CoreForge

This Data Processing Addendum ("DPA") forms part of the Customer Agreement between GreinchWW LLC, a Wyoming limited liability company doing business as "CoreForge" ("Processor"), and the Customer identified on the relevant order form or online sign-up ("Controller"), and reflects the parties' agreement on the processing of Personal Data in connection with the EU GDPR, UK GDPR, the California Consumer Privacy Act and other applicable data protection laws.

1. Definitions

Capitalised terms not defined here have the meaning given in the applicable Customer Agreement or the GDPR. "Personal Data", "Processing", "Controller", "Processor", "Data Subject" and "Sub-processor" have the meanings given in the GDPR. "Standard Contractual Clauses" ("SCCs") means the EU Commission's 2021 clauses (Module 2 — Controller to Processor); "UK IDTA" means the UK International Data Transfer Addendum to the EU SCCs.

2. Roles & scope

The Customer acts as Controller (or as a Processor on behalf of its own controllers) and instructs CoreForge, in its role as Processor within the meaning of Article 28 GDPR, to Process Personal Data for the purposes of providing the Service, as set forth in the Customer Agreement and any documented written instructions.

3. Subject matter, duration, nature & purpose

Subject matter: provision of the CoreForge SaaS platform.
Duration: the term of the Customer Agreement and any post-termination period required to return or delete data.
Nature and purpose: hosting, storage, transmission, backup, retrieval, deletion and analysis of Customer Data strictly to deliver the Service.

4. Categories of Data Subjects & Personal Data

Data Subjects: Customer's employees, contractors, end-users and any natural persons whose data the Customer chooses to upload.
Categories of Personal Data: as the Customer determines and uploads, typically business contact information, account credentials, operational records, content and any other fields the Customer configures.
Sensitive data: the Customer agrees not to upload special categories of Personal Data (Art. 9 GDPR) unless agreed separately in writing.

5. Obligations of CoreForge

Process Personal Data only on documented instructions from the Customer, unless required by law.
Ensure that persons authorised to process the Personal Data are under a duty of confidentiality.
Implement appropriate technical and organisational measures (see Annex II).
Engage sub-processors only as permitted in Section 7 below.
Assist the Customer in fulfilling its obligations to respond to Data Subject requests.
Assist the Customer in complying with Articles 32-36 GDPR (security, breach notification, DPIAs).
Delete or return Customer Data after termination, as instructed.
Make available all information necessary to demonstrate compliance.

6. Security measures (Annex II summary)

TLS 1.2+ for all data in transit; AES-256 for data at rest.
Logical isolation of Customer Data per tenant.
Mandatory 2FA for platform administrators.
Role-based access controls and least-privilege provisioning.
Audit logging of administrative actions retained 12 months.
Regular automated backups, encrypted at rest with separate keys.
Vulnerability scanning and dependency monitoring.
Documented incident response procedure with 72-hour breach notification.

7. Sub-processors

The current list of authorised sub-processors is published at coreforgeapp.com/subprocessors. CoreForge will notify the Customer at least 30 days before adding or replacing a sub-processor. The Customer may object in writing within that period; if the objection cannot be resolved the Customer may terminate the affected Service.

8. International transfers

Where Personal Data is transferred outside the EEA, UK or Switzerland to a country without an adequacy decision, the parties hereby incorporate the SCCs Module 2 (Controller-to-Processor), the UK IDTA, and the Swiss FDPIC-approved clauses, with the following choices: Clause 7 docking — not applicable; Clause 9(a) — Option 2 (general written authorisation, with 30-day notice); Clause 11 — independent dispute resolution NOT chosen; Clause 17 — Option 1 (Irish law); Clause 18 — Irish courts.

9. Data Subject requests

CoreForge will, to the extent legally permitted, promptly notify the Customer of any request received directly from a Data Subject and will assist the Customer by appropriate technical and organisational measures to enable the Customer to respond to such requests.

10. Personal Data breaches

CoreForge will notify the Customer without undue delay (and in any event within 72 hours of becoming aware) of a Personal Data breach affecting the Customer's Personal Data, providing such information as is reasonably available at the time and supplementing it as further details become known.

11. Audits

Once per year, on reasonable prior written notice and during business hours, the Customer may request reasonable evidence of CoreForge's compliance. CoreForge may satisfy this obligation by providing relevant third-party certifications (e.g. SOC 2 reports once available) or, for enterprise plans, by allowing a remote audit conducted at the Customer's cost.

12. Return or deletion of data

On termination of the Service, CoreForge will, at the Customer's choice and within 30 days, return all Customer Data or delete it from production systems and backups (subject to legal retention obligations and overwrite cycles).

13. Liability & conflicts

Each party's liability under this DPA is subject to the limitations in the Customer Agreement. In the event of any conflict between this DPA and the SCCs, the SCCs prevail in respect of the relevant transfer.

14. Governing law

This DPA is governed by the laws of the State of Wyoming, United States, except that SCC-related matters are governed by the law of Ireland as elected in Clause 17 of the SCCs.

15. Counter-signature

For a counter-signed PDF copy of this DPA on company letterhead, email legal@coreforgeapp.com from your billing-contact email address with your company's legal name and address.