DATA PROCESSING AGREEMENT
Last Updated: 5/1/2025
This Data Processing Agreement (“Agreement” or “DPA”) forms part of, and is incorporated by reference into, the Valid Records Terms and Conditions of Use (the “Terms”) available at https://validrecord.com/terms, or any other written or electronic agreement between Valid Records, Inc. (“Valid Records,” “Processor,” “we,” “us,” or “our”) and the customer or entity agreeing to the Terms (“Client,” “Controller,” or “you”).
This DPA applies to the extent that Valid Records Processes Personal Data on behalf of Client in the course of providing the Services pursuant to the Terms. By entering into the Terms, Client enters into this DPA with Valid Records, which shall govern such Processing within the United States.
1. DEFINITIONS
For purposes of this DPA, the following terms shall have the meanings set forth below.
“Applicable Privacy Laws” means all United States federal, state, and local data-protection and privacy laws governing the Processing of Personal Data under this DPA, including, without limitation, the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100 et seq.) as amended by the California Privacy Rights Act of 2020 (effective January 1, 2023), and any substantially similar or successor state privacy laws enacted in the United States.
“Controller” means the entity that determines the purposes and means of Processing Personal Data.
“Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, and that is provided to or accessed by Processor in connection with the performance of the Services.
“Processing” or “Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, combination, restriction, erasure, or destruction.
“Processor” means Valid Records, Inc., which Processes Personal Data on behalf of Controller pursuant to the Terms and this DPA.
“Services” means the services provided by Processor to Controller as described in the Terms, including but not limited to data verification, fraud-risk scoring, validation, compliance analysis, analytics, and related technology and support services.
“Sub-Processor” means any third party engaged by Processor that Processes Personal Data on behalf of Controller in connection with the Services.
2. ROLES OF THE PARTIES
The Parties acknowledge and agree that Controller is the data controller and Valid Records is the data processor. Processor shall Process Personal Data solely on behalf of Controller and only for the limited and specific purposes of providing the Services in accordance with the Terms and this DPA. Processor shall not sell, share, or otherwise Process Personal Data for its own purposes, as those terms are defined under Applicable Privacy Laws. Nothing in this DPA shall be construed as transferring ownership of Personal Data to Processor.
3. SCOPE AND PURPOSE OF PROCESSING
Processor shall Process Personal Data only to the extent necessary to perform the Services and to fulfill its obligations under the Terms. Such Processing may include activities related to the verification and validation of contact and identifying information, fraud-risk and behavioral analysis, phone number, address, and ZIP-code verification, compliance and litigant screening, performance analytics and reporting, and other related technical operations required to provide, secure, and improve the Services. Processor shall not retain, use, disclose, or otherwise Process Personal Data for any purpose other than those expressly permitted under this DPA or as required by law. Processor shall not combine Personal Data received from Controller with data obtained from other sources except as necessary to perform the Services in compliance with Applicable Privacy Laws.
4. CONTROLLER INSTRUCTIONS
Processor shall Process Personal Data only in accordance with Controller’s documented lawful instructions and as required to perform the Services or to comply with Applicable Privacy Laws. Processor shall promptly notify Controller if Processor believes that an instruction infringes Applicable Privacy Laws. Processor shall not be obligated to act upon any instruction that Processor reasonably determines to be unlawful or beyond the scope of the Services.
5. SECURITY AND CONFIDENTIALITY
Processor shall implement and maintain appropriate administrative, technical, and physical measures designed to protect Personal Data against unauthorized access, destruction, loss, alteration, or disclosure. Such measures shall take into account the nature of the Personal Data, the scope of Processing, and the associated risks. All personnel, contractors, and agents of Processor with access to Personal Data shall be bound by confidentiality obligations at least as protective as those contained herein. Processor shall maintain a written information security program that includes policies addressing access controls, encryption, network protection, secure disposal, and incident response.
