Product: 1sixty8 Manifold
Operator: 1sixty8 media, inc., a Pennsylvania S corporation
Version: 1.0
Effective Date: [DATE OF ADOPTION]
Last Updated: [DATE OF ADOPTION]
Status: DRAFT for attorney review. This document was drafted by the founder with AI assistance. It is not legal advice. Do not publish or rely on any portion of this text until it has been reviewed and approved by counsel admitted to practice in Pennsylvania and familiar with U.S. SaaS data-processing contracting and U.S. state privacy laws.
This Data Processing Addendum (the "DPA") supplements and forms part of the Terms of Service (the "Terms") between 1sixty8 media, inc. ("1sixty8 media," "Processor," "we," or "us") and Customer ("Controller" or "Customer"). This DPA becomes effective as of the date Customer accepts the Terms (or the date Customer begins using the Service, if earlier), and no separate signature is required for this DPA to be binding. Customer may request a countersigned copy for its internal records, which we will provide on reasonable request.
Capitalized terms not defined in this DPA have the meanings given in the Terms or the Privacy Policy, as applicable.
Within the scope of its subject matter, this DPA governs any conflict with the Terms. Outside that scope, the Terms continue to govern.
2.1 Scope. This DPA governs the Processing of Personal Information by Processor on behalf of Customer in connection with Customer's use of the Service.
2.2 Definitions.
3.1 Customer as controller / business. As between the parties, Customer is the controller, business, or similar role (as defined under Applicable Privacy Laws) of Customer Personal Information. Customer determines the purposes and means of Processing.
3.2 Processor as processor / service provider. As between the parties, Processor is the processor, service provider, or similar role (as defined under Applicable Privacy Laws) of Customer Personal Information. Processor Processes Customer Personal Information only on Customer's documented instructions. Those instructions consist of Customer's acceptance of the Terms, this DPA, the Privacy Policy, and the Acceptable Use Policy, together with Customer's use of the Service and any additional written instructions Customer provides to us.
3.3 Processor's limitations. We will not:
(a) sell or share Customer Personal Information (as those terms are defined under Applicable Privacy Laws), and we have not sold or shared Customer Personal Information in the preceding twelve months;
(b) retain, use, or disclose Customer Personal Information for any purpose other than the specific purposes set out in this DPA and the Privacy Policy, including for a commercial purpose outside of providing and improving the Service;
(c) retain, use, or disclose Customer Personal Information outside of the direct business relationship between Customer and Processor;
(d) combine Customer Personal Information with Personal Information received from any other source, except as expressly permitted under Applicable Privacy Laws and solely to provide the Service;
(e) use Customer Personal Information for targeted advertising, cross-context behavioral advertising, or profiling that produces legal or similarly significant effects;
(f) use Customer Personal Information to train, fine-tune, or improve artificial intelligence or machine-learning models, unless Customer has affirmatively enrolled in a specific opt-in program offered by us; or
(g) disclose Customer Personal Information to any third party except as expressly permitted under this DPA or the Privacy Policy, or with Customer's prior instruction.
3.4 Aggregated and Deidentified Data. Processor may create and retain aggregated and deidentified data derived from Customer Personal Information, provided that such data does not identify any individual, Customer, or any of Customer's end-customers, and Processor does not attempt to re-identify such data.
This DPA applies to Processing carried out during the term of the Terms. Processor's obligations under Sections 9 (Breach Notification) and 11 (Return and Deletion) survive termination of the Terms to the extent described in those sections and in Section 13.2.
5.1 Processing on documented instructions. Processor will Process Customer Personal Information only on the documented instructions of Customer. If Processor is required by applicable law to Process Customer Personal Information other than on Customer's instructions, Processor will notify Customer of the legal requirement before Processing unless the relevant law prohibits notice on grounds of important public interest.
5.2 Confidentiality. Processor will ensure that personnel authorized to Process Customer Personal Information are bound by appropriate confidentiality obligations and receive training on their data-handling responsibilities. Access to Customer Personal Information is limited to personnel with a genuine need to know for the purpose of providing the Service.
5.3 Security. Processor will implement and maintain appropriate technical and organizational measures to protect Customer Personal Information against unauthorized or unlawful Processing and against accidental loss, destruction, damage, or alteration. Those measures are described in Annex 2 (Technical and Organizational Measures).
6.1 General authorization. Customer grants Processor general authorization to engage Sub-Processors to Process Customer Personal Information. A current list of Sub-Processors is maintained at https://shop.1sixty8.com/legal/subprocessors.
6.2 Sub-Processor obligations. Processor will impose on each Sub-Processor, by written contract, data-protection obligations that are substantially similar to those in this DPA, to the extent applicable to the nature of the Sub-Processor's Processing.
