Enforcer Labs Private Limited
Effective Date: May 1, 2026
Last Updated: May 17, 2026
Applies To: Enforcer Marketing | Enforcer Dashboard
1. Introduction
This Data Processing Addendum ("DPA") supplements the Terms of Service and applicable agreements between Enforcer Labs Private Limited ("Enforcer Labs," "Processor," or "we") and the Customer ("Controller" or "you"). It governs the processing of personal data in connection with the Services.
This DPA incorporates the requirements of the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.
2. Scope and Applicability
2.1 Enforcer Marketing
This DPA applies to personal data processed by Enforcer Labs through the Enforcer Marketing website, including data collected through contact forms, email subscriptions, and analytics. Enforcer Labs acts as a Data Controller for this data.
2.2 Enforcer Dashboard
Enforcer Dashboard is self-hosted enterprise software. Enforcer Labs does not process any personal data or Customer Data through Enforcer Dashboard. All data processing occurs within Customer's infrastructure under Customer's control.
This DPA applies to Enforcer Dashboard only with respect to:
(a) personal data exchanged during license procurement and support interactions; and
(b) any telemetry or usage data transmitted to Enforcer Labs (if enabled by Customer).
For such limited processing, Enforcer Labs acts as a Data Processor on behalf of the Customer (Controller).
3. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person, as defined under GDPR Article 4(1).
"Processing" means any operation performed on Personal Data, including collection, recording, storage, alteration, retrieval, use, disclosure, and erasure.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
"Sub-Processor" means a third party engaged by Enforcer Labs to process Personal Data.
"Standard Contractual Clauses (SCCs)" means the contractual clauses approved by the European Commission for international data transfers.
4. Data Processing Details
4.1 Categories of Data Subjects
- Website visitors (Enforcer Marketing)
- Business contacts and prospective customers
- Licensed customers and their authorized contacts
- Support requestors
4.2 Categories of Personal Data
- Contact information (name, email, company, job title, phone)
- Communication content (support tickets, emails)
- Usage data (analytics, IP addresses — Enforcer Marketing only)
- License administration data (organization name, authorized contacts)
4.3 Purpose of Processing
- Responding to inquiries and providing information
- License administration and fulfillment
- Technical support delivery
- Website analytics and optimization
- Email communications (transactional and marketing)
- Legal compliance
4.4 Duration of Processing
Processing continues for the duration of the business relationship plus applicable retention periods as specified in the Privacy Policy (02_privacy_policy.md).
5. Processor Obligations (Enforcer Labs)
Where Enforcer Labs acts as a Data Processor, Enforcer Labs shall:
(a) Process Personal Data only on documented instructions from the Controller, unless required by applicable law;
(b) Ensure that persons authorized to process Personal Data have committed to confidentiality;
(c) Implement appropriate technical and organizational measures to ensure security of processing;
(d) Not engage Sub-Processors without prior written authorization from the Controller (general or specific);
(e) Assist the Controller in responding to Data Subject requests;
(f) Assist the Controller in ensuring compliance with security, breach notification, impact assessment, and consultation obligations;
(g) Delete or return all Personal Data upon termination, at the Controller's choice;
(h) Make available all information necessary to demonstrate compliance and allow for audits.
6. Controller Obligations (Customer)
Where Customer acts as a Data Controller (particularly for Enforcer Dashboard data processing):
(a) Customer shall ensure a lawful basis exists for all processing of Personal Data within the Software;
(b) Customer shall provide any required privacy notices to Data Subjects;
(c) Customer shall implement appropriate technical and organizational security measures;
(d) Customer shall comply with Data Subject rights requests;
(e) Customer shall notify Enforcer Labs of any restrictions or specific instructions regarding data processing.