6. SUB-PROCESSORS
Processor may engage Sub-Processors to assist in performing the Services. Processor shall remain fully responsible for each Sub-Processor’s compliance with this DPA. Processor shall ensure that all Sub-Processors are bound by written agreements imposing data-protection and confidentiality obligations substantially equivalent to those set forth herein. Processor shall not be required to provide notice to or obtain approval from Controller before engaging or replacing Sub-Processors, provided that Processor remains responsible for their performance and compliance with this DPA.
7. DATA SUBJECT REQUESTS
Processor shall, to the extent required by Applicable Privacy Laws, provide reasonable assistance to Controller in responding to verified consumer or data-subject requests, including requests for access, correction, deletion, restriction, or portability of Personal Data. Processor shall not independently respond to any such request unless directed or authorized by Controller or required by law. Controller remains solely responsible for determining the appropriate response to such requests and for verifying the identity and authority of requesters.
8. SECURITY INCIDENTS
Processor shall notify Controller without undue delay, and in no event later than seventy-two (72) hours after confirmation, of any unauthorized or unlawful breach of security that results in the accidental or unlawful destruction, loss, alteration, disclosure of, or access to Personal Data (a “Security Incident”). Such notice shall include, where reasonably available, a description of the nature of the incident, the categories and approximate number of affected individuals, the likely consequences, and the measures taken or proposed to mitigate the impact. Processor shall promptly investigate and take appropriate remedial action to mitigate and prevent recurrence of any Security Incident.
9. DATA RETENTION AND DELETION
Upon expiration or termination of the Services, Processor shall, at Controller’s written election, delete or return all Personal Data in its possession or control, unless retention is required by law, regulation, or a legitimate business purpose such as fraud prevention, audit, or compliance. Any retained Personal Data shall remain subject to the protections and restrictions of this DPA for so long as it is maintained.
10. AUDITS AND COMPLIANCE
Upon reasonable written request, Processor shall make available to Controller information reasonably necessary to demonstrate compliance with this DPA. Formal audits or inspections may be conducted only if required by law or regulatory authority and shall be subject to reasonable advance notice, confidentiality obligations, and reimbursement by Controller of Processor’s reasonable costs associated with such audits.
11. LIABILITY AND INDEMNIFICATION
Each Party shall be responsible for its own acts and omissions under this DPA. Processor’s total cumulative liability arising from or relating to this DPA shall not exceed the total amount of fees paid by Controller to Processor under the Terms during the twelve (12) months immediately preceding the event giving rise to the claim. Under no circumstances shall Processor be liable for indirect, consequential, incidental, special, exemplary, or punitive damages, including lost profits, loss of goodwill, or business interruption, even if advised of the possibility thereof. Controller shall indemnify, defend, and hold harmless Processor and its affiliates, officers, directors, employees, and agents from and against all claims, losses, damages, liabilities, costs, and expenses, including reasonable attorneys’ fees, arising from Controller’s violation of Applicable Privacy Laws, misuse or unauthorized disclosure of Personal Data, or breach of this DPA.
12. RELATIONSHIP TO THE TERMS
This DPA forms part of and is incorporated into the Valid Records Terms and Conditions of Use. In the event of any conflict between this DPA and the Terms, this DPA shall control solely with respect to the Processing of Personal Data.
13. GOVERNING LAW AND VENUE
This DPA shall be governed by and construed in accordance with the laws of the State of California, without regard to conflicts-of-law principles. Any dispute arising out of or relating to this DPA shall be resolved exclusively in the state or federal courts located in Los Angeles County, California, and each Party hereby consents to the jurisdiction of such courts.
14. MISCELLANEOUS
If any provision of this DPA is held invalid or unenforceable, the remainder shall remain in full force and effect. Processor may update or amend this DPA as necessary to comply with Applicable Privacy Laws or to reflect changes in its data-protection practices. Continued use of the Services following such amendment constitutes acceptance of the revised DPA. Each Party represents and warrants that it has full power and authority to enter into this DPA and to perform its obligations hereunder.