Data Processing Agreement (DPA)
GDPR/CCPA Compliance for Enterprise Customers | Version 1.0 | Effective: October 29, 2025
This Data Processing Agreement ("DPA") is incorporated into and forms part of the Master Services Agreement, End User License Agreement, or other written or electronic agreement between s4 Corporation ("Processor" or "s4") and Customer ("Controller" or "You") for the provision of s4™ Security Suite services ("Services").
1. Definitions
Key Terms
- "Personal Data": Any information relating to an identified or identifiable natural person, as defined under GDPR Article 4(1) and CCPA § 1798.140(o).
- "Processing": Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Controller": The entity that determines the purposes and means of processing Personal Data (Customer).
- "Processor": The entity that processes Personal Data on behalf of the Controller (s4 Corporation).
- "Sub-processor": Any third party engaged by Processor to process Personal Data.
- "Data Subject": An identified or identifiable natural person whose Personal Data is processed.
- "Supervisory Authority": An independent public authority established by an EU Member State (e.g., ICO, CNIL).
- "Data Protection Laws": GDPR, CCPA, UK DPA 2018, and other applicable privacy laws.
2. Scope and Applicability
2.1 Scope of Processing
This DPA applies to all Personal Data processed by s4 on behalf of Customer when providing the Services, including but not limited to:
- Employee user account information
- Device identifiers and hardware fingerprints
- License activation and usage data
- VPN connection metadata (not content - zero-log policy)
- Authentication and session data
- Support tickets and communications
2.2 Data Processing Details
| Item | Details |
|---|---|
| Subject Matter | Provision of s4™ Security Suite services |
| Duration | Term of the Services Agreement |
| Nature & Purpose | Security software delivery, license management, VPN services, threat protection |
| Type of Personal Data | Email addresses, device IDs, IP addresses (limited), usage statistics, license keys |
| Categories of Data Subjects | Customer employees, contractors, authorized users |
3. Obligations of the Processor (s4)
3.1 Processing Instructions
s4 shall process Personal Data only:
- On documented instructions from the Controller (Customer)
- As necessary to provide the Services
- As required by applicable law (with notice to Controller when feasible)
3.2 Confidentiality
s4 shall ensure that persons authorized to process Personal Data:
- Are bound by confidentiality obligations
- Receive appropriate data protection training
- Access Personal Data only as necessary for their duties
3.3 Security Measures
s4 implements technical and organizational measures to ensure a level of security appropriate to the risk, including:
Technical Measures:
- Encryption: AES-256-GCM for data at rest and in transit
- Certificate Pinning: SHA256 cert and public key hash validation (MITM protection)
- Access Controls: Multi-factor authentication, role-based access
- Network Security: SNI-based routing, firewall rules, IDS/IPS
- Anti-Tampering: Code integrity checks, debugger detection
- Secure Key Management: Hardware security modules (HSM) for cryptographic keys
Organizational Measures:
- Background Checks: Screening for staff with data access
- Security Training: Annual GDPR and security awareness training
- Access Logging: Audit trails for all data access
- Incident Response: 24-hour breach notification protocol
- Data Minimization: Collect only necessary data
- Regular Audits: Annual security assessments and penetration testing
3.4 Sub-processors
s4 maintains a list of authorized Sub-processors. Customer consents to the engagement of the current Sub-processors and approves future Sub-processors subject to 30 days' notice.
Current Sub-processors:
- Oracle Cloud Infrastructure
  - Purpose: Server hosting, infrastructure
  - Location: United States
  - Security: ISO 27001, SOC 2 Type II certified
- Redis Labs
  - Purpose: Session management, cache
  - Location: United States
  - Security: SOC 2 certified
- PostgreSQL (Self-hosted)
  - Purpose: Database management
  - Location: United States (our servers)
  - Security: Encrypted, access-controlled
3.5 Data Subject Rights
s4 shall assist Customer in responding to Data Subject requests:
- Access: Provide data export functionality via Customer Portal
- Rectification: Enable data correction through account settings
- Erasure: Delete data within 30 days of request
- Restriction: Suspend processing upon request
- Portability: Provide data in JSON/CSV format
- Objection: Honor opt-outs for non-essential processing
Response Time: s4 will respond to Customer requests for assistance within 5 business days.
3.6 Data Breach Notification
In the event of a Personal Data breach, s4 shall:
- Notify Customer without undue delay and no later than 24 hours after becoming aware
- Provide details of the breach, including:
  - Nature of the breach
  - Categories and approximate number of affected Data Subjects
  - Likely consequences
  - Measures taken or proposed to address the breach
- Cooperate with Customer to investigate and remediate
- Preserve evidence for forensic analysis
3.7 Audits and Inspections
Customer has the right to audit s4's compliance with this DPA:
- Frequency: Once per year, with 30 days advance notice
- Scope: Security controls, data processing practices, Sub-processor management
- Cost: Customer bears reasonable costs; s4 provides SOC 2 reports at no charge
- Confidentiality: Auditors must sign NDA
Alternative: Customer may accept s4's annual SOC 2 Type II audit report in lieu of independent audit.
4. Obligations of the Controller (Customer)
4.1 Lawful Processing
Customer warrants that:
- It has a lawful basis for processing Personal Data (GDPR Article 6)
- It has obtained necessary consents from Data Subjects
- Processing instructions comply with Data Protection Laws
- It will not instruct s4 to process data unlawfully
4.2 Data Accuracy
Customer is responsible for ensuring Personal Data provided to s4 is accurate, complete, and up-to-date.
