Data Processing Agreement
1. Definitions
In this Data Processing Agreement ("Agreement"), the following terms have the meanings set forth below:
- Controller: The entity that determines the purposes and means of processing personal data. For the purposes of this Agreement, Customer is the Controller.
- Processor: The entity that processes personal data on behalf of the Controller. For the purposes of this Agreement, SplitRun is the Processor.
- Personal Data: Any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, phone numbers, compensation amounts, commission data, sales metrics, and any other data that can be linked to an individual.
- Processing: Any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, transmission, deletion, and similar operations.
- Sub-Processor: Any entity engaged by SplitRun to process Personal Data on behalf of Customer.
- Data Breach: Any confirmed or reasonably suspected unauthorized access, disclosure, destruction, or loss of Personal Data.
- Service Provider: A third party that provides infrastructure, hosting, payment, or communication services to SplitRun.
2. Scope and Roles
This Agreement governs the processing of Personal Data by SplitRun as a Processor on behalf of Customer as the Controller. Customer retains full control over the purposes and means of processing, including decisions about data collection, use, retention, and deletion.
SplitRun processes Personal Data only as instructed by Customer through the SplitRun Platform and in accordance with the terms of this Agreement and the Master Service Agreement between the parties.
This Agreement applies to all Personal Data provided by Customer to SplitRun, regardless of the method of transmission or format.
3. Categories of Personal Data Processed
SplitRun processes the following categories of Personal Data on behalf of Customer:
- Employee and Commission Data: Names, titles, compensation structures, commission rates, commission payments, sales targets, performance metrics, and compensation history.
- Sales and Revenue Data: Transaction amounts, sales volume, deal information, revenue attribution, account assignments, and sales performance metrics linked to individuals.
- Agent and Representative Information: Sales representatives, account managers, and affiliate partners including names, email addresses, phone numbers, and commission-related information.
- Account and Merchant Data: Customer and merchant information associated with sales transactions, including identifiable contact information and transaction history.
- Account Information: Email addresses and user identifiers associated with Customer accounts.
Customer is responsible for ensuring that all Personal Data provided to SplitRun is processed in compliance with applicable laws and that appropriate legal bases exist for collection and processing.
4. Processing Purposes
SplitRun processes Personal Data solely for the following purposes:
- Calculating, tracking, and managing employee and agent commissions
- Reporting commission data and compensation analytics to Customer
- Providing the SplitRun Platform and commission intelligence services
- Enforcing the Master Service Agreement and this Data Processing Agreement
- Complying with applicable laws and legal obligations
- Providing customer support and platform maintenance
SplitRun will not use Personal Data for any purpose other than those listed above without obtaining prior written consent from Customer.
5. Sub-Processors and Data Locations
SplitRun engages third-party service providers to assist in providing the SplitRun Platform. All Personal Data is processed exclusively in the United States. Customer authorizes SplitRun to engage the following Sub-Processors:
| Sub-Processor | Service Category | Processing Purpose | Data Location |
|---|---|---|---|
| Supabase (Open Source Associate, Inc.) | Database & Storage | Storage and retrieval of customer data, commission data, and account information | United States |
| Vercel Inc. | Application Hosting | Hosting the SplitRun Platform and serving application content | United States |
| Stripe Inc. | Payment Processing | Processing subscription payments and managing billing information | United States |
| Resend Inc. | Email Communications | Sending transactional and notification emails to users | United States |
SplitRun will notify Customer of any changes to Sub-Processors at least thirty (30) days in advance and will provide Customer with an opportunity to object to the use of any new Sub-Processor based on legitimate grounds relating to data protection.
6. Security Measures
SplitRun implements and maintains industry-standard technical and organizational security measures designed to protect Personal Data against unauthorized access, modification, disclosure, destruction, and loss, including:
- Encryption at Rest: Personal Data is encrypted using AES-256 encryption standards when stored in databases and storage systems.
- Encryption in Transit: All data transmitted between Customer and SplitRun is encrypted using TLS 1.2 or higher.
- Access Controls: Role-based access control (RBAC) restricts employee and system access to Personal Data to only those individuals with a legitimate need to access such data for the purposes outlined in this Agreement.
- Audit Logging: SplitRun maintains comprehensive audit logs of all access to Personal Data, including timestamps, user identities, and actions performed. Logs are retained for a minimum of twelve (12) months.
- Authentication: SplitRun requires secure authentication mechanisms, including multi-factor authentication (MFA) for administrative access.
- Network Security: SplitRun maintains firewalls, intrusion detection systems, and other network security measures.
- Data Minimization: SplitRun limits collection and processing of Personal Data to only what is necessary for the stated purposes.
- Regular Security Assessments: SplitRun conducts regular security assessments and vulnerability testing.
While SplitRun implements these protections, no security system is absolutely impenetrable. Customer acknowledges that no Processor can guarantee complete security of Personal Data.
7. Data Breach Notification
In the event of a confirmed or reasonably suspected Data Breach involving Personal Data, SplitRun will:
- Notify Customer without undue delay and in no case later than seventy-two (72) hours after becoming aware of the Data Breach.
- Provide Customer with detailed information about the nature of the breach, including the scope, types of Personal Data affected, and the likely consequences.
- Describe the measures SplitRun has taken or will take to mitigate the impact of the breach.
- Provide the name and contact information of SplitRun's data protection contact.
SplitRun will cooperate with Customer and provide reasonable assistance in complying with breach notification obligations under applicable laws.
