For GDPR and CCPA Compliance:

Roles and Responsibilities:
  Data Controller: Our clients (for their customer data)
  Data Processor: MaxusB2B (processing on client's behalf)
  Joint Controllers: Where applicable, with clear arrangement

Processing Instructions:
  We process data only per documented client instructions
  No processing for our own purposes without authorization
  Immediate notification if instruction violates data protection laws

Security Measures:
  Technical: Encryption, access controls, intrusion detection
  Organizational: Policies, training, confidentiality agreements
  Physical: Data center security, access logs
  Assessment: Regular risk assessments and audits

Sub-processing:
  Approved Sub-processors: Listed in Annex 1
  Notification: 30 days for new sub-processors
  Objection Right: Clients may object with reasonable grounds
  Liability: We remain liable for sub-processor actions

Data Subject Rights:
  Assistance: We assist clients in fulfilling data subject requests
  Response Time: Within regulatory timeframes
  Costs: Reasonable costs may apply for extensive requests

Breach Notification:
  Immediate Notification: Within 24 hours of awareness
  Details Provided: Nature, categories, approximate numbers
  Cooperation: Full cooperation in breach investigation
  Documentation: All breaches documented

Data Transfers:
  EU-US Transfers: Standard Contractual Clauses implemented
  Adequacy Decisions: Following EU Commission decisions
  Supplementary Measures: Additional safeguards where needed

Audit Rights:
  Annual Audit: Independent third-party audit reports available
  Client Audits: With reasonable notice and confidentiality
  Costs: Client bears costs unless deficiency found

Return or Deletion:
  End of Service: Data returned or deleted at client's choice
  Timeframe: Within 30 days of service termination
  Retention Permitted: Only where legally required