Data Processing Agreement

Last updated: May 16, 2026

This Data Processing Agreement (“DPA”) forms part of the Master Services Agreement (“MSA”) between the Client (“Controller”) and 123 OUTSOURCED, LLC (“Processor”). It governs the processing of personal data on behalf of the Controller and incorporates, where applicable, the European Commission Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by Decision (EU) 2021/914.

1. Definitions

Terms such as “personal data”, “processing”, “controller”, “processor”, “data subject”, “sub-processor”, and “supervisory authority” have the meaning given to them in Regulation (EU) 2016/679 (“GDPR”) and equivalent US state privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA) where applicable.

2. Subject matter & duration

The Processor processes personal data solely to provide the back-office, finance, customer-support and operations services described in the MSA. Processing continues for the term of the MSA and ends on termination, subject to the deletion/return obligations below.

3. Nature & purpose of processing

Processing includes: collection, storage, organisation, retrieval, use, disclosure by transmission, restriction, erasure, and destruction of personal data, strictly to deliver the agreed services and carry out the Controller's documented instructions.

4. Categories of data subjects & personal data

Data subjects: Controller's customers, prospects, employees, contractors, suppliers, and end-users whose data is shared with the Processor for service delivery.

Categories of data: contact details (name, email, phone, address), account identifiers, order & invoice data, support correspondence, payment metadata (no card numbers retained), and any other categories the Controller chooses to upload. No special categories of data are processed unless expressly agreed in writing.

5. Obligations of the Processor

  • Process personal data only on documented instructions from the Controller.
  • Ensure persons authorised to process the data are bound by confidentiality.
  • Implement the technical and organisational measures set out in Annex II.
  • Assist the Controller with data subject rights requests and DPIAs.
  • Notify the Controller of a personal data breach without undue delay, and in any event within 72 hours of becoming aware.
  • Make available all information necessary to demonstrate compliance and submit to audits on reasonable notice.

6. Sub-processors

The Controller grants the Processor general authorisation to engage the sub-processors listed in Annex III. The Processor will give 30 days' notice of any intended addition or replacement, during which the Controller may reasonably object.

7. International transfers

Where personal data of EU/EEA, UK or Swiss data subjects is transferred outside its jurisdiction, the parties incorporate the EU Standard Contractual Clauses (Module 2, Decision (EU) 2021/914) and, for UK transfers, the UK International Data Transfer Addendum issued by the ICO. Annex I to the SCCs is populated by Annexes I and III below.

8. Return or deletion of data

On termination of the MSA, the Processor will, at the Controller's choice, return or delete all personal data within 30 days, unless retention is required by applicable law (e.g. US tax/accounting record-keeping under the IRC and Texas Business & Commerce Code).

9. Liability

Liability under this DPA is subject to the limitations and exclusions set out in the MSA, except where mandatory law (including Article 82 GDPR) provides otherwise.

Annex I — Processing details

Controller: as identified in the signed MSA / order form.
Processor: 123 OUTSOURCED, LLC, 17350 State Hwy 249, Suite 220 #24587, Houston, TX 77064, USA.
Competent supervisory authority (where SCCs apply): the supervisory authority of the Controller's Member State of establishment, or — for non-EU controllers offering goods or services in the EU — the supervisory authority of the appointed Art. 27 representative.

Annex II — Technical & organisational measures

  • TLS 1.2+ for data in transit; AES-256 encryption at rest for primary stores.
  • Least-privilege access; SSO + MFA enforced for all operator accounts.
  • Per-client data segregation with row-level security on the application database.
  • Audit logs of admin actions, retained for at least 12 months.
  • Daily encrypted backups; documented restore procedure tested quarterly.
  • Background checks and confidentiality agreements for all operators.
  • Documented incident response plan; breach notification within 72 hours.
  • Annual review of security controls; pen-test on material releases.

Annex III — Authorised sub-processors

The current list of authorised sub-processors (including hosting, email, payments and CRM providers) is available on request from privacy@123outsourced.com. The list is updated whenever a sub-processor is added or replaced.

Signing this DPA

To execute this DPA against your active MSA, email legal@123outsourced.com with your legal entity name, registered address, and signatory. We will return a counter-signed PDF within two business days.