Data Processing Addendum
This Data Processing Addendum governs the processing of personal data required to deliver the August platform services provided by Credicle Corporation.
1. ROLES AND RESPONSIBILITIES
1.1 You are the Data Controller, and August is the Data Processor, processing DPA Data on Your behalf.
1.2 August processes customer data for providing or maintaining the Service and in accordance with the Instructions.
1.3 This addendum governs processing of personal data required to provide services under the Platform Agreement. Categories of personal data, data subjects, and processing duration are tied to the service agreement term.
2. PROCESSING REQUIREMENTS
As a Data Processor, August commits to:
2.1 Process data only as needed for service performance and in accordance with documented Instructions.
2.2 Promptly notify customers of any inability to comply with DPA requirements.
2.3 Inform customers when instructions may violate data protection law.
2.4 Ensure staff handling data maintain appropriate confidentiality obligations.
3. SUBPROCESSOR MANAGEMENT
3.1 August maintains a Subprocessor List at august.law/legal/subprocessors.
3.2 Notification: August provides 30-day advance notice before adding new subprocessors.
3.3 Objection Rights: Customers may object within 15 days on reasonable grounds.
3.4 Resolution Options: August may offer alternatives, take corrective steps, limit features, or allow customers to stop using affected services.
3.5 Liability: August will remain fully liable to You for the performance of each Subprocessor regarding data protection obligations.
4. CUSTOMER NOTIFICATION OBLIGATIONS
August notifies customers regarding:
4.1 Law enforcement disclosure requests (with best-effort waiver requests if legally prohibited from notifying customer).
4.2 Supervisory authority investigations.
4.3 Data subject access, correction, erasure, or portability requests (with 30+ day notice provisions where permitted by law).
5. DATA BREACH RESPONSE
5.1 Upon discovering security breaches causing accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to DPA Data, August notifies customers per Security Addendum timelines.
5.2 August provides reasonable support for data subject request responses, data protection impact assessments, and required audits and assessments conducted per Security Addendum procedures.
6. DATA RETENTION AND DELETION
Within 30 days following termination of the Service or upon Your reasonable request, August shall return to You or delete the DPA Data, unless August is required by law to retain DPA Data.
7. US STATE PRIVACY LAW COMPLIANCE
August certifies compliance including obligations to:
7.1 Process data solely for stated purposes.
7.2 Refrain from selling or sharing personal data.
7.3 Maintain privacy protections equivalent to state law requirements.
7.4 Prevent unauthorized reidentification of deidentified data.
7.5 The parties agree to review compliance with new AI-specific legislation and negotiate amendments as needed. Either party may terminate if new regulations make service provision infeasible or unlawful.
Last updated: January 2026