Data Processing Agreement

This Data Processing Agreement establishes Dovito’s legal duties for processing the Client’s Personal Data in compliance with data protection laws (GDPR, CCPA/CPRA).

Complimentary Consultation

DATA PROCESSING AGREEMENT

Dovito® Business Solutions, Ltd.

Effective Date: August 17, 2023
Last Updated: October 8, 2025

 

1. Introduction and Purpose

This Data Processing Agreement (“DPA”) is entered into between the Client (“Data Controller”) and Dovito® Business Solutions, Ltd. (“Dovito®,” “Data Processor,” or “Processor”). This DPA governs the processing of Personal Data by Dovito® on behalf of the Client in connection with the provision of services, including systems integration, custom software development, and access to third-party platforms when applicable.

This DPA forms part of and supplements the Terms and Conditions of Service between the parties and is designed to comply with data protection laws, including the General Data Protection Regulation (GDPR), UK GDPR, and California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA).

2. Definitions

For purposes of this DPA:

  • Personal Data: Any information relating to an identified or identifiable natural person.

  • Processing: Any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.

  • Data Controller: The Client, who determines the purposes and means of processing Personal Data.

  • Data Processor: Dovito® Business Solutions, Ltd., who processes Personal Data on behalf of the Data Controller.

  • Data Subject: An identified or identifiable natural person whose Personal Data is processed.

  • Sub-Processor: Any third-party service provider engaged by Dovito to process Personal Data on behalf of the Data Controller.

  • Data Protection Laws: All applicable laws and regulations relating to privacy and data protection, including but not limited to GDPR, UK GDPR, CCPA, and CPRA.

3. Roles and Responsibilities

3.1 Data Controller Responsibilities

The Client, as Data Controller:

  • Retains ownership of all Personal Data provided to Dovito
  • Determines the purposes and means of processing Personal Data
  • Ensures that processing instructions provided to Dovito comply with applicable Data Protection Laws
  • Obtains all necessary consents and authorizations for processing Personal Data

3.2 Data Processor Responsibilities

Dovito, as Data Processor:

  • Processes Personal Data only in accordance with documented instructions from the Data Controller
  • Implements appropriate technical and organizational measures to protect Personal Data
  • Ensures that personnel authorized to process Personal Data are bound by confidentiality obligations
  • Assists the Data Controller in responding to Data Subject requests and fulfilling Data Protection Law obligations
  • Notifies the Data Controller of any Personal Data breaches without undue delay

4. Scope and Nature of Processing

4.1 Categories of Personal Data

Dovito processes the following categories of Personal Data on behalf of the Client:

  • Contact information (names, email addresses, phone numbers, business addresses)
  • Account credentials and authentication data
  • Business operational data and client information
  • Usage data and system interaction logs

4.2 Data Subjects

Personal Data relates to the following categories of Data Subjects:

  • Client’s employees, contractors, and representatives
  • Client’s customers, prospects, and business contacts

4.3 Purpose of Processing

Personal Data is processed for the following purposes:

  • Providing systems integration, custom software development, and related services
  • Supporting Client’s business operations, including CRM and project management functions
  • Providing access to third-party platforms when applicable to meet Client needs
  • Analyzing and improving service delivery and system performance

5. Security Measures

Dovito implements the following technical and organizational security measures to protect Personal Data:

  • Encryption: TLS/SSL encryption for data in transit; encryption for sensitive data at rest

  • Access Controls: Strict access controls limiting data access to authorized personnel only; multi-factor authentication (MFA) where applicable

  • Infrastructure Security: Secure cloud hosting on Amazon Web Services (AWS) and Google Cloud Platform (GCP), located in the United States

  • Monitoring and Logging: Regular monitoring for security threats and unauthorized access attempts

  • Incident Response: Documented procedures for detecting, investigating, and responding to security incidents

6. Sub-Processors

6.1 Authorization

The Client authorizes Dovito to engage Sub-Processors to process Personal Data on the Client’s behalf. Dovito will ensure that Sub-Processors are bound by data protection obligations substantially similar to those in this DPA.

6.2 Current Sub-Processors

Dovito currently engages the following Sub-Processors:

  • HighLevel (GO High Level) – CRM and marketing automation platform (when applicable for Client needs)
  • Amazon Web Services (AWS) – Cloud infrastructure and hosting services
  • Google Cloud Platform (GCP) – Cloud infrastructure and hosting services
  • Independent contractors engaged for technical implementation and support services

6.3 Changes to Sub-Processors

Dovito will notify the Client of any intended changes to Sub-Processors, including addition or replacement. The Client may object to such changes on reasonable grounds relating to data protection. If the Client objects, the parties will work in good faith to resolve the issue or, if no resolution can be reached, the Client may terminate the Services upon written notice.

7. Data Subject Rights

Dovito will, to the extent legally permitted and taking into account the nature of processing, assist the Client in fulfilling Data Subject requests to exercise their rights under Data Protection Laws, including:

  • Right of access to Personal Data
  • Right to rectification of inaccurate Personal Data
  • Right to erasure (“right to be forgotten”)
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing

If a Data Subject submits a request directly to Dovito, Dovito will promptly forward the request to the Client for handling.

8. Data Breach Notification

In the event of a Personal Data breach, Dovito will:

  • Notify the Client without undue delay upon becoming aware of the breach
  • Provide details including nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to mitigate the breach
  • Cooperate with the Client in investigating and remedying the breach
  • Take reasonable measures to prevent future breaches

9. Data Retention and Deletion

Upon termination or expiration of the Services, or upon Client’s written request, Dovito will:

  • Retain Personal Data for up to 90 days for recovery purposes unless the Client requests immediate deletion or migrates to another platform
  • Delete or return all Personal Data to the Client (in a structured, commonly used, and machine-readable format such as CSV or JSON) at the Client’s option
  • Delete all existing copies of Personal Data unless retention is required by applicable law or legitimate business purposes

10. Audits and Compliance

Dovito will make available to the Client all information reasonably necessary to demonstrate compliance with this DPA and Data Protection Laws. The Client may conduct audits or inspections of Dovito’s data processing activities, subject to reasonable advance notice and confidentiality obligations. Audits will be conducted during normal business hours and in a manner that does not unreasonably disrupt Dovito’s operations.

11. International Data Transfers

Personal Data is hosted on secure cloud infrastructure primarily located in the United States (AWS and GCP data centers). To the extent that Personal Data is transferred outside the European Economic Area (EEA), United Kingdom, or Switzerland, Dovito will ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or other legally recognized transfer mechanisms, to protect the Personal Data in accordance with GDPR and UK GDPR requirements.

12. Limitation of Liability

Each party’s liability under this DPA is subject to the limitations and exclusions set forth in the Terms and Conditions of Service. Nothing in this DPA reduces or limits either party’s liability under Data Protection Laws.

13. Term and Termination

This DPA will remain in effect for as long as Dovito processes Personal Data on behalf of the Client. Upon termination of the Services, the terms of this DPA will continue to apply until all Personal Data has been deleted or returned to the Client in accordance with Section 9.

14. Contact Information

For questions or concerns regarding this DPA or data processing practices, please contact:

Dovito® Business Solutions, Ltd.
508 Main Street
Windsor, Colorado 80550
Email: legal@dovito.com
Phone: Available upon request