Data Processing Addendum (DPA)

Last updated: April 6, 2026. This addendum is a template for enterprise relationships where 1st Choice Holdings (“1CH,” “we,” “us”) processes personal data on behalf of a customer or partner (“Customer,” “you”) who determines the purposes and means of that processing for covered services. It is posted for transparency and negotiation; it does not by itself form a contract until executed as part of a signed agreement.

Read this together with our Privacy Policy, Terms of Use, and your master agreement, order form, or statement of work. If those signed documents conflict with this template, the signed documents control.

1. Purpose and incorporation

This DPA supplements any agreement under which 1CH provides services that involve processing personal data on Customer's instructions. It reflects roles under applicable data protection law: Customer is generally the controller (or equivalent) for Customer business data and end-user content Customer directs us to process; 1CH acts as processor (or equivalent service provider) solely to provide the services described in the agreement.

2. Definitions

“Personal data,” “processing,” “controller,” “processor,” and similar terms carry the meanings under applicable law (including, where relevant, the EU GDPR, UK GDPR, and U.S. state privacy laws). “Services” means the 1CH offerings described in the applicable agreement. “Subprocessor” means a third party engaged by 1CH to process personal data in support of the Services.

3. Processing instructions

1CH will process personal data only on documented instructions from Customer—including the agreement, applicable statements of work, and reasonable configuration choices Customer makes in product interfaces—unless storage is required by law (in which case 1CH will, where legally permitted, inform Customer before responding).

Customer is responsible for the lawfulness of instructions, notices, and consents toward data subjects whose personal data Customer submits to the Services.

4. Confidentiality and personnel

1CH will ensure that personnel authorized to process personal data are bound by appropriate confidentiality obligations and access personal data only as needed to perform the Services.

5. Security

1CH will implement technical and organizational measures appropriate to the risk, taking into account the state of the art, implementation cost, and nature of processing. Measures may include access controls, encryption in transit where standard for the service, logging and monitoring, vulnerability management, and vendor diligence for material subprocessors. Details may be further described in security documentation or questionnaires exchanged during procurement.

6. Subprocessors

Customer authorizes 1CH to engage subprocessors to support the Services, subject to substantially similar written obligations as this DPA. 1CH will make available a current list of material categories or named subprocessors (for example hosting, email delivery, authentication, observability) as agreed in the order process. Where contractually required, 1CH will provide notice of changes and a reasonable objection process for new subprocessors that materially expand risk.

7. Data subject requests

Where applicable law requires 1CH to respond to individuals exercising privacy rights, 1CH will assist Customer by forwarding verifiable requests related to Customer data or, where agreed, providing tooling for Customer to respond. Customer will handle requests that must be answered solely from Customer-controlled systems of record unless otherwise allocated in writing.

8. Breach notification

If 1CH becomes aware of a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data processed for Customer, 1CH will notify Customer without undue delay and provide information reasonably necessary for Customer to meet regulatory obligations, consistent with law enforcement constraints and the integrity of the investigation.

9. Deletion and return

At the end of the Services (or on Customer's written request where contractually required), 1CH will delete or return personal data processed on Customer's behalf, except where longer retention is required by law or where backup systems require a commercially reasonable period to overwrite, during which data will remain isolated from active processing.

10. International transfers

Where personal data originating in restricted jurisdictions is transferred internationally, the parties will rely on mechanisms required by applicable law (for example standard contractual clauses or approved transfer frameworks) as referenced in the agreement or an annex executed with it.

11. Audits and demonstrations

On reasonable written request, 1CH will make available information necessary to demonstrate compliance with this DPA, including summaries of third-party audits or certifications where available. Intrusive on-site audits may be subject to mutual scheduling, confidentiality, and frequency limits so as not to compromise security of multi-tenant environments.

12. Liability

Liability caps, exclusions, and remedies for breach of this DPA follow the governing agreement unless mandatory law requires otherwise.

13. Contact

For privacy or security questions related to a contemplated or active enterprise agreement:

1st Choice Holdings — contact

For questions about these policies and your use of our websites and services.

Email: info@1stchoiceholdings.com

Phone: +1-800-504-5699
