Legal

Data Processing Addendum

Terms for processing personal data on behalf of our business customers, including security and subprocessor commitments.

Legal documentLast updated June 22, 2026

1. Parties & Scope

This Data Processing Addendum ("DPA") forms part of the agreement between Risen Results, LLC ("Processor") and the business customer ("Controller") under which Risen Results processes personal data on the Controller's behalf to provide the Services.

If there is a conflict between the agreement and this DPA with respect to the processing of personal data, this DPA controls.

2. Definitions

"Personal Data," "Processing," "Controller," "Processor," "Data Subject," and "Supervisory Authority" have the meanings given in applicable data protection laws (including GDPR and CCPA / CPRA, as applicable).

3. Roles

The Controller determines the purposes and means of processing. Risen Results acts as Processor (or Service Provider under CCPA) and processes personal data only on documented instructions from the Controller and as needed to provide the Services or comply with law.

4. Processing Details (Schedule A)

Subject matter: provision of the Services. Duration: term of the underlying agreement plus any retention period required by law.

Nature & purpose: hosting, transmission, and processing of personal data to operate consent capture, lead routing, messaging, analytics, and reporting features.

Categories of data subjects: end users who submit forms, recipients of communications, and Controller's authorized personnel.

Categories of personal data: contact data (name, email, phone, postal code), inquiry content, consent records, device and usage metadata, account credentials, and audit logs.

5. Subprocessors (Schedule B)

Risen Results engages subprocessors to provide hosting, messaging, email delivery, analytics, fraud prevention, and AI features. A current list of subprocessors is available on request at legal@risenresults.ai.

Risen Results imposes data-protection obligations on each subprocessor that are no less protective than those in this DPA and remains responsible for the performance of each subprocessor.

Controller may object on reasonable grounds to a new subprocessor; the parties will work in good faith to resolve the objection.

6. Security Measures (Schedule C)

Risen Results maintains administrative, technical, and physical safeguards designed to protect personal data — including encryption in transit, role-based access controls, audit logging, vulnerability management, secure software development practices, and incident response procedures.

Access to personal data is limited to personnel who need it to provide the Services and who are subject to confidentiality obligations.

7. International Transfers

Where personal data is transferred from the EU/EEA, UK, or Switzerland to a country without an adequacy decision, the parties rely on the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable), incorporated by reference into this DPA.

8. Data Subject Requests

Risen Results will, taking into account the nature of the processing, assist Controller with appropriate technical and organizational measures to respond to data-subject requests for access, correction, deletion, restriction, portability, and objection.

If a data subject contacts Risen Results directly with such a request, Risen Results will promptly forward it to the Controller and will not respond except to confirm receipt or as required by law.

9. Personal Data Breach Notification

Risen Results will notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller's personal data, and will provide information reasonably necessary for Controller to meet its own notification obligations.

10. Audits

Risen Results will make available to Controller information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Controller or a mutually agreed auditor, subject to reasonable confidentiality and security requirements.

11. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the underlying agreement.

12. Term & Termination

This DPA takes effect on the effective date of the underlying agreement and remains in effect for so long as Risen Results processes personal data on Controller's behalf. On termination, Risen Results will, at Controller's choice and at no cost beyond standard return/deletion fees, delete or return personal data, except to the extent retention is required by law.

13. Governing Law

This DPA is governed by the same law as the underlying agreement, unless data protection law requires application of a different law.

14. Requesting a Signed DPA

To countersign this DPA for your account, email legal@risenresults.ai with your legal entity name, jurisdiction, and the contact who will sign.