Data Processing Agreement
Last updated: March 14, 2026
1. Parties and Definitions
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller ("Controller", "Customer", "You"): The entity or individual that has agreed to the ITAD Tools Terms of Service and uses the ITAD Tools platform to process personal data.
- Data Processor ("Processor", "We", "Us"): ITAD Tools LLC, located at 25422 Trabuco Rd STE 184, Lake Forest, CA 92630, United States.
This DPA is incorporated into and supplements the Terms of Service between the Controller and Processor. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data processing matters.
Key Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
- "CCPA" means the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA).
- "SCCs" means the Standard Contractual Clauses adopted by the European Commission for the transfer of personal data to third countries.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Scope and Purpose of Processing
Subject Matter
The Processor processes Personal Data on behalf of the Controller in connection with the provision of the ITAD Tools platform, which includes IT asset disposition management, device specification lookup, data destruction certification, inventory management, and related services.
Purpose of Processing
Personal Data is processed solely for the following purposes:
- Account management: User registration, authentication, two-factor authentication, and session management.
- IT asset disposition services: Hardware specification lookup, asset valuation, inventory management, data destruction certification, and compliance reporting.
- Subscription and billing: Processing payments and managing subscription plans through Stripe.
- Customer support: Responding to inquiries, bug reports, and service requests.
- Platform security: Fraud prevention, security monitoring, login anomaly detection, and access logging.
- Analytics: Aggregated, privacy-focused usage analytics to improve platform performance and user experience (subject to user consent via cookie banner).
- Communications: Transactional emails including account verification, password resets, tool assignments, and service notifications.
The Processor shall not process Personal Data for any purpose other than those specified in this DPA or as otherwise instructed in writing by the Controller, unless required to do so by applicable law. In such case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited from doing so by law.
3. Data Subjects and Categories of Personal Data
Categories of Data Subjects
The Personal Data processed under this DPA may relate to the following categories of Data Subjects:
- Employees, contractors, and authorized agents of the Controller
- End users of the Controller's ITAD Tools account
- Individuals whose personal data appears in IT assets processed through the platform (e.g., device records, asset inventories)
Categories of Personal Data
| Category | Examples |
|---|---|
| Identity data | Name, username, email address, organization name |
| Authentication data | Hashed passwords, two-factor authentication tokens |
| Network data | IP addresses (raw and hashed), user agent strings, browser information |
| Geolocation data | Approximate location derived from IP address (city, region, country) |
| Transaction data | Subscription records, payment history (card details processed by Stripe, never stored on our servers) |
| Usage data | Tools accessed, page views, scroll depth, click actions, session activity, login history |
| IT asset data | Device serial numbers, service tags, MAC addresses, drive models, hardware specifications, asset tags |
| Data destruction records | Wipe results, sanitization logs, certificate details, chain-of-custody records |
The Processor does not knowingly process special categories of Personal Data (Article 9 GDPR) unless such data is incidentally included in content uploaded by the Controller.
4. Controller Obligations
The Controller warrants and undertakes that:
- It has a lawful basis for processing Personal Data in accordance with applicable data protection laws, including the GDPR and CCPA where applicable.
- It has provided appropriate notice to Data Subjects regarding the processing of their Personal Data, including reference to this DPA and the Processor's Privacy Policy.
- It has obtained all necessary consents from Data Subjects where consent is the legal basis for processing.
- Its instructions to the Processor regarding the processing of Personal Data comply with all applicable data protection laws.
- It is responsible for the accuracy, quality, and legality of the Personal Data it provides to the Processor.
- It will promptly notify the Processor of any changes to applicable data protection laws that may affect the Processor's obligations under this DPA.
- It will not upload or submit special categories of Personal Data (Article 9 GDPR) to the platform unless expressly agreed in writing with the Processor.
5. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law.
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Take all measures required pursuant to Article 32 of the GDPR (security of processing), as described in Section 7 of this DPA.
- Respect the conditions for engaging Sub-processors as set forth in Section 6.
- Assist the Controller in responding to requests from Data Subjects exercising their rights under Chapter III of the GDPR, as described in Section 9.
- Assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to the Processor.
- At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits and inspections as described in Section 11.
- Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes applicable data protection laws.
6. Sub-processors
The Controller provides general written authorization for the Processor to engage Sub-processors to assist in providing the services, subject to the conditions set forth in this section.
Current Sub-processors
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing, subscription management, fraud prevention | Name, email, payment card details, billing address | United States |
| Sentry (Functional Software, Inc.) | Application error monitoring and performance tracking | Error context, URLs, stack traces (PII collection disabled via send_default_pii=False) | United States |
| Umami (self-hosted) | Privacy-focused web analytics | Page views, referrers, browser type, country (no cookies, no PII collected) | United States (self-hosted infrastructure) |
| MaxMind, Inc. | IP geolocation lookup (GeoLite2 database) | IP addresses (queried locally; no data transmitted to MaxMind) | United States (local database) |
| MXRoute | Transactional email delivery (SMTP) | Recipient email address, email subject and body content | United States |
Sub-processor Obligations
The Processor shall:
- Impose data protection obligations on each Sub-processor by way of a written contract that are no less protective than those set out in this DPA.
