Terms of ServicePrivacy PolicyRefund PolicyData Processing AddendumSubprocessorsAcceptable Use

Data Processing Addendum · v1.0 · 1724756d7829

24/7 PROFITS — Data Processing Addendum

Effective: April 27, 2026 · Version 1.0

This Data Processing Addendum (the "DPA") forms part of the Terms of Service, the Master Services Agreement, or any other written agreement (the "Principal Agreement") between AllDayFBA LLC dba 24/7 Profits ("Processor," "we," "us") and the customer entity that has accepted the Principal Agreement ("Controller," "you," "Customer").

This DPA reflects the parties' obligations under the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the UK Data Protection Act 2018 and UK GDPR, and the California Consumer Privacy Act / California Privacy Rights Act ("CCPA / CPRA") to the extent applicable.

By executing the Principal Agreement, accepting an order form, or making a paid use of the Services, Controller is deemed to have entered into this DPA.

1. Definitions

Capitalized terms not defined here have the meanings given in the GDPR. "Customer Personal Data" means any Personal Data that Controller submits to, or is collected by, the Services on Controller's instructions. "Subprocessor" means any third party engaged by Processor to process Customer Personal Data.

2. Roles of the Parties

For Customer Personal Data, Controller is the controller and Processor is the processor. Processor will process Customer Personal Data only:

  • For the purposes set out in Schedule 1 of this DPA;
  • In accordance with Controller's documented instructions, including the Principal Agreement, this DPA, and Controller's configuration of the Services; and
  • As required by applicable law, in which case Processor will inform Controller of that requirement before processing (unless prohibited by law).

3. Confidentiality and Personnel

Processor ensures that personnel authorized to process Customer Personal Data have committed to confidentiality, are appropriately trained, and process Customer Personal Data only on a need-to-know basis.

4. Security Measures

Processor implements and maintains the technical and organizational measures listed in Schedule 2 of this DPA. Processor will not materially decrease the protection of those measures during the term of the Principal Agreement.

5. Subprocessors

Controller authorizes Processor to engage the subprocessors listed at https://247profits.org/subprocessors as updated from time to time (the "Subprocessor List").

Processor will:

  1. Enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those in this DPA;
  2. Remain responsible for each Subprocessor's performance of those obligations;
  3. Provide notice of new or replacement Subprocessors at least fourteen (14) days before granting them access to Customer Personal Data, by updating the Subprocessor List or by email if Controller has subscribed to subprocessor change notifications;
  4. Permit Controller to object on reasonable data-protection grounds — if the parties cannot resolve the objection within thirty (30) days, Controller's exclusive remedy is to terminate the affected Services with pro-rated refund of any pre-paid fees for unused time.

6. Data Subject Requests

Processor will, taking into account the nature of the processing, assist Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling Controller's obligations to respond to data subject requests under applicable law (access, correction, deletion, portability, restriction, objection).

7. Personal Data Breach Notification

Processor will notify Controller without undue delay, and in any event within seventy-two (72) hours, of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.

8. Audits

Processor will make available to Controller all information necessary to demonstrate compliance with this DPA. Once per calendar year, on at least thirty (30) days' written notice and during normal business hours, Controller (or an independent auditor mandated by Controller and bound by confidentiality) may audit Processor's compliance, at Controller's expense, in a manner that does not unreasonably interfere with Processor's operations or the security of other customers' data.

In lieu of an on-site audit, Processor may satisfy this obligation by providing a copy of its most recent independent third-party audit report (e.g., SOC 2 Type II, ISO 27001) where available.

9. International Transfers

Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, the parties incorporate by reference the Standard Contractual Clauses (Module 2: Controller to Processor) approved by the European Commission, and the UK International Data Transfer Addendum where the UK GDPR applies. Schedule 3 sets out the transfer details.

