Data Processing Agreement (DPA)

Last updated: July 6, 2026

This Data Processing Agreement ("DPA") forms part of the Terms & Conditions and is entered into by and between Taproot Commerce LLC ("Processor", "we", "us"), operating as CompliWorx, and the customer entity that subscribes to the Service ("Customer", "Controller", "you"). This DPA reflects the parties' agreement with respect to the Processing of Personal Data.

1. Definitions

2. Roles and scope

Customer is the Controller of Personal Data submitted to the Service. Taproot Commerce LLC is the Processor, acting on Customer's written instructions as set forth in the Terms & Conditions and this DPA.

The scope, duration, nature, and purpose of Processing, the types of Personal Data, and the categories of data subjects are as described in the Terms & Conditions and the Privacy Notice.

3. Customer instructions

The Processor shall Process Personal Data only on the Customer's documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. The Customer warrants that its instructions comply with applicable data protection law.

4. Processor obligations

The Processor shall:

5. Sub-processors

The Customer provides general written authorization for the Processor to engage sub-processors, subject to the Processor's obligations to:

Current sub-processors include:

The Processor shall provide the Customer with notice of intended changes concerning the addition or replacement of sub-processors, giving the Customer the opportunity to object.

6. Security measures

The Processor maintains the following technical and organizational measures:

7. Data subject rights

The Processor shall assist the Customer, where technically and reasonably possible, in fulfilling Customer's obligations to respond to data subject requests regarding access, rectification, erasure, portability, restriction, and objection.

8. Personal data breach

The Processor shall notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. Notification shall include:

The Processor shall take reasonable steps to investigate, contain, and remediate the breach, and shall provide the Customer with reasonable cooperation and information.

9. Data transfers

To the extent that Processing of Personal Data involves a transfer to a third country (outside the EEA, UK, or Switzerland), the parties agree to the Standard Contractual Clauses (SCCs) as approved by the European Commission, which are incorporated by reference.

10. Audit rights

The Processor shall make available to the Customer, upon reasonable notice and not more than once per year, information necessary to demonstrate compliance with this DPA. Audits may be conducted by the Customer or an independent auditor, subject to confidentiality obligations and reasonable scheduling.

11. Deletion or return of data

Upon termination of the Service, the Processor shall, at the Customer's choice, delete or return Personal Data to the Customer, and delete existing copies, unless applicable law requires storage of the Personal Data.

12. Contact

For any questions about this DPA or to exercise your rights, contact us at admin@compliworx.com.

See also our Privacy Notice and Terms & Conditions.