- Remain fully liable to the Controller for the performance of each Sub-processor's obligations.
- Notify the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes within 30 days of notification.
- If the Controller reasonably objects to a new Sub-processor, the Processor shall use commercially reasonable efforts to make available an alternative arrangement or allow the Controller to terminate the affected services without penalty.
7. Data Security Measures
The Processor implements and maintains the following technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR:
Encryption
- TLS 1.2+ encryption for all data in transit
- HTTPS enforced across all platform endpoints
- HSTS headers with extended max-age to prevent protocol downgrade attacks
- Encrypted database storage volumes
Access Controls
- Role-based access control (RBAC) with principle of least privilege
- Password hashing using industry-standard algorithms (plaintext passwords are never stored)
- Two-factor authentication (2FA) support for all user accounts
- Session management with Secure, HttpOnly, and SameSite cookie attributes
- Automated session expiration and cleanup
- Dedicated service accounts with restricted permissions
Infrastructure Security
- Firewall-protected infrastructure with restricted network access
- Regular credential rotation across all services
- Nightly automated vulnerability scans
- Continuous security monitoring and alerting via automated security agent
- File permission monitoring and enforcement
- Login anomaly detection and credential exposure monitoring
Application Security
- CSRF protection on all state-changing operations
- Content Security Policy (CSP) headers with script nonces
- Input validation and output encoding to prevent injection attacks
- Rate limiting on authentication and sensitive endpoints
- Error tracking with PII collection disabled (send_default_pii=False)
- IP address hashing (SHA-256 with secret salt) before storage in analytics
Data Minimization and Retention
- Automated data cleanup processes with defined retention periods (see our Data Retention Schedule)
- Analytics data retained for no more than 90 days
- Login history and usage data purged after 90 days
- Performance metrics retained for 30 days
- Account data deleted within 30 days of account deletion request
- PII anonymization in performance metrics and bug reports upon account deletion
8. Data Breach Notification
In the event of a Data Breach affecting Personal Data processed on behalf of the Controller, the Processor shall:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR.
- Provide the following information in the notification (to the extent available at the time of notification, with additional details provided as they become known):
  - A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected
  - The name and contact details of the Processor's data protection contact
  - A description of the likely consequences of the Data Breach
  - A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects
- Cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.
- Document all Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken, and make this documentation available to the Controller upon request.
- Not notify any third party of a Data Breach without first obtaining the Controller's prior written consent, unless required by applicable law.
Breach notifications will be sent to the Controller's designated contact via email. Controllers may designate a breach notification contact by emailing admin@itadtools.com.
9. Data Subject Rights Assistance
The Processor shall assist the Controller in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under applicable data protection laws, including:
- Right of access (Article 15 GDPR) — Data Subjects may request a copy of their Personal Data.
- Right to rectification (Article 16 GDPR) — Data Subjects may correct inaccurate or incomplete data. Self-service rectification is available at /auth/profile.
- Right to erasure (Article 17 GDPR) — Data Subjects may request deletion of their Personal Data. Self-service account deletion is available at /auth/delete-account.
- Right to restriction of processing (Article 18 GDPR) — Data Subjects may request that processing be limited in certain circumstances.
- Right to data portability (Article 20 GDPR) — Data Subjects may receive their data in a structured, commonly used, machine-readable format. Self-service data export is available at /auth/export-data.
- Right to object (Article 21 GDPR) — Data Subjects may object to processing based on legitimate interest. Analytics consent can be withdrawn at any time via the cookie settings link in the site footer. DNT and GPC signals are honored.
Self-Service Tools
The Processor provides the following self-service tools to facilitate the exercise of Data Subject rights:
- Data export: /auth/export-data — exports account data, login history, tools, bug reports, certificates, resale assessments, preferences, and compliance report purchases as JSON.
- Account deletion: /auth/delete-account — permanently deletes the account and anonymizes associated records (PII nulled in performance metrics and bug reports).
- Profile editing: /auth/profile — allows users to update their username and email address (requires current password confirmation).
- Consent management: Cookie consent can be withdrawn at any time via the cookie settings link in the site footer.
The Processor shall respond to all Data Subject requests forwarded by the Controller within 30 days of receipt. If a request is complex or numerous requests are received, the response period may be extended by a further 60 days, with the Controller and Data Subject informed of the extension within the initial 30-day period.
10. International Data Transfers
Personal Data is stored and processed in the United States. The Processor's infrastructure, including all servers and databases, is located in the United States.
Transfers from the EEA/UK/Switzerland
Where Personal Data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, such transfers are conducted on the basis of:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), Module Two (Controller to Processor), supplemented by additional safeguards where necessary.
