Data Processing Agreement

Effective Date: January 27, 2026

Parties:

  • "Controller" — the entity that has agreed to the Digital Inventory Group LLC Terms of Service and utilizes the Services.
  • "Processor" — Digital Inventory Group LLC, a South Carolina limited liability company ("DiG" or "Company"), located at 317 Ruth Vista Road, Lexington, SC 29073.

1. Introduction and Scope

1.1. This Data Processing Agreement ("DPA") supplements and forms part of the Terms of Service available at digitalinventorygroup.com/terms-of-service (the "Agreement") between the Controller and Digital Inventory Group LLC.

1.2. This DPA applies to all Personal Data that the Processor processes on behalf of the Controller in connection with the provision of the Services. It sets forth the parties' obligations regarding the protection of Personal Data in compliance with Applicable Data Protection Laws.

1.3. In the event of any conflict between this DPA and the Agreement, the terms of this DPA shall prevail with respect to data protection matters.


2. Definitions

2.1. "Applicable Data Protection Laws" means all laws and regulations relating to the processing of Personal Data that apply to the parties' performance under the Agreement, including but not limited to: the EU General Data Protection Regulation 2016/679 ("GDPR"); the California Consumer Privacy Act and California Privacy Rights Act, Cal. Civ. Code Sections 1798.100-1798.199.100 ("CCPA/CPRA"); the Virginia Consumer Data Protection Act ("VCDPA"); the Colorado Privacy Act ("CPA"); the Connecticut Data Privacy Act ("CTDPA"); the Texas Data Privacy and Security Act ("TDPSA"); and the Oregon Consumer Privacy Act ("OCPA").

2.2. "Controller" means the entity that determines the purposes and means of the Processing of Personal Data and has entered into the Agreement with the Processor.

2.3. "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

2.4. "Personal Data" means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller in connection with the Services. This includes "personal information" as defined under the CCPA/CPRA and equivalent terms under other Applicable Data Protection Laws.

2.5. "Processing" (and its derivatives) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

2.6. "Processor" means Digital Inventory Group LLC, which processes Personal Data on behalf of the Controller.

2.7. "Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed by the Processor.

2.8. "Service Data" means all electronic data, text, messages, communications, or other materials submitted to and stored within the Services by the Controller or its authorized users.

2.9. "Services" means the CRM, messaging (SMS and email), payment processing, review management, webchat, and marketing automation services provided by the Processor to the Controller under the Agreement.

2.10. "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.


3. Data Processing Details

3.1. Subject Matter. The Processing of Personal Data in connection with the Processor's provision of marketing automation, CRM, communications, payment processing, review management, and webchat services.

3.2. Duration. The Processing shall continue for the term of the Agreement and, thereafter, only as required by this DPA or Applicable Data Protection Laws.

3.3. Nature and Purpose. The Processor will process Personal Data as necessary to provide the Services, including storing, organizing, managing, retrieving, transmitting, and communicating with Data Subjects on behalf of the Controller.

3.4. Types of Personal Data. The categories of Personal Data processed include:

  • Contact information (name, email address, phone number, mailing address)
  • Communication records (SMS messages, emails, webchat transcripts)
  • Transaction and payment data
  • Behavioral and engagement data (website visits, email opens, link clicks)
  • Consent records and opt-in/opt-out status

3.5. Categories of Data Subjects. The Data Subjects include the Controller's customers, leads, prospects, and employees whose data is submitted to the Services.

3.6. Further details are set forth in Exhibit A attached to this DPA.


4. Obligations of the Processor

4.1. Documented Instructions. The Processor shall process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such notice.

4.2. Confidentiality. The Processor shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3. Security. The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage, as further described in Section 6 and Exhibit B.

4.4. Data Subject Requests. The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as reasonably possible, in fulfilling the Controller's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws.

4.5. Compliance Assistance. The Processor shall assist the Controller in ensuring compliance with security obligations, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of Processing and the information available to the Processor.

4.6. Deletion or Return. Upon termination of the Agreement, the Processor shall, at the Controller's election, delete or return all Personal Data to the Controller and delete existing copies, subject to Section 11 of this DPA.

4.7. Audit Support. The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits and inspections as set forth in Section 10.