10. Deletion and Return of Customer Personal Data

Within ninety (90) days of the termination of the Principal Agreement, Processor will, at Controller's election:

  • Delete all Customer Personal Data in its systems and those of its Subprocessors; or
  • Return all Customer Personal Data in a structured, commonly used, machine-readable format and then delete the copies it holds.

This obligation does not apply where retention is required by law, including:

  • Payment, AVS, CVV, 3-DS, and dispute records — retained for seven (7) years
  • Recordings and transcripts that are or have been the subject of a payment dispute — retained for the longer of seven years from dispute resolution or the regulatory minimum
  • Tax and accounting records — retained for the period required by US federal and state tax law

11. CCPA / CPRA Specific Provisions

Where Customer Personal Data includes "personal information" of California residents, Processor is acting as a "service provider" under CCPA / CPRA. Processor will not:

  • Sell or share Customer Personal Data;
  • Retain, use, or disclose Customer Personal Data outside the direct business relationship with Controller, except as permitted by CCPA / CPRA;
  • Combine Customer Personal Data received from Controller with personal information from any other source, except as expressly permitted by CCPA / CPRA.

12. Liability

The parties' liability under this DPA is subject to the limitations and exclusions set out in the Principal Agreement.

13. Order of Precedence

Where this DPA conflicts with the Principal Agreement, this DPA controls with respect to the matters it addresses. Where this DPA conflicts with the Standard Contractual Clauses, the Standard Contractual Clauses control.

14. Term and Termination

This DPA is effective as of the effective date of the Principal Agreement and terminates automatically upon termination of the Principal Agreement. Sections 7, 8, 10, 11, and 12 survive termination.

Schedule 1 — Description of Processing

Subject matter: delivery of the Services purchased by Controller — coaching programs, software access, community access, content, and supporting communications.

Duration: the term of the Principal Agreement plus the retention periods in Section 10.

Nature and purpose: account creation, billing, content delivery, software functionality, fraud prevention, dispute defense, customer support, product analytics, AI inference for assistive features, and recordings of disclosed sessions.

Categories of data subjects: Controller's authorized users (employees, contractors, students, members) and individuals who interact with Controller through the Services.

Categories of Personal Data: identifiers (name, email, phone, IP, device fingerprint), profile information, payment metadata, course progress, software events, recordings and transcripts of disclosed sessions, communication content, and similar.

Special categories: none collected by us by default; if Controller chooses to submit special category data, Controller is solely responsible for any required additional safeguards under Article 9 GDPR.

Schedule 2 — Technical and Organizational Measures

  • TLS 1.2+ encryption in transit; AES-256 encryption at rest for sensitive fields
  • Role-based access control with least-privilege defaults; mandatory MFA for all administrative access
  • Centralized audit logging of administrative actions; logs retained 13 months
  • Regular dependency vulnerability scanning and patching SLA of 14 days for critical, 30 days for high
  • Backup of production database every 24 hours with 30-day retention; quarterly restore drills
  • Secrets stored in a managed secret store; no production secrets in source control
  • Incident response plan with defined roles, escalation, and 72-hour breach notification commitment
  • Subprocessor agreements requiring equivalent protections

Schedule 3 — International Transfer Details

Data exporter: Controller, with details set out in the Principal Agreement.

Data importer: AllDayFBA LLC dba 24/7 Profits, USA. Postal address per the legal page footer. Privacy contact: privacy@247profits.org.

Categories of data subjects, data, and processing: as set out in Schedule 1.

Frequency of transfer: continuous, for the term of the Principal Agreement.

Competent supervisory authority (Controller in the EEA): the Member State supervisory authority of Controller's main establishment, or as agreed in the Principal Agreement.

Competent supervisory authority (Controller in the UK): the UK Information Commissioner's Office (ICO).

Acceptance: This DPA is deemed accepted upon execution of the Principal Agreement, the first paid use of the Services, or written acknowledgement by Controller's authorized representative. Acceptance is recorded with the document hash, IP, user agent, and timestamp in Processor's audit trail.