Data Processing Agreement

Last updated: April 11, 2026  ·  Effective: April 11, 2026

This Data Processing Agreement ("DPA") describes how Pallacor, Inc. ("Pallacor," "Processor") processes personal data on behalf of customers ("Customer," "Controller") in connection with the Pallacor loss prevention platform. This DPA supplements and is incorporated into the App Terms of Service.

If you are subject to the CCPA or other applicable data protection laws and require a signed DPA, contact [email protected].


1. Definitions

For the purposes of this DPA:

  • "Controller" means the Customer, who determines the purposes and means of processing personal data.
  • "Processor" means Pallacor, who processes personal data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Customer Data" means all data submitted by or on behalf of the Customer to the Service, including Personal Data of employees and individuals involved in loss prevention cases.
  • "Sub-Processor" means any third party engaged by Pallacor to process Personal Data on the Controller's behalf.

2. Roles & Responsibilities

The Customer acts as the Controller of Personal Data submitted to the Service. Pallacor acts as a Processor, processing that data solely as instructed by the Customer and as necessary to provide and maintain the Service.

Pallacor processes Customer Data only in accordance with the Customer's documented instructions (as reflected in the App Terms of Service and this DPA) and as required by applicable law. Pallacor will inform the Customer if, in its opinion, an instruction violates applicable data protection law.

3. Customer Responsibilities

As the Controller, the Customer is responsible for:

  • Ensuring that Personal Data submitted to the Service has been collected lawfully and that individuals have been informed of its use;
  • Complying with all applicable privacy and data protection laws in the jurisdictions where it operates;
  • Determining the legal basis for processing Personal Data under applicable law;
  • Responding to requests from data subjects exercising their rights (e.g., access, deletion, correction), with Pallacor's reasonable assistance as described in Section 4;
  • Not submitting to the Service categories of Sensitive Personal Data beyond what is necessary for loss prevention operations, as described in Section 5.

4. Pallacor Obligations

Pallacor will:

  • Process Customer Data only as instructed by the Customer and as necessary to provide the Service;
  • Ensure that personnel authorized to process Customer Data are bound by appropriate confidentiality obligations;
  • Implement and maintain the security measures described in Section 7;
  • Notify the Customer of any data subject requests received directly by Pallacor and provide reasonable assistance to the Customer in responding to such requests;
  • Assist the Customer in fulfilling obligations related to data protection impact assessments and prior consultations with supervisory authorities, where required;
  • Not sell, rent, or disclose Customer Data to third parties for their own purposes.

5. Sensitive Personal Data

The Service is not designed to store or process sensitive personal information beyond what is inherent to loss prevention operations (e.g., incident reports involving suspected theft or fraud). This includes but is not limited to racial or ethnic origin, health data, biometric data used for identification, or data concerning criminal convictions.

Customers should limit the Personal Data submitted to the Service to what is necessary and proportionate for legitimate loss prevention purposes. If your use case involves Sensitive Personal Data, contact [email protected] to discuss appropriate handling before submitting such data.

6. CCPA

For purposes of the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), Pallacor acts as a "Service Provider" to the Customer. Pallacor processes Personal Data only for the business purposes specified in the App Terms of Service and this DPA.

Pallacor does not sell or share Personal Data (as those terms are defined under CCPA/CPRA) and does not retain, use, or disclose Personal Data outside the scope of its Service Provider relationship with the Customer.

Pallacor will assist the Customer in responding to verifiable consumer requests (access, deletion, correction, opt-out) that it receives directly, and will cooperate with the Customer's efforts to fulfill such requests.

7. Security Measures

Pallacor implements and maintains appropriate technical and organizational measures to protect Customer Data against unauthorized access, disclosure, alteration, or destruction. These measures include, but are not limited to:

  • Encryption: Customer Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256);
  • Access controls: Role-based access control (RBAC) limits access to Customer Data to authorized personnel on a need-to-know basis;
  • Multi-factor authentication (MFA): Required for all Pallacor employees with access to production systems;
  • Audit logging: Access to Customer Data is logged and monitored for anomalous activity;
  • Infrastructure security: Customer Data is hosted on cloud infrastructure with SOC 2 Type II certification;
  • Vendor management: Sub-processors are evaluated for security practices before engagement and are contractually required to maintain appropriate safeguards.

Pallacor is actively pursuing SOC 2 Type II certification. Current security posture documentation is available upon request by contacting [email protected].

8. Breach Notification

In the event of a confirmed Personal Data breach affecting Customer Data, Pallacor will notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach, to the extent permitted by law.

The notification will include, to the extent known at the time:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records affected;
  • The name and contact details of the data protection point of contact at Pallacor;
  • The likely consequences of the breach;
  • The measures taken or proposed to address the breach and mitigate its effects.

The Customer is responsible for notifying the relevant supervisory authorities and affected individuals as required by applicable law. Pallacor will provide reasonable cooperation and assistance in this process.

9. Sub-Processors

Pallacor engages certain third-party sub-processors to assist in providing the Service. All sub-processors are bound by data processing terms that provide at least the same level of protection as this DPA.

A current list of sub-processors is available at pallacor.com/sub-processors. Pallacor will provide at least 30 days' advance notice of any new sub-processor engagement or material change to existing sub-processors by updating that page.

If you object to the engagement of a new sub-processor, you may notify Pallacor at [email protected] within 30 days of the notice. Pallacor will work in good faith to address the objection. If no reasonable resolution can be found, you may terminate your subscription without penalty.

10. Data Location

Customer Data is stored and processed exclusively within the United States. Pallacor does not transfer Customer Data to servers outside the United States without prior written consent from the Customer.

If your organization requires data residency in a specific region or has cross-border transfer restrictions, contact [email protected] before using the Service.

11. Compliance & Audits

Pallacor will provide reasonable documentation and assistance to help the Customer demonstrate compliance with applicable data protection laws, including responding to audit questionnaires and providing copies of relevant security certifications.

Upon 30 days' written notice, Pallacor will permit the Customer or its authorized representative to conduct a security audit, at the Customer's expense, no more than once per year. Audit scope, timing, and procedures must be agreed upon in advance to minimize disruption to operations. Pallacor may require the auditor to execute a confidentiality agreement before disclosing sensitive system information.

12. Termination & Retention

Upon termination or expiration of the App Terms of Service, Pallacor will retain Customer Data for 90 days, during which the Customer may request an export. After 90 days, Pallacor will securely delete or anonymize Customer Data in accordance with its data retention policies, unless legally required to retain it.

To request a data export before deletion, contact [email protected]. Export requests will be fulfilled within 10 business days in a standard, machine-readable format.