Version: 1.0
1. PURPOSE AND SCOPE
1.1 Purpose
This Data Processing Agreement ("DPA") forms part of and is supplemental to the Terms of Service available at https://www.7taps.com/legal/terms-of-service between 7TAPS OPCO, LLC ("7taps," "Processor") and the Customer ("Controller") and establishes the terms under which 7taps will process Personal Data on behalf of Customer in compliance with applicable Data Protection Laws, including the EU General Data Protection Regulation (EU) 2016/679 ("EU GDPR"), UK General Data Protection Regulation ("UK GDPR"), and California Consumer Privacy Act ("CCPA").
1.2 Scope of Application
This DPA applies to all processing of Personal Data by 7taps as Processor on behalf of Customer as Controller in connection with the Services provided under the Terms of Service.
1.3 Hierarchy of Agreement Terms
In case of conflict between the terms of this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.
2. DEFINITIONS
"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
"Anonymized Data" means data that has been processed in such a manner that it can no longer be attributed to an identified or identifiable natural person without use of additional information, where such additional information is kept separately and subject to technical and organizational measures.
"Controller" means the natural or legal person which determines the purposes and means of the processing of Personal Data.
"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including without limitation the EU GDPR, UK GDPR, California Consumer Privacy Act (CCPA), and any successor legislation.
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by 7taps on behalf of Customer pursuant to the Terms of Service.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Processor" means a natural or legal person which processes Personal Data on behalf of the Controller.
"Standard Contractual Clauses" means the standard contractual clauses for international transfers adopted by the European Commission.
"Sub-processor" means any Processor engaged by 7taps to process Personal Data on behalf of Customer.
"Terms of Service" or "Terms" means the 7taps Terms of Service governing Customer's use of the Services.
3. DATA PROCESSING DETAILS
3.1 Categories of Data Subjects
User Data Subjects: Individuals who create 7taps courses (instructors, content creators, Authorized Users)
Learner Data Subjects: Individuals who take 7taps courses (students, trainees, end-users)
Administrative Contacts: Customer employees or representatives with account access
3.2 Categories of Personal Data
Identity Data: Names, usernames, email addresses
Contact Information: Email addresses, phone numbers (if provided)
Learning Data: Course progress, completion status, assessment results, learning preferences, quiz responses
Learner Submissions: Content, responses, feedback, and data submitted by Learners through interactive course features (submit cards, surveys, assessments, polls)
Usage Data: Platform interaction data, login timestamps, IP addresses, session information
Technical Data: Device information, browser type, cookies and similar tracking technologies
3.3 Processing Operations
Collection: Gathering Personal Data through platform registration and usage
Recording: Storing Personal Data in secure databases and systems
Organization: Structuring and categorizing Personal Data for service delivery
Structuring: Organizing Personal Data for efficient retrieval and processing
Storage: Maintaining Personal Data in encrypted, secure cloud infrastructure
Adaptation/Alteration: Modifying Personal Data based on user inputs or system requirements
Retrieval: Accessing Personal Data for service delivery and support
Consultation: Reviewing Personal Data for troubleshooting and customer support
Use: Processing Personal Data to deliver microlearning services
Disclosure: Sharing Personal Data with authorized Sub-processors as detailed herein
Dissemination: Making Personal Data available to authorized users within Customer's organization
Alignment/Combination: Integrating Personal Data from multiple sources for comprehensive service delivery
Restriction: Limiting processing based on Customer instructions or Data Subject requests
Erasure: Deleting Personal Data upon Customer instruction or contract termination
Destruction: Permanently removing Personal Data from all systems and backups
3.4 Purpose of Processing
7taps processes Personal Data solely to:
Provide microlearning platform services as specified in the Terms of Service
Maintain platform security and integrity
Provide customer support and technical assistance
Ensure compliance with legal and regulatory requirements
Generate anonymized analytics for service improvement (with Customer consent)
3.5 Data Retention Period
Personal Data will be retained as follows:
During Active Service:
Personal Data is retained for the duration of Customer's use of the Services
After Subscription Ends (Downgrade to Free Edition):
Personal Data remains accessible to Customer for up to twenty-four (24) months from last account activity
This allows Customer to reactivate and retain access to their data
After Account Termination or Deletion Request:
Production Systems: Personal Data deleted within ninety (90) days
Backup Systems: Personal Data deleted within thirty (30) days of production deletion
Legal Hold Exception:
7taps may retain Personal Data longer if required by applicable law, ongoing legal proceedings, or regulatory investigation. Customer will be notified of any such retention with explanation of legal basis.