7. Sub-Processors
7.1 Authorized Sub-Processors
Enforcer Labs currently engages the following Sub-Processors:
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Vercel, Inc. | Website hosting, analytics | Usage data, IP addresses | United States |
| Resend, Inc. | Email delivery | Email addresses, names, email content | United States |
7.2 Sub-Processor Changes
(a) Enforcer Labs shall notify the Controller at least thirty (30) days before engaging a new Sub-Processor;
(b) The Controller may object to a new Sub-Processor within fifteen (15) days of notification;
(c) If the Controller objects and the parties cannot resolve the objection, the Controller may terminate the affected Services;
(d) All Sub-Processors are bound by data processing agreements with obligations no less protective than this DPA.
8. International Data Transfers
8.1 Personal Data may be transferred to countries outside the EEA, UK, or Switzerland (specifically, the United States through Sub-Processors).
8.2 For transfers subject to GDPR, Enforcer Labs relies on Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
8.3 Enforcer Labs shall implement supplementary measures as necessary based on transfer impact assessments.
8.4 Copies of applicable SCCs are available upon request at legal@enforcer-cca.com.
9. Security Measures
Enforcer Labs implements the following technical and organizational measures:
9.1 Technical Measures
- Encryption of data in transit (TLS 1.2+)
- Access control with role-based permissions
- Secure software development practices
- Regular security assessments of hosting infrastructure
- Automated monitoring and alerting
9.2 Organizational Measures
- Access limited to personnel with a need-to-know
- Confidentiality obligations for all personnel
- Regular security awareness training
- Vendor security assessments for Sub-Processors
- Incident response procedures
10. Data Breach Notification
10.1 In the event of a Personal Data breach, Enforcer Labs shall notify the Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach.
10.2 The notification shall include:
(a) a description of the nature of the breach, including categories and approximate number of Data Subjects affected;
(b) the name and contact details of the data protection officer or point of contact;
(c) a description of the likely consequences of the breach;
(d) a description of measures taken or proposed to address the breach.
10.3 Enforcer Labs shall cooperate with the Controller in investigating and mitigating the breach.
11. Data Subject Rights
11.1 Enforcer Labs shall assist the Controller in responding to requests from Data Subjects to exercise their rights under GDPR (access, rectification, erasure, restriction, portability, objection) and CCPA/CPRA (know, delete, correct, opt-out).
11.2 If Enforcer Labs receives a request directly from a Data Subject, it shall promptly redirect the request to the Controller, unless legally required to respond directly.
12. Data Protection Impact Assessment
Enforcer Labs shall provide reasonable assistance to the Controller in conducting data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, where required under GDPR Article 35 and 36.
13. Audit Rights
13.1 Enforcer Labs shall make available to the Controller all information necessary to demonstrate compliance with this DPA.
13.2 The Controller may conduct audits, including inspections, no more than once per year, upon thirty (30) days' written notice, during normal business hours.
13.3 Enforcer Labs may satisfy audit requests by providing relevant certifications, audit reports (e.g., SOC 2 Type II), or third-party attestations.
14. Term and Termination
14.1 This DPA remains in effect for the duration of the processing of Personal Data under the applicable agreement.
14.2 Upon termination, Enforcer Labs shall, at the Controller's election, delete or return all Personal Data and confirm deletion in writing, unless retention is required by applicable law.
15. CCPA/CPRA Specific Provisions
Where the CCPA/CPRA applies:
(a) Enforcer Labs acts as a "Service Provider" as defined under CCPA §1798.140(ag);
(b) Enforcer Labs shall not sell or share Personal Information;
(c) Enforcer Labs shall not retain, use, or disclose Personal Information for any purpose other than performing the Services;
(d) Enforcer Labs shall not combine Personal Information received from the Controller with data from other sources, except as permitted by CCPA;
(e) Enforcer Labs certifies that it understands and will comply with these restrictions.
16. Contact
Enforcer Labs Private Limited
Data Protection Officer: Ommar Shaikh (dpo@enforcer-cca.com)
Email: legal@enforcer-cca.com
This DPA is subject to attorney review, particularly international transfer mechanisms and GDPR compliance provisions.