5. Sub-Processing

5.1. General Authorization. The Controller grants a general written authorization to the Processor to engage Sub-processors for the Processing of Personal Data. As of the Effective Date, the Processor's Sub-processors include:

| Sub-processor | Purpose |
|---|---|
| HighLevel Inc. (GoHighLevel) | Primary platform — CRM, marketing automation, communications infrastructure |
| Twilio / LeadConnector | SMS and voice communications delivery |
| Stripe (and affiliated payment processors) | Payment processing |
| Amazon Web Services (AWS) / Google Cloud Platform (GCP) | Cloud hosting and data storage |

5.2. Notification of Changes. The Processor shall notify the Controller of any intended addition or replacement of Sub-processors at least thirty (30) days before the new Sub-processor begins Processing Personal Data. Notification shall be provided via email to the address on file or through in-platform notice.

5.3. Objection Right. The Controller may object to a new Sub-processor by notifying the Processor in writing within fourteen (14) days of receiving notice. The objection must state reasonable grounds related to data protection. The parties shall discuss the objection in good faith. If no resolution is reached, the Controller may terminate the affected Services without penalty.

5.4. Sub-processor Obligations. The Processor shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set forth in this DPA. The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.


6. Security Measures

6.1. The Processor shall implement and maintain the technical and organizational security measures described in Exhibit B, which include, at a minimum:

  • Encryption in Transit: TLS 1.2 and TLS 1.3 for all data in transit.
  • Encryption at Rest: AES-256 encryption for all stored data.
  • Access Controls: Role-based access control (RBAC), two-factor authentication (2FA) available for all accounts, and minimum 8-character password requirements.
  • Network Security: Firewalls, access control lists (ACLs), and DDoS protection.
  • Monitoring and Logging: Centralized logging with automated alerts for anomalous activity.
  • Backup and Recovery: 7-day backup retention, multi-availability-zone redundancy, and WORM (Write Once Read Many) protection for backup integrity.
  • Tenant Isolation: Logical data separation with unique identifiers per Controller account.
  • Personnel Security: Background checks for personnel with access to Personal Data and annual security awareness training.

6.2. The Processor shall regularly review and update these measures to ensure ongoing effectiveness appropriate to the risk, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of Processing.


7. Data Subject Rights

7.1. Assistance. The Processor shall assist the Controller in responding to Data Subject requests to exercise their rights under Applicable Data Protection Laws, including but not limited to the right of access, rectification, erasure, restriction of Processing, data portability, and objection.

7.2. Direct Requests. If the Processor receives a request from a Data Subject directly, the Processor shall promptly notify the Controller within forty-eight (48) hours and shall not respond to the request without the Controller's prior written instruction, unless required by applicable law.

7.3. Controller Responsibility. The Controller is responsible for verifying the identity of Data Subjects making requests and for determining the appropriate response. The Processor shall provide reasonable cooperation and information to support the Controller's assessment.

7.4. Self-Service Tools. Where the Services include functionality enabling the Controller to access, correct, or delete Personal Data directly (such as CRM record management or contact export features), the Controller shall use these tools as the primary means of fulfilling Data Subject requests.


8. International Data Transfers

8.1. Primary Processing Location. The Processor primarily processes Personal Data within the United States.

8.2. Transfer Safeguards. Where Processing of Personal Data involves a transfer to a jurisdiction outside the United States that does not benefit from an adequacy determination under applicable law, the Processor shall ensure that appropriate safeguards are in place, including but not limited to Standard Contractual Clauses approved by the European Commission.

8.3. Data Privacy Framework. The Processor's primary platform provider, HighLevel Inc. (GoHighLevel), is certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework.

8.4. Supplementary Measures. Upon request, the Processor shall cooperate with the Controller in conducting a transfer impact assessment and implementing supplementary measures as may be reasonably necessary. Standard Contractual Clauses are available upon request by contacting [email protected].


9. Security Incident Notification

9.1. Notification. The Processor shall notify the Controller of a confirmed Security Incident without undue delay and in no event later than seventy-two (72) hours after becoming aware of the incident.