3.6 Customer-Initiated Deletion Rights
Customer may request deletion of Personal Data at any time by:
Submitting a deletion request to support@7taps.com
Providing account identification and scope of deletion requested
Confirming deletion authority on behalf of Data Subjects
Upon receiving a valid deletion request:
7taps will commence deletion within three (3) business days
Deletion will follow the timeline specified in Section 3.5
7taps will provide deletion confirmation upon request
This right exists regardless of subscription status (Paid Plan, Free Edition, or inactive account).
4. PROCESSOR OBLIGATIONS
4.1 Processing Instructions
7taps shall:
Process Personal Data only on documented instructions from Customer, including regarding international transfers
Immediately inform Customer if instructions violate applicable Data Protection Laws
Not process Personal Data for any purpose other than providing the Services
Maintain a record of processing activities as required under GDPR Article 30(2)
4.2 Confidentiality
7taps ensures that persons authorized to process Personal Data:
Are subject to confidentiality obligations through employment contracts or NDAs
Receive appropriate data protection training
Access Personal Data only as necessary for service delivery
4.3 Technical and Organizational Measures
7taps implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Access Controls:
Multi-factor authentication for all system access
Role-based access controls with principle of least privilege
Regular access reviews and prompt deactivation of unused accounts
Data Security:
Encryption of Personal Data at rest using AES-256 or equivalent
Encryption of Personal Data in transit using TLS 1.2 or higher
Secure key management with separation of duties
Infrastructure Security:
24/7 security monitoring and alerting
Regular vulnerability assessments and penetration testing
Secure development lifecycle practices
Physical security controls at data center facilities
Operational Security:
Incident response procedures with 72-hour notification timeline
Business continuity and disaster recovery planning
Regular backup testing and validation
Change management controls for system modifications
4.4 Compliance Certifications
7taps maintains the following certifications demonstrating compliance with security standards:
SOC 2 Type 2 (Security, Availability, Confidentiality criteria)
ISO 27001:2022 Information Security Management System
Upon request, 7taps will provide Customer with copies of current audit reports and certifications, subject to confidentiality obligations.
5. SUB-PROCESSING
5.1 General Authorization
Customer provides general written authorization for 7taps to engage Sub-processors, subject to the conditions set forth in this section.
5.2 Current Sub-processors
7taps currently uses the following categories of Sub-processors:
Cloud Infrastructure: Amazon Web Services (AWS) - hosting and infrastructure services
Support Tools: Intercom - customer support and communication tools
Payment Processing: Stripe - collecting payments from customers
Course Delivery: Twilio, Inc. and SendGrid, Inc. - delivering training to customers
Importing Learners: Merge, Inc. - importing learners from HRMS platforms
AI Services: Multiple providers for AI-powered content generation (may process personal data contained in Customer's AI inputs)
A current list of Sub-processors is available at https://help.7taps.com/en/articles/12187041-third-party-service-providers-subprocessors and will be updated as changes occur.
5.3 Sub-processor Requirements
7taps ensures that:
Sub-processors are bound by data protection obligations equivalent to those in this DPA
Sub-processors implement appropriate technical and organizational measures
7taps remains fully liable for Sub-processor performance
Customer may object to Sub-processor changes with 30 days' written notice
5.4 Sub-processor Changes
7taps will:
Provide 30 days' notice of Sub-processor changes via email and service notifications
Allow Customer to object to changes on reasonable data protection grounds
Work with Customer to implement reasonable alternative arrangements if Customer objects
5.5 AI Sub-Processors and Personal Data
Customer acknowledges that when using AI Tools within the Services:
Customer inputs (including any personal data contained therein) are processed by AI Sub-processors
AI Sub-processors operate under enterprise agreements that prohibit use of Customer inputs for model training
AI Sub-processors do not retain Customer inputs beyond the time necessary to generate outputs
Full details available in 7taps AI Terms at https://help.7taps.com/en/articles/6959985-7taps-ai-terms
6. DATA SUBJECT RIGHTS
6.1 Assistance with Data Subject Requests
7taps will assist Customer in fulfilling Data Subject rights requests by:
Providing commercially reasonable assistance to identify relevant Personal Data
