Data Processing Agreement (DPA)

Golden Tech Solutions LLC · GoldenIris · Last Updated: May 2026

This Data Processing Agreement (“DPA”) is incorporated into and forms part of the Terms of Service between you (“Company” or “Controller”) and Golden Tech Solutions LLC (“GoldenIris” or “Processor”), and governs the processing of personal data by GoldenIris on behalf of the Company in connection with the GoldenIris platform.

This DPA applies when the processing of personal data is subject to applicable data protection laws, including the General Data Protection Regulation (GDPR), the UK GDPR, or similar laws in other jurisdictions.

For enterprise customers requiring a signed, countersigned DPA, contact legal@goldeniris.ai to request a bilateral agreement.

1. Definitions

  • Controller: The entity (you, the customer) that determines the purposes and means of processing personal data.
  • Processor: Golden Tech Solutions LLC, which processes personal data on behalf of the Controller.
  • Data Subject: An identified or identifiable natural person whose personal data is processed.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
  • Sub-Processor: Any third party engaged by GoldenIris to process personal data.

2. Roles and Responsibilities

Controller Role

You are the Controller for personal data you submit to GoldenIris, including personal data about your team members, end users, customers, or any individuals referenced in your content or brand profiles. You are responsible for ensuring your processing instructions to GoldenIris comply with applicable law, including obtaining any required consents from data subjects.

Processor Role

GoldenIris acts as a Processor when it processes personal data on your behalf to provide the platform services. GoldenIris will process personal data only in accordance with your documented instructions as expressed through your use of the platform and configuration settings, unless required to do otherwise by applicable law.


3. Data Processing Scope

Subject Matter

Processing performed by GoldenIris on behalf of the Controller in connection with the GoldenIris platform.

Duration

Processing continues for the duration of the subscription and for 30 days following termination, after which personal data is deleted.

Nature and Purpose

GoldenIris processes personal data to provide platform features including content creation, brand management, AI-assisted generation, content publishing, and related analytics. Processing is performed on Azure infrastructure in the East US region.

Types of Personal Data Processed

Data Category | Examples
User account data | Name, email address, job title, login credentials
Content data | Brand profiles, voice profiles, drafts, published content, ICP data
Usage analytics | Feature usage logs, session data, IP address (anonymized)
Team member data | Names and emails of users added to a brand workspace

Categories of Data Subjects

Account holders, team members, and (indirectly) individuals referenced in customer-created content.


4. Processor Obligations

GoldenIris shall:

  • Process personal data only on documented instructions from the Controller, including as set out in the Terms of Service and this DPA.
  • Ensure that persons authorized to process personal data are bound by appropriate confidentiality obligations.
  • Implement and maintain appropriate technical and organizational security measures as described in Section 5.
  • Not engage sub-processors without prior notice to the Controller and an opportunity to object, except as provided in Section 6.
  • Assist the Controller in fulfilling data subject rights requests as described in Section 7.
  • Notify the Controller of personal data breaches without undue delay and in any event within 72 hours of becoming aware.
  • Delete or return personal data upon termination as described in Section 9.
  • Provide reasonable cooperation to assist the Controller with data protection impact assessments and compliance obligations.

5. Security Measures

GoldenIris implements the following technical and organizational security measures:

Technical Measures

  • Encryption of all personal data at rest using AES-256
  • Encryption of all data in transit using TLS 1.2 or higher
  • Role-based access controls with least-privilege principles
  • Multi-factor authentication for administrative and privileged access
  • Regular automated vulnerability scanning and patch management
  • Azure Security Center monitoring and anomaly detection
  • Network segmentation and firewall protection

Organizational Measures

  • Employee security training and data handling policies
  • Access reviews and privilege de-provisioning processes
  • Incident response and breach notification procedures
  • Vendor security assessments for sub-processors

6. Sub-Processors

The Controller provides general authorization for GoldenIris to engage sub-processors listed at goldeniris.ai/sub-processors. GoldenIris will update that page and provide 30 days’ notice before adding new sub-processors that process personal data. The Controller may object to new sub-processors by notifying legal@goldeniris.ai within 30 days. If the parties cannot resolve the objection, the Controller may terminate its subscription.

GoldenIris ensures that all sub-processors are bound by data protection obligations no less protective than this DPA.


7. Data Subject Rights

GoldenIris will assist the Controller in fulfilling data subject rights requests (access, rectification, erasure, restriction, portability, and objection) within 30 days. Account holders may exercise many of these rights directly through the GoldenIris platform. For requests that require manual action by GoldenIris, the Controller should submit requests to legal@goldeniris.ai.


8. Breach Notification

In the event of a confirmed personal data breach affecting data processed under this DPA, GoldenIris will:

  • Notify the Controller without undue delay and within 72 hours of becoming aware of the breach.
  • Provide a description of the nature of the breach, approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
  • Cooperate fully with the Controller’s investigation and remediation efforts.

Breach notifications should be sent to the primary account email address. Controllers are responsible for notifying relevant supervisory authorities and data subjects as required by applicable law.


9. Data Retention and Deletion

Upon expiration or termination of the subscription, GoldenIris will retain personal data for 30 days during which the Controller may export their data. After 30 days, GoldenIris will permanently delete personal data from active systems. Residual copies in backup systems will be overwritten within 90 days following the standard backup rotation schedule.

Billing records and transaction logs required for legal and tax purposes may be retained for up to 7 years, with access restricted to authorized personnel.


10. International Data Transfers

GoldenIris processes and stores data in the United States (Azure East US). For customers subject to GDPR or UK GDPR transferring personal data from the EU/EEA or UK, GoldenIris relies on Standard Contractual Clauses (SCCs) as the data transfer mechanism. Customers requiring executed SCC documentation should contact legal@goldeniris.ai.


11. Governing Law

This DPA is governed by the laws of the State of New Hampshire, USA, except where superseded by mandatory provisions of GDPR or other applicable data protection laws. Disputes shall be resolved in the courts of Strafford County, New Hampshire.


12. Contact

For data protection inquiries, contact:

© 2026 Golden Tech Solutions LLC · GoldenIris · New Hampshire, USA · legal@goldeniris.ai