- The EU-U.S. Data Privacy Framework, where applicable.
- Any other valid transfer mechanism under applicable data protection law.
The Controller may request a copy of the applicable transfer mechanism upon written request to admin@itadtools.com.
Supplementary Measures
In addition to the SCCs, the Processor implements the following supplementary measures to protect transferred Personal Data:
- Encryption of all data in transit using TLS 1.2 or higher
- Access controls limiting data access to authorized personnel only
- Contractual data protection obligations imposed on all Sub-processors
- Prompt notification to the Controller of any government access requests, to the extent permitted by law
Transfer Impact Assessment
The Processor has assessed the laws and practices of the United States relevant to the protection of transferred Personal Data and has determined that, together with the SCCs and supplementary measures described above, adequate safeguards are in place. The Processor will promptly inform the Controller if it becomes aware of any change in applicable law that would materially affect these safeguards.
11. Audit Rights
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and applicable data protection laws.
Audit Process
- The Controller may conduct audits, including inspections, of the Processor's data processing activities, either directly or through a mandated third-party auditor (subject to reasonable confidentiality obligations).
- The Controller shall provide the Processor with at least 30 days' written notice of any planned audit, unless the audit is required by a supervisory authority or is necessitated by a Data Breach.
- Audits shall be conducted during normal business hours, with minimal disruption to the Processor's operations.
- The Processor shall cooperate fully with the audit and provide reasonable access to relevant documentation, systems, and personnel.
- The audit scope shall be limited to the Processor's processing of the Controller's Personal Data.
- The Controller shall bear its own costs in connection with any audit, unless the audit reveals a material breach of this DPA by the Processor, in which case the Processor shall bear the reasonable costs of the audit.
Audit Alternatives
As an alternative to a full on-site audit, the Processor may, at the Controller's request:
- Provide a written summary of the technical and organizational security measures in place
- Share results of any independent third-party security assessments or certifications
- Respond to a reasonable written questionnaire regarding data processing practices
12. Duration and Termination
Duration
This DPA shall remain in effect for the duration of the Controller's use of the ITAD Tools platform and services under the Terms of Service. It automatically terminates when the Controller's account is closed and all Personal Data has been deleted or returned in accordance with this DPA.
Data Return and Deletion
Upon termination of this DPA or the underlying Terms of Service:
- The Processor shall, at the Controller's written election, either return all Personal Data to the Controller in a structured, commonly used, machine-readable format (JSON), or delete all Personal Data and existing copies, within 30 days of the termination date.
- If the Controller does not provide written instructions within 30 days of termination, the Processor shall delete all Personal Data.
- The Processor may retain Personal Data to the extent required by applicable law (e.g., financial records, data destruction certificates for compliance), provided that such data shall remain confidential and shall not be actively processed for any purpose other than compliance with legal obligations. The Processor shall inform the Controller of such retention, including the legal basis and expected retention period.
- The Processor shall provide written confirmation of deletion upon the Controller's request.
Survival
Sections 7 (Data Security Measures), 8 (Data Breach Notification), 11 (Audit Rights), 13 (Governing Law), and 14 (Liability) shall survive the termination or expiration of this DPA.
13. Governing Law and Dispute Resolution
This DPA shall be governed by and construed in accordance with the laws of the State of California, United States, without regard to its conflict of law principles.
Any disputes arising out of or in connection with this DPA that cannot be resolved through good-faith negotiation shall be submitted to binding arbitration in Orange County, California, in accordance with the rules of the American Arbitration Association.
Notwithstanding the foregoing, where the GDPR applies to the processing of Personal Data under this DPA, this DPA shall also be interpreted in accordance with the GDPR. Nothing in this section limits the rights of Data Subjects or supervisory authorities under the GDPR or other applicable data protection laws.
14. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA limits either party's liability for:
- Breaches of confidentiality obligations under this DPA
- Liability that cannot be excluded or limited by applicable data protection law
- Either party's indemnification obligations in respect of third-party claims relating to a breach of this DPA
Nothing in this DPA shall limit either party's liability with respect to any rights that Data Subjects may have under applicable data protection law.
15. Changes to This Agreement
The Processor may update this DPA from time to time to reflect changes in data processing practices, applicable laws, or Sub-processors. When material changes are made, the Processor shall notify the Controller at least 30 days in advance via email. The Controller's continued use of the platform after the effective date of such changes constitutes acceptance of the revised DPA.
If the Controller does not agree to a material change, the Controller may terminate the affected services by providing written notice within 30 days of the change notification.
16. Contact
For questions about this Data Processing Agreement, to request a signed copy, or to report a data protection concern, please contact:
ITAD Tools LLC
25422 Trabuco Rd STE 184
Lake Forest, CA 92630
United States
Email: admin@itadtools.com
Website: itadtools.com
For data protection inquiries, email admin@itadtools.com with the subject line "Data Processing Agreement".