Implementing technical measures to enable Data Subject rights (where technically feasible)
Forwarding Data Subject requests received directly to Customer within 48 hours
Cooperating with Customer's response efforts within reasonable timeframes
6.2 Technical Measures for Rights
The 7taps platform includes technical capabilities to support:
Access Rights: User dashboards showing personal data and learning progress
Rectification Rights: User profile editing capabilities
Portability Rights: Data export functionality in structured formats (JSON, CSV)
Erasure Rights: Account deletion with confirmation of data removal
6.3 Response Timeline
7taps will provide assistance within:
Urgent requests: 48 hours (e.g., data breaches, legal orders)
Standard requests: 10 business days
Complex requests: 20 business days (with progress updates every 5 business days)
7. PERSONAL DATA BREACHES
7.1 Breach Notification
7taps shall:
Notify Customer without undue delay and within 72 hours of becoming aware of a Personal Data Breach, or such shorter period as required by applicable law
Provide written notification including:
Nature of the breach and categories of Data Subjects affected
Likely consequences of the breach
Measures taken or proposed to address the breach
Contact details for further information
7.2 Breach Investigation
7taps will:
Conduct immediate investigation upon breach discovery
Implement containment measures to prevent further unauthorized access
Preserve evidence for regulatory reporting and legal proceedings
Provide updates to Customer during investigation as reasonably requested
7.3 Customer Cooperation
7taps will reasonably cooperate with Customer's:
Regulatory breach notifications (within 72 hours to supervisory authorities)
Communications to affected Data Subjects
Internal breach response procedures
Legal counsel and regulatory interactions
8. DATA PROTECTION IMPACT ASSESSMENTS AND AUDITS
8.1 Impact Assessment Assistance
7taps will provide reasonably requested information to assist Customer with:
Data Protection Impact Assessments (DPIAs) under GDPR Article 35
Prior consultations with supervisory authorities
Privacy risk assessments and mitigation planning
8.2 Audit Rights
Customer may:
Annual Audit: Conduct one comprehensive audit per year at Customer's expense
Certification Review: Request copies of current SOC 2 and ISO 27001 reports
Incident Audits: Request additional audits following security incidents
Regulatory Audits: Include 7taps in regulatory audit scope with reasonable notice
8.3 Audit Procedures
Audits shall be conducted:
With 30 days' advance written notice (except emergency/incident audits)
During business hours with minimal service disruption
Subject to confidentiality obligations and reasonable security procedures
At Customer's cost unless material non-compliance is discovered
9. INTERNATIONAL DATA TRANSFERS
9.1 Transfer Mechanisms
For transfers of Personal Data outside the European Economic Area (EEA), 7taps relies on:
Adequacy Decisions: Transfers to countries with European Commission adequacy decisions
Standard Contractual Clauses: EU-adopted SCCs for transfers to non-adequate countries
Supplementary Measures: Additional technical measures as required by regulatory guidance
9.2 Current Transfer Locations
Personal Data may be transferred to and processed in:
United States: AWS US-East (Ohio) region - primary hosting location
Backup Locations: Encrypted backups in AWS regions with adequate protection
9.3 Transfer Safeguards
For transfers to non-adequate countries, 7taps implements:
Encryption in transit and at rest using strong cryptographic standards
Access controls limiting personnel access based on business necessity
Contractual obligations requiring sub-processors to implement equivalent protections
Regular monitoring and assessment of transfer adequacy
10. DATA RETURN AND DELETION
10.1 Data Return Options
Upon Customer request or contract termination, 7taps will:
Data Export: Provide Personal Data in structured, commonly used, machine-readable format
Secure Transfer: Deliver exported data via encrypted channels
Format Options: Commonly used, machine-readable format (such as JSON, CSV, or similar) as determined by 7taps based on the type of data being exported
Timeline: Complete data return within 30 days of valid request
10.2 Data Deletion
Following data return (or if return is not requested):
Production Systems: Delete all Personal Data within 90 days
Backup Systems: Delete all Personal Data from backups within 30 days of production deletion
Certification: Provide written certification of deletion upon Customer request
10.3 Legal Preservation
7taps may retain Personal Data longer if required by:
Applicable law or regulation
Ongoing legal proceedings or disputes
Regulatory investigation or enforcement action
Customer will be notified of any such retention with explanation of legal basis.