8. Data Subject Rights
SplitRun acknowledges that individuals have rights regarding their Personal Data under applicable privacy laws. Upon receipt of a request from Customer regarding an individual's rights (including access, correction, deletion, or portability), SplitRun will:
- Provide reasonable technical and organizational assistance to Customer to fulfill such requests.
- Respond promptly to Customer's requests without undue delay.
- Not respond directly to individuals' requests, but instead direct such requests to Customer, as Customer is the Controller.
Customer is responsible for assessing requests under applicable laws and determining whether disclosure, correction, or deletion is required.
9. Data Retention and Deletion
SplitRun will retain Personal Data only for so long as is necessary to provide the SplitRun Platform and fulfill the purposes outlined in Section 4. Upon termination or expiration of the Master Service Agreement, or upon Customer's written request:
- SplitRun will securely delete or return all Personal Data in SplitRun's possession unless applicable law requires longer retention.
- SplitRun will certify to Customer in writing that deletion or return has been completed, except where legally prohibited.
- SplitRun may retain minimal operational data (e.g., transaction logs, anonymized analytics) for compliance and backup purposes, provided such data is no longer linked to Customer or identifiable individuals.
10. Audit and Compliance Rights
SplitRun acknowledges Customer's right to audit SplitRun's compliance with this Agreement. Customer may:
- Request information and documentation regarding SplitRun's processing of Personal Data and implementation of security measures.
- Conduct audits or inspections of SplitRun's facilities and systems upon reasonable notice (minimum thirty (30) days), provided that such audits do not unreasonably interfere with SplitRun's operations.
- Engage independent third-party auditors to conduct compliance assessments on Customer's behalf.
SplitRun will provide reasonable cooperation and access to facilitate audits, except where doing so would compromise the security, confidentiality, or intellectual property of SplitRun or other customers. Audits may be conducted no more frequently than once per calendar year unless a prior audit identified material non-compliance.
11. International Data Transfers
All Personal Data is processed exclusively in the United States. SplitRun does not currently transfer Personal Data outside the United States. Customer warrants that it is authorized to transfer any Personal Data to the United States and that such transfer complies with applicable laws.
SplitRun does not currently offer data processing for individuals located in the European Union, European Economic Area, or other jurisdictions with specific international data transfer requirements. Should Customer require such functionality, SplitRun will evaluate appropriate mechanisms (such as Standard Contractual Clauses) and notify Customer of any additional terms or restrictions.
12. CCPA Compliance
To the extent that Personal Data includes information subject to the California Consumer Privacy Act (CCPA), SplitRun acknowledges its role as a service provider and agrees to:
- Process Personal Data only as instructed by Customer.
- Not sell Personal Data or combine Personal Data from multiple customers for commercial purposes.
- Implement and maintain reasonable security measures as described in Section 6 of this Agreement.
- Provide reasonable assistance to Customer in responding to consumer requests and exercising CCPA rights.
- Notify Customer promptly of any Data Breach involving Personal Data, as required by California law.
13. Data Processing Addendum
This Agreement serves as the Data Processing Addendum (DPA) for the Master Service Agreement between SplitRun and Customer and is incorporated by reference into that agreement. In the event of any conflict between this Agreement and the Master Service Agreement, the terms of this Agreement will control with respect to the processing of Personal Data.
14. Term and Termination
This Agreement is effective as of the date the Customer first uses the SplitRun Platform and continues for so long as SplitRun processes Personal Data on behalf of Customer. Upon termination of the Master Service Agreement or Customer's request:
- SplitRun will cease processing Personal Data within a reasonable timeframe.
- SplitRun will securely delete or return Personal Data in accordance with Section 9 of this Agreement.
- The obligations of SplitRun under Sections 7 and 8 will survive termination.
15. Limitation of Liability
Except as otherwise provided in the Master Service Agreement or required by law, neither party shall be liable to the other for indirect, incidental, consequential, special, or punitive damages arising out of or relating to this Agreement or the processing of Personal Data, even if advised of the possibility of such damages.
SplitRun's total liability for any claim arising from a Data Breach is limited to the fees paid by Customer to SplitRun in the twelve (12) months preceding the incident giving rise to the claim, unless a higher liability cap is provided in the Master Service Agreement or required by applicable law.
16. Governing Law and Jurisdiction
This Agreement is governed by and construed in accordance with the laws of the State of California, without regard to its conflict of law provisions. The parties consent to the exclusive jurisdiction of the state and federal courts located in California.
17. Contact Information
For questions, concerns, or requests relating to this Data Processing Agreement, please contact:
- Data Protection Contact: dpa@splitrun.io
- Entity: Deliquio CA Inc. d/b/a SplitRun
SplitRun will respond to all inquiries regarding data processing within five (5) business days.
18. Amendments
SplitRun may amend this Agreement to comply with changes in applicable laws or to update security measures and Sub-Processor information. SplitRun will provide Customer with notice of material changes at least thirty (30) days in advance. If Customer does not accept the amendments, Customer may terminate the Master Service Agreement without penalty.
19. Severability
If any provision of this Agreement is found to be invalid, illegal, or unenforceable, such provision will be modified to the minimum extent necessary to make it valid and enforceable or, if that is not possible, severed. The remaining provisions will continue in full force and effect.
20. Entire Agreement
This Agreement, together with the Master Service Agreement, constitutes the entire agreement between the parties regarding the processing of Personal Data and supersedes all prior negotiations, representations, and agreements, whether written or oral.
Effective Date: April 13, 2026