligations and security training
- Secure deletion procedures
8. Use of Subprocessors
The Customer authorizes Developer312 to engage subprocessors to process personal data on the Customer's behalf. Developer312 ensures that subprocessors are bound by written agreements that impose data protection obligations no less protective than those in this DPA.
A current list of subprocessors is maintained in Annex III. Developer312 will notify the Customer of any addition or replacement of subprocessors, providing the Customer with a reasonable opportunity to object to such changes.
If the Customer objects to a subprocessor change and the parties cannot reach a resolution, the Customer may terminate the affected portion of the service or, if the change affects the entire service, terminate the subscription.
9. Assistance with Data Subject Rights
Developer312 shall assist the Customer in fulfilling its obligations to respond to data subject requests for exercising their rights under applicable data protection laws, including rights of access, rectification, erasure, portability, restriction, and objection.
Developer312 will promptly notify the Customer if it receives a data subject request directly and will not respond to such requests without the Customer's instructions, except as required by applicable law.
10. Personal Data Breach Notification
Developer312 shall notify the Customer without undue delay after becoming aware of a personal data breach, providing:
- The nature of the breach, including the categories and approximate number of data subjects and records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
- A designated point of contact for further information
Developer312 will cooperate with the Customer in investigating breaches and will provide all reasonably available information to assist the Customer in meeting its notification obligations under applicable law.
11. Return and Deletion of Personal Data
Upon termination of the service agreement, Developer312 will, at the Customer's choice:
- Return all personal data to the Customer in a structured, commonly used, machine-readable format; or
- Securely delete all personal data and certify such deletion in writing
This obligation does not apply where retention of personal data is required by applicable law, in which case Developer312 will continue to process such data only for the purpose and duration required by law.
12. Information and Audit Rights
Developer312 shall make available to the Customer all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
Such audits shall be conducted during normal business hours with reasonable advance notice, and the Customer shall bear the cost of such audits unless they reveal a material breach of this DPA by Developer312.
13. International Data Transfers
Developer312 may process or access personal data outside the EEA, UK, or Switzerland depending on hosting, support, or infrastructure operations.
Where required, international transfers shall be governed by the Standard Contractual Clauses described in Section 14 and Annex IV.
Developer312 will ensure that any transfer of personal data to a third country is subject to appropriate safeguards as required by applicable data protection law.
14. Standard Contractual Clauses
Where personal data is transferred from the EEA, the parties agree to incorporate the Standard Contractual Clauses ("SCCs") as adopted by the European Commission, consisting of:
- Module Two (Controller to Processor): Where the Customer acts as Controller and Developer312 acts as Processor
- Module Three (Processor to Processor): Where both parties act as Processors in a chain of processing
The specific module(s) applicable will depend on the processing context. Annex IV provides the relevant SCC details and transfer information.
For transfers to the UK, the UK Addendum to the EU SCCs as approved by the UK Information Commissioner's Office shall apply as a supplementary measure.
15. Liability and Order of Precedence
Liability under this DPA shall be subject to the limitations and exclusions set out in the Terms of Service.
The order of precedence for conflicting terms shall be: (1) this DPA, (2) the Terms of Service, and (3) any other agreement between the parties with respect to the processing of personal data.
16. Governing Law
This DPA shall be governed by and construed in accordance with the laws specified in the Terms of Service.
Nothing in this DPA shall prejudice the data subject's rights under applicable data protection law.
17. Changes to this DPA
Developer312 may update this DPA to reflect changes in applicable law, regulatory requirements, or data processing practices. Where the update represents a material change, Developer312 will provide the Customer with notice and an opportunity to review the updated terms.
Updated subprocessor information will be provided in accordance with Section 8.
18. Contact Information
Developer312 — Data Protection
Developer312 is a subsidiary of NIGHT LITE USA LLC.
Email: hello@developer312.com
Phone: (510) 401-1225
Annexes
Annex I: Details of Processing
| Subject matter | Hosting, storing, organizing, analyzing, and displaying customer-submitted business data in the Eco-Auditor platform |
| Duration | For the subscription term and a post-termination retention/deletion period as specified in the Terms of Service |
| Purpose | Providing workflow automation, reporting preparation, audit trails, user account administration, support, security, and related SaaS functionality |
| Categories of data subjects | Customer personnel, customer users, vendor/supplier contacts, uploaded-record contacts, and other business contacts contained in customer data |
| Categories of personal data | Name, business email, work phone, job title, account identifiers, support correspondence, uploaded business records that may contain personal data, billing contacts, usage/log data, and similar business-related personal data |
Annex II: Technical and Organizational Security Measures
Developer312 implements the following technical and organizational measures to protect personal data:
Access Control
- Role-based access controls with least-privilege principles
- Multi-factor authentication for administrative access
- Unique user identification and authentication
- Regular access reviews and deprovisioning
Data Encryption
- TLS 1.2+ for all data in transit
- AES-256 encryption for data at rest
- Encrypted backups and secure key management
Infrastructure Security
- Environment segregation (production, staging, development)
- Network segmentation and firewall controls
- Vulnerability management and security patching
- Regular security assessments and penetration testing
Operational Security
- Logging and monitoring of system access and events
- Incident response procedures with defined escalation paths
- Employee confidentiality obligations and security training
- Secure deletion procedures for data no longer required
Business Continuity
- Regular backup and recovery procedures
- Disaster recovery plans with tested restore capabilities
- Redundant infrastructure components for availability
Subprocessor Management
- Written data processing agreements with all subprocessors
- Ongoing review of subprocessor security practices
- Notification procedures for subprocessor changes
This is a summary of key measures. Detailed security documentation is available upon request under NDA. Developer312 does not overclaim certifications or controls not currently in place.
Annex III: List of Subprocessors
The following subprocessors are authorized to process personal data on behalf of the Customer:
| Subprocessor | Purpose | Location |
|---|---|---|
| Cloud hosting provider | Application hosting, data storage, compute | United States |
| Stripe, Inc. | Payment processing and billing | United States |
| Analytics provider | Service-level monitoring and aggregated usage analytics | United States |
| Email/communications provider | Transactional and notification email delivery | United States |
| Customer support platform | Support ticket management and communications | United States |
Developer312 will notify the Customer of changes to this subprocessor list in accordance with Section 8 of this DPA. A current list is available upon request.
Annex IV: International Data Transfers and SCC Information
Where personal data is transferred outside the EEA/UK/Switzerland, the following applies:
SCC Module Applicability
Module Two (Controller to Processor) applies where the Customer acts as Controller. Module Three (Processor to Processor) applies where Developer312 engages subprocessors.
Transfer Mechanism
The European Commission's Standard Contractual Clauses (Decision 2021/914) serve as the primary transfer mechanism. For UK transfers, the UK Addendum to the EU SCCs applies.
Supplementary Measures
Encryption in transit and at rest, access controls, and the security measures described in Annex II serve as supplementary technical measures to support the adequacy of the transfer.
Specific SCC annex details, including data exporter/importer information, competent supervisory authority, and governing law selections, shall be completed upon execution. This DPA does not constitute a signed SCC agreement until countersigned by both parties.