11. LIABILITY AND REMEDIES
11.1 Limitation of Liability
Each party's liability for damages relating to this DPA shall be subject to the limitation of liability provisions in the Terms of Service, except that:
Such limitations shall not apply to violation of confidentiality obligations
Such limitations shall not apply to indemnification obligations under this DPA
Such limitations shall not limit liability for gross negligence or willful misconduct
11.2 Data Protection Indemnification
7taps will indemnify Customer against third-party claims arising from:
7taps' material breach of this DPA or applicable Data Protection Laws
7taps' failure to implement adequate technical and organizational measures
Exclusions: Customer's processing instructions, unauthorized access not due to 7taps' negligence, or Customer's failure to implement reasonable security measures.
11.3 Regulatory Fines and Penalties
Controller Fines: Customer responsible for fines related to its processing determinations
Processor Fines: 7taps responsible for fines related to its processing activities
Joint Liability: Shared responsibility for fines resulting from joint actions or decisions
12. TERM AND TERMINATION
12.1 Term
This DPA shall commence on the effective date and remain in effect for the duration of the Terms of Service or until all Personal Data is deleted or returned, whichever is later.
12.2 Survival
The following provisions shall survive termination:
Data return and deletion obligations (Section 10)
Confidentiality obligations (Section 4.2)
Indemnification obligations (Section 11.2)
Limitation of liability (Section 11.1)
12.3 Effect of Termination
Upon termination:
7taps shall cease all processing activities except as necessary for data return/deletion
All Sub-processor agreements relating to Personal Data shall be terminated
Confidentiality obligations shall continue indefinitely
13. GENERAL PROVISIONS
13.1 Amendment
This DPA may only be amended by written agreement signed by both parties, except for:
Updates to Sub-processor lists (Section 5.2)
Technical and organizational measures improvements (Section 4.3)
Regulatory compliance updates required by law
13.2 Severability
If any provision of this DPA is held invalid or unenforceable, the remainder shall continue in full force and effect, and the parties shall negotiate a replacement provision that achieves the same objective.
13.3 Governing Law
This DPA shall be governed by the same laws as specified in the Terms of Service, provided that Data Protection Laws shall apply to data protection matters regardless of choice of law.
13.4 Dispute Resolution
Disputes relating to this DPA shall be resolved according to the dispute resolution procedures in the Terms of Service, except that:
Data Subject complaints may be escalated directly to supervisory authorities
Emergency data protection matters may require immediate court intervention
Regulatory investigations take precedence over contractual dispute procedures
13.5 Contact Information
Customer Data Protection Officer/Contact:
[Customer to provide contact details]
7taps Data Protection Contact:
Email: security@7taps.com
Address: ATTN: 7taps
700 S Rosemary Ave, Suite 204
West Palm Beach, FL 33401
Phone: +1 954-281-9775
APPENDIX A: STANDARD CONTRACTUAL CLAUSES
[This section would incorporate the EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 for international transfers. The full text would be attached as a separate appendix due to length.]
Module Selection
For the purposes of international data transfers under this DPA:
Module Two: Controller to Processor transfers (Customer to 7taps)
Module Three: Processor to Processor transfers (7taps to Sub-processors)
Key Variations
Governing Law: As specified in the Terms of Service
Competent Courts: As specified in the Terms of Service
Technical and Organizational Measures: As detailed in Section 4.3 of this DPA and Appendix B
APPENDIX B: TECHNICAL AND ORGANIZATIONAL MEASURES
B.1 Access Control Measures
Multi-factor authentication for all system access
Role-based access control (RBAC) with principle of least privilege
Regular access reviews and certification processes
Automated deactivation of inactive accounts
Privileged access management for administrative functions
B.2 Data Security Measures
AES-256 encryption for data at rest
TLS 1.2+ encryption for data in transit
Hardware Security Modules (HSMs) for key management
Database activity monitoring and anomaly detection
Data loss prevention (DLP) tools and policies
B.3 Infrastructure Security
24/7 Security Operations Center (SOC) monitoring
Intrusion detection and prevention systems
Vulnerability management and patch management
Network segmentation and micro-segmentation
Regular penetration testing by third-party security firms (at least annually)
B.4 Application Security
Secure Software Development Lifecycle (SSDLC)
Static and dynamic application security testing
Dependency scanning for third-party components
Code review requirements for production deployments
Web Application Firewall (WAF) protection
B.5 Physical and Environmental Security
Biometric access controls to data centers
24/7 physical security monitoring
Environmental controls (temperature, humidity, fire suppression)
Redundant power and network connectivity
Secure hardware disposal procedures
B.6 Operational Security
Documented incident response team and procedures
Business continuity and disaster recovery plans
Change management