9.2. Content of Notification. The notification shall include, to the extent reasonably available:

  • A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and records concerned;
  • The name and contact details of the Processor's point of contact;
  • A description of the likely consequences of the Security Incident; and
  • A description of the measures taken or proposed to be taken to address the Security Incident, including measures to mitigate its possible adverse effects.

9.3. Cooperation. The Processor shall cooperate with the Controller in investigating and remediating the Security Incident and shall provide reasonable assistance in the Controller's efforts to comply with its own notification obligations under Applicable Data Protection Laws.

9.4. No Admission. Notification of a Security Incident under this Section 9 shall not be construed as an acknowledgment or admission of fault or liability by the Processor.


10. Audit Rights

10.1. Scope. The Controller may audit the Processor's compliance with this DPA no more than once in any twelve (12) month period, unless a Security Incident has occurred or a supervisory authority requires additional audits.

10.2. Notice. The Controller shall provide at least thirty (30) days' advance written notice of an audit, specifying its scope and duration.

10.3. Conduct. Audits shall be conducted during normal business hours, shall not unreasonably interfere with the Processor's operations, and shall be carried out at the Controller's expense.

10.4. Alternative Evidence. The Processor may satisfy audit requests in whole or in part by providing relevant certifications, SOC 2 Type II reports, third-party audit summaries, or other documentation that reasonably demonstrates compliance with the obligations of this DPA.

10.5. Confidentiality. Any information obtained or generated during an audit shall be treated as confidential information of the Processor and shall be used solely for the purpose of verifying compliance with this DPA.


11. Data Retention and Deletion

11.1. Retention Period. The Processor shall retain Personal Data only for the duration of the Agreement and as necessary to fulfill the purposes described in this DPA.

11.2. Post-Termination Export. Upon termination or expiration of the Agreement, the Controller shall have thirty (30) days to export Personal Data from the Services using available export tools or by requesting an export from the Processor.

11.3. Deletion. Following the 30-day export period, the Processor shall delete all Personal Data within ninety (90) days, except where retention is required by applicable law or where data has been irreversibly anonymized and is no longer Personal Data.

11.4. Certification. Upon the Controller's written request, the Processor shall provide written confirmation that Personal Data has been deleted in accordance with this Section 11.


12. CCPA/CPRA Specific Terms

12.1. Service Provider Status. For purposes of the CCPA/CPRA, the Processor acts as a "Service Provider" as defined in Cal. Civ. Code Section 1798.140(ag). The Processor processes Personal Data on behalf of the Controller solely for the business purposes specified in the Agreement and this DPA.

12.2. No Sale or Sharing. The Processor shall not sell or share (as those terms are defined under the CCPA/CPRA) any Personal Data received from the Controller.

12.3. Use Restrictions. The Processor shall not retain, use, or disclose Personal Data for any purpose other than performing the Services specified in the Agreement, or as otherwise permitted under the CCPA/CPRA. The Processor shall not combine Personal Data received from or on behalf of the Controller with Personal Data received from other sources or collected from its own interactions with Data Subjects, except as expressly permitted by the CCPA/CPRA.

12.4. Compliance Certification. The Processor certifies that it understands and will comply with the restrictions set forth in the CCPA/CPRA applicable to Service Providers and the obligations of this Section 12.

12.5. Right to Monitor. The Controller has the right to take reasonable and appropriate steps to ensure that the Processor uses Personal Data in a manner consistent with the Controller's obligations under the CCPA/CPRA.


13. Term and Termination

13.1. Effective Date. This DPA becomes effective upon the Controller's acceptance of the Agreement (Terms of Service) and applies retroactively to any Personal Data processed under the Agreement prior to the Effective Date of this DPA.

13.2. Duration. This DPA shall remain in effect for the duration of the Agreement.

13.3. Survival. The obligations of the Processor regarding data deletion (Section 11), confidentiality (Section 4.2), and any accrued rights or obligations shall survive termination of this DPA and the Agreement.


14. Liability

14.1. Limitations. Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set forth in the Agreement, except as provided in Section 14.2.

14.2. Exclusions. Nothing in this DPA or the Agreement shall limit or exclude either party's liability for:

  • Fraud or fraudulent misrepresentation;
  • Death or personal injury caused by negligence;
  • Willful or intentional breach of the data protection obligations set forth in this DPA; or
  • Any liability that cannot be limited or excluded under applicable law.