6.3 Sub-Processor changes. Processor will provide Customer with at least thirty (30) days' advance notice before engaging a new Sub-Processor or materially changing an existing Sub-Processor's role. Notice may be provided by email to Customer's account email, by in-app notification, or by updating the published Sub-Processor list with a dated changelog entry. During the notice period, if Customer reasonably objects to the new or materially changed Sub-Processor on documented data-protection grounds, Customer may terminate the affected subscription under the termination provisions of the Terms and receive a pro-rata refund of prepaid fees for the unused portion of the subscription term.
6.4 Liability for Sub-Processors. Processor remains liable to Customer for the acts and omissions of each Sub-Processor with respect to Customer Personal Information, to the same extent Processor would be liable if performing those acts directly.
Customer Personal Information is stored and Processed in the United States. Processor does not currently transfer Customer Personal Information to any country outside the United States. A Sub-Processor's edge network (for example, content-delivery or anti-DDoS infrastructure) may route encrypted traffic through nodes outside the United States; other than that transient transmission, no Processing of Customer Personal Information (including storage) occurs outside the United States. If Processor later engages a Sub-Processor that Processes Customer Personal Information outside the United States, Section 6.3 applies and Processor will implement appropriate safeguards consistent with Applicable Privacy Laws.
8.1 Customer responsibility. As controller, Customer is responsible for responding to requests from individuals exercising rights under Applicable Privacy Laws (including rights to access, delete, correct, port, or opt out of certain uses of their Personal Information).
8.2 Processor assistance. Taking into account the nature of the Processing and the information available to us, Processor will provide reasonable assistance to Customer in responding to individual rights requests, including through the self-service tools available within the Service (export, deletion, correction, and communications-preference tooling). Customer is primarily responsible for executing responses using those tools.
8.3 Requests received directly by Processor (Group B). If an individual whose Personal Information is processed on behalf of Customer (a Group B individual, as defined in the Privacy Policy) contacts Processor directly with a rights request, Processor will forward the request to Customer, inform the individual that the request has been forwarded, and direct the individual to Customer as the appropriate contact. Processor will not act directly on such a request without Customer's instruction, except where required by applicable law.
8.4 Timing. Processor will provide assistance under this Section 8 in a timeframe reasonably sufficient to allow Customer to meet its response deadlines under Applicable Privacy Laws.
9.1 Timing. Without undue delay, and in any event no later than seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Customer Personal Information, Processor will notify Customer in writing.
9.2 Content of notice. The notice will include, to the extent then known:
(a) a description of the nature of the Personal Data Breach, including the categories and approximate number of affected individuals and records;
(b) the likely consequences of the Personal Data Breach;
(c) measures taken or proposed to address the Personal Data Breach, including measures to mitigate adverse effects; and
(d) the name and contact information of the person at Processor from whom additional information can be obtained.
If all information is not available at the time of the initial notice, Processor will provide further information as it becomes available.
9.3 Customer's notification obligations. Customer is responsible for any notifications required to be provided to regulators or affected individuals under Applicable Privacy Laws. Processor will provide reasonable assistance in preparing such notifications.
10.1 Information on request. On reasonable prior written request from Customer, and no more than once per twelve-month period (absent a documented Personal Data Breach affecting Customer Personal Information), Processor will provide Customer with reasonable information and documentation necessary to demonstrate Processor's compliance with this DPA, including summary descriptions of Processor's technical and organizational measures, relevant policies, and, if and when available, independent audit or assessment reports (such as SOC 2 or ISO 27001 reports).
10.2 No on-site audits. Customer's audit rights under this DPA are satisfied in full by the information-on-request mechanism in Section 10.1. Processor does not grant Customer or its representatives a right to conduct on-site audits of Processor's premises, infrastructure, or operations. If Applicable Privacy Laws or a particular Customer's regulatory obligation later require on-site audit rights, the parties will negotiate in good faith an appropriate supplement to this DPA; nothing in this Section 10.2 overrides a mandatory requirement of Applicable Privacy Law.
10.3 Confidentiality. Information provided under this Section 10 is Confidential Information of Processor and is subject to the confidentiality obligations in the Terms.
On termination of the Terms, Processor will handle Customer Personal Information in accordance with the Privacy Policy's data retention and deletion commitments, which as of the Effective Date provide:
(a) a thirty (30) day export grace period during which Customer may export Customer Personal Information using the Service's tools;
(b) deletion of Customer Personal Information from Processor's production systems within sixty (60) days of the termination date, subject to the backup purge timeline in (c);
(c) purging of Customer Personal Information from backup systems within thirty (30) days after deletion from production systems; and
(d) retention, where strictly necessary, of minimum records to comply with legal, tax, accounting, or dispute-resolution obligations (including, for example, anonymized billing records), consistent with the Privacy Policy.
Each party's liability under or in connection with this DPA is subject to, and does not increase, the Limitation of Liability in the Terms. Customer's indemnification obligations to Processor under the Terms expressly survive the Processing of Customer Personal Information under this DPA.