4.3 End User Notice
Customer must provide appropriate privacy notices to Data Subjects, including:
- That s4 is a Processor acting on Customer's behalf
- Types of data collected
- Purposes of processing
- Data Subject rights
5. International Data Transfers
5.1 Data Location
Personal Data is primarily processed in:
- Primary: United States (Oracle Cloud, Ashburn, VA)
- Backup: United States (disaster recovery site)
5.2 Transfer Mechanisms (EU to US)
For transfers of Personal Data from the EEA/UK to the United States, s4 relies on:
- Standard Contractual Clauses (SCCs)
  - EU Commission Decision 2021/914 (Module Two: Controller-to-Processor)
  - UK International Data Transfer Agreement (IDTA)
  - Incorporated by reference into this DPA
- Supplementary Measures (Schrems II compliance)
  - End-to-end encryption (AES-256-GCM)
  - Certificate pinning preventing MITM attacks
  - Zero-log policy for VPN connections
  - Data minimization and pseudonymization
  - Documented resistance to government surveillance requests
5.3 California Data Transfers
For CCPA compliance, s4 certifies that it:
- Does NOT sell Personal Information (CCPA § 1798.140(t))
- Processes data only as a Service Provider (CCPA § 1798.140(v))
- Does NOT retain, use, or disclose data outside the business relationship
6. Data Retention and Deletion
6.1 Retention Periods
| Data Category | Retention Period |
|---|---|
| License Activation Data | Duration of license + 90 days |
| User Account Data | Duration of account + 30 days |
| VPN Logs (Metadata) | Zero-log policy (not retained) |
| Support Tickets | 3 years for legal/audit purposes |
| Billing Records | 7 years (tax compliance) |
| Audit Logs | 1 year |
6.2 Data Deletion
Upon termination of Services or written request:
- s4 will delete or anonymize all Personal Data within 30 days
- Deletion includes backups and disaster recovery systems
- Customer may request certification of deletion
- Exception: Data required by law (e.g., tax records) retained per legal obligation
7. Liability and Indemnification
7.1 Limitation of Liability
Each party's liability under this DPA is subject to the limitation of liability provisions in the Master Services Agreement.
7.2 Indemnification
s4 shall indemnify Customer against:
- Claims arising from s4's breach of this DPA
- s4's violation of Data Protection Laws
- Unauthorized processing by s4 or its Sub-processors
Exclusions: Claims arising from Customer's instructions or Customer's violation of Data Protection Laws.
8. Term and Termination
8.1 Term
This DPA remains in effect for the duration of the Services Agreement or until all Personal Data is deleted, whichever is later.
8.2 Effect of Termination
Upon termination:
- s4 ceases all processing of Personal Data
- Customer may request return or deletion of data
- s4 deletes or returns all Personal Data within 30 days
- Provisions regarding confidentiality, liability, and audit rights survive
9. Governing Law and Dispute Resolution
9.1 Governing Law
- General: Laws of the State of Delaware, United States
- EU Data Subjects: GDPR and applicable EU Member State law
- California Residents: CCPA and California law
9.2 Dispute Resolution
- Negotiation: Parties attempt good faith resolution (30 days)
- Mediation: Non-binding mediation (60 days)
- Arbitration: Binding arbitration per AAA rules
- Exception: Supervisory Authority complaints handled per GDPR Chapter VI
10. Supervisory Authority and Data Subject Rights
10.1 Supervisory Authority Contact
Data Subjects in the EU have the right to lodge a complaint with a Supervisory Authority:
- Lead Supervisory Authority: To be determined based on establishment
- Data Subject's SA: In country of habitual residence, place of work, or place of alleged infringement
10.2 Data Subject Rights Procedure
Data Subjects may exercise rights by:
- Contacting Customer (Controller) directly
- Using s4 Customer Portal: auth.s4.software/data-request
- Emailing: [email protected]
Response Time: 30 days (may be extended to 60 days for complex requests)
11. Certifications and Compliance
s4 Certifications:
- ✅ SOC 2 Type II: Annual audit (available upon request)
- ✅ ISO 27001: Information Security Management (in progress)
- ✅ Privacy Shield (Self-certified): Voluntary compliance framework
- ✅ CCPA Compliance: Service Provider Agreement
- ✅ GDPR Compliant: DPA, SCCs, technical measures
12. Amendments and Updates
s4 may update this DPA to reflect:
- Changes in Data Protection Laws
- Guidance from Supervisory Authorities
- Industry best practices
- Changes to Sub-processors or services
Notification: 30 days advance notice for material changes. Customer may object within 30 days; otherwise, continued use constitutes acceptance.
13. Contact Information
14. Signature and Acceptance
Electronic Acceptance: By clicking "I Accept" during account creation, purchasing a license, or continuing to use the Services after the effective date of this DPA, Customer agrees to be bound by its terms.
Alternative Execution: Enterprise customers requiring a signed DPA may contact [email protected] for a custom agreement.
This Data Processing Agreement complies with GDPR (EU 2016/679), CCPA (Cal. Civ. Code § 1798.100 et seq.), and UK DPA 2018.
Standard Contractual Clauses (Module Two) incorporated by reference.
s4™ Corporation · Legal & Privacy Department · Version 1.0 · October 29, 2025