15. General Provisions

15.1. Governing Law. This DPA shall be governed by and construed in accordance with the laws of the State of South Carolina, without regard to its conflict of laws principles, except to the extent that Applicable Data Protection Laws require the application of a different law to specific data protection matters.

15.2. Precedence. In the event of any inconsistency or conflict between this DPA and the Agreement with respect to the protection of Personal Data, the terms of this DPA shall prevail.

15.3. Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

15.4. Amendments. The Processor may update this DPA from time to time to reflect changes in Applicable Data Protection Laws, industry practices, or the Services. Material changes will be communicated to the Controller with at least thirty (30) days' notice. Continued use of the Services following notice constitutes acceptance of the updated DPA.

15.5. Entire Agreement. This DPA, together with the Agreement, constitutes the entire agreement between the parties regarding the Processing of Personal Data and supersedes all prior agreements and understandings on the subject matter.

15.6. Contact. Questions or requests regarding this DPA should be directed to:

Digital Inventory Group LLC
317 Ruth Vista Road
Lexington, SC 29073
Phone: (877) 796-7787
Email: [email protected]
Privacy inquiries: [email protected]


Exhibit A: Data Processing Details

| Element | Description |
|---|---|
| Subject Matter | Marketing automation and CRM services provided by Digital Inventory Group LLC |
| Duration of Processing | The term of the service agreement between the Controller and the Processor, plus any post-termination retention period described in Section 11 |
| Nature of Processing | Collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, and destruction |
| Purpose of Processing | To provide CRM, messaging (SMS and email), payment processing, review management, and webchat services to the Controller; to store and manage Controller's contact records; to facilitate communications between the Controller and its Data Subjects; to process transactions on behalf of the Controller |
| Categories of Personal Data | Contact information (name, email address, phone number, mailing address); communication records (SMS, email, and webchat content and metadata); transaction and payment data; behavioral and engagement data (website visits, email opens, link clicks, form submissions); consent and opt-in/opt-out records |
| Categories of Data Subjects | Customers, leads, and prospects of the Controller; employees and staff of the Controller who use the Services |
| Controller Obligations | Ensure lawful basis for Processing; provide accurate privacy notices to Data Subjects; respond to Data Subject requests; comply with Applicable Data Protection Laws |
| Processor Obligations | Process Personal Data in accordance with documented instructions; implement and maintain security measures; assist with Data Subject requests; notify of Security Incidents; engage Sub-processors in compliance with this DPA |

Exhibit B: Technical and Organizational Security Measures

The Processor maintains the following security measures to protect Personal Data processed under this DPA. These measures are subject to ongoing review and improvement.

| Category | Measure |
|---|---|
| Encryption — Transit | TLS 1.2 and TLS 1.3 for all data transmitted between clients, the Services, and third-party integrations |
| Encryption — Rest | AES-256 encryption for all Personal Data stored within the Services, including databases and backup storage |
| Access Control | Role-based access control (RBAC) enforced across all systems; principle of least privilege applied to all personnel and service accounts |
| Authentication | Two-factor authentication (2FA) available for all user accounts; minimum 8-character password requirement with complexity rules; session timeout policies |
| Network Security | Firewalls and access control lists (ACLs) segmenting network zones; DDoS mitigation and protection services; intrusion detection and prevention systems |
| Monitoring and Logging | Centralized logging of access and system events; automated alerting for anomalous or unauthorized activity; regular log review and analysis |
| Backup and Recovery | Automated backups with 7-day retention; multi-availability-zone redundancy; WORM (Write Once Read Many) protection for backup integrity; documented disaster recovery procedures |
| Tenant Isolation | Logical data separation with unique identifiers per Controller account; access controls preventing cross-tenant data access |
| Personnel Security | Background checks for personnel with access to Personal Data; confidentiality agreements; annual security awareness training; access revocation upon role change or termination |
| Vulnerability Management | Regular vulnerability scanning and patching; secure software development practices; third-party penetration testing |
| Incident Response | Documented incident response plan; designated incident response team; post-incident review and remediation procedures |
| Physical Security | Data center physical access controls (managed by cloud infrastructure providers AWS/GCP); environmental controls including fire suppression and climate management |