13.1 Governing law. This DPA is governed by the laws of the Commonwealth of Pennsylvania, consistent with the Terms.
13.2 Term. This DPA is effective from the date Customer accepts the Terms and remains in effect for the duration of the Terms. Sections 9 (Breach Notification, with respect to Personal Data Breaches discovered after termination that involve Customer Personal Information Processed before termination), 11 (Return and Deletion), 12 (Liability), and 13 (Governing Law; Term; General) survive termination.
13.3 Precedence. If any provision of this DPA conflicts with the Terms, the AUP, or the Privacy Policy with respect to Processing of Customer Personal Information, this DPA governs within that scope.
13.4 Changes. Processor may update this DPA from time to time by posting an updated version at https://shop.1sixty8.com/legal/dpa and updating the effective date. Material changes that reduce Processor's commitments or that expand the purposes for which Customer Personal Information may be Processed require the same thirty (30) day advance written notice and re-acceptance mechanisms used for the Terms. Other updates are effective on posting.
Notices and inquiries under this DPA should be sent to legal@1sixty8.com with a copy to privacy@1sixty8.com. Postal correspondence may be addressed to:
1sixty8 media, inc.
Attn: Legal (Data Processing)
273 Smith Road
Kunkletown, PA 18058
Subject matter of Processing. Provision of the 1sixty8 Manifold software-as-a-service platform to Customer.
Nature of Processing. Hosting, storage, retrieval, transmission, display, modification, backup, and deletion of Customer Personal Information as directed by Customer through Customer's use of the Service.
Purpose of Processing. To deliver the Service to Customer and to meet the operational purposes described in the Privacy Policy (security and fraud prevention, diagnostics, aggregate metrics, product telemetry at the tenant level, and compliance with applicable law).
Duration of Processing. For the duration of the Terms, subject to the retention and deletion commitments in Section 11.
Categories of data subjects.
Categories of Personal Information. As described in Section 3 of the Privacy Policy, which is incorporated into this Annex by reference. High-level categories include:
Special categories of Personal Information. The Service is not intended for the processing of special-category Personal Information (for example, health information, biometric data, or data revealing racial or ethnic origin). Customer is responsible for not submitting such information to the Service, other than incidental occurrences that may arise in free-text notes fields.
Processor maintains the following categories of technical and organizational measures to protect Customer Personal Information. The specific implementations within each category may evolve over time as the industry and the Service evolve; Processor commits to maintaining measures at or above the standard described for each category.
Access control. Role-based access control with granular per-user permissions. Authentication tokens and session cookies are scoped to individual users. Administrator-level functions are gated by elevated permissions. Fast-switch access on trusted terminals is secured by individual hashed personal identification numbers.
Authentication. User passwords are stored only as cryptographic hashes produced by a modern password-hashing algorithm; plaintext passwords are never stored. Personal identification numbers are stored in hashed form. Bot-mitigation measures are deployed on authentication-related endpoints.
Encryption in transit. All Customer-facing traffic to and from the Service is encrypted in transit using industry-standard Transport Layer Security. Traffic between the edge network and the origin server is similarly encrypted.
Encryption at rest for sensitive tokens. Sensitive access tokens stored by the Service (for example, OAuth refresh tokens for third-party integrations) are encrypted at rest using an authenticated-encryption algorithm.
Audit logging. The Service maintains a security audit log covering authentication events, permission changes, administrator-level actions, and access to sensitive resources. Audit logs are retained for at least twelve (12) months.
Backups. The production database is backed up on a daily basis. Backups are retained for a period consistent with the Privacy Policy's retention commitments and subject to the deletion timeline in Section 11.
Network security. The Service is deployed behind a reputable edge-network provider that offers denial-of-service mitigation, rate-limiting, and web-application firewall capabilities. The origin server runs on a hardened managed-hosting environment.
Sub-Processor management. Processor maintains a current list of Sub-Processors and provides advance notice of material changes consistent with Section 6.3.
Personnel. Personnel with access to Customer Personal Information are bound by written confidentiality and intellectual-property obligations. Access is granted on a need-to-know basis for the purposes of operating and supporting the Service.
Physical security. Processor does not operate its own data center. Physical security controls for the underlying infrastructure are provided by Processor's hosting provider and the hosting provider's upstream data-center operator, both of which maintain industry-standard certifications.
Change management. Changes to the Service are developed in isolated branches, reviewed, and deployed through an automated deployment mechanism. Non-production test environments are used to validate changes before they reach production.
Incident response. Processor maintains an incident-response process for identifying, assessing, and responding to suspected security incidents, including the breach-notification commitments in Section 9.
Vendor management. Processor evaluates new Third-Party Services and Sub-Processors for data-protection posture before integration.
Processor may update the specific implementations in this Annex from time to time as the Service evolves, provided that any update does not materially reduce the overall level of protection afforded to Customer Personal Information. Material reductions are subject to the change-notice mechanism in Section 13.4.
| Version | Date | Summary of Change |
|---|---|---|
| 1.0 | [DATE] | Initial DPA published as placeholder pending attorney review. |