Definitions
"Controller" means the entity that determines the purposes and means of the processing of Personal Data. Under this DPA, the Customer is the Controller.
"Processor" means the entity that processes Personal Data on behalf of the Controller. Under this DPA, IFO4 acts as the Processor.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined under GDPR Article 4(1).
"Sub-processor" means any third party engaged by IFO4 to process Personal Data on behalf of the Customer.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
Scope of Processing
This DPA applies to all Personal Data processed by IFO4 on behalf of the Customer in connection with the IFO4 platform services, including certification management, learning management, examination services, and community features.
IFO4 shall process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by applicable law.
Categories of data subjects include Customer employees, contractors, and authorized users of the IFO4 platform. Categories of Personal Data include names, email addresses, professional credentials, course completion records, and examination results.
Data Processing Instructions
IFO4 shall process Personal Data only to the extent necessary to provide the services described in the applicable service agreement, and in accordance with the documented instructions of the Customer.
IFO4 shall immediately inform the Customer if, in its opinion, an instruction infringes applicable data protection law. IFO4 shall not process Personal Data for any purpose other than as instructed by the Customer.
IFO4 shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Sub-processors
IFO4 shall not engage another processor (sub-processor) without prior specific or general written authorization of the Customer. In the case of general written authorization, IFO4 shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors.
Current sub-processors include: Google Cloud Platform (infrastructure hosting, US), Stripe (payment processing, US), Resend (transactional email, US), Vercel (application hosting, US). An up-to-date list is maintained at ifo4.org/privacy-center.
Where IFO4 engages a sub-processor, it shall impose the same data protection obligations as set out in this DPA by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures.
Security Measures
IFO4 shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including: encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256), regular testing and evaluation of security measures, access controls with role-based permissions, and audit logging of all data access.
Additional measures include: multi-factor authentication for administrative access, regular security assessments and penetration testing, incident response procedures with defined escalation paths, and employee security awareness training.
IFO4 maintains SOC 2 Type II compliance and undergoes annual third-party security audits.
Data Subject Rights
IFO4 shall assist the Customer in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under GDPR Chapter III (Articles 15 through 22), including: right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, and right to object.
IFO4 shall promptly notify the Customer upon receiving a request from a Data Subject and shall not respond to such request directly unless authorized by the Customer.
IFO4 provides self-service data subject request tools at ifo4.org/privacy-center/request.
Breach Notification
IFO4 shall notify the Customer without undue delay after becoming aware of a Personal Data breach. The notification shall, at minimum, describe the nature of the breach, the categories and approximate number of Data Subjects concerned, the likely consequences of the breach, and the measures taken or proposed to address the breach.
IFO4 commits to notifying the Customer within 72 hours of becoming aware of a confirmed breach, in compliance with GDPR Article 33.
IFO4 shall cooperate with and assist the Customer in complying with its obligations under GDPR Articles 33 and 34 regarding breach notification to supervisory authorities and Data Subjects.
Data Transfers
Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). Where such transfers occur, IFO4 shall ensure that appropriate safeguards are in place as required by GDPR Chapter V.
Safeguards for international data transfers include: Standard Contractual Clauses (SCCs) as approved by the European Commission, adequacy decisions where applicable, and data processing agreements with all sub-processors that include equivalent transfer safeguards.
IFO4's primary infrastructure is hosted on Google Cloud Platform in the United States. The EU-US Data Privacy Framework provides the legal basis for transatlantic data transfers where applicable.
Term and Termination
This DPA shall remain in effect for the duration of the service agreement between the Customer and IFO4, and shall continue to apply for as long as IFO4 processes Personal Data on behalf of the Customer.
Upon termination of the service agreement, IFO4 shall, at the choice of the Customer, delete or return all Personal Data to the Customer and delete existing copies unless applicable law requires storage of the Personal Data.
IFO4 shall provide the Customer with a written certification of data deletion upon request, unless retention is required by applicable law.
Execute a DPA with IFO4
Enterprise customers can request a signed Data Processing Agreement. Contact our legal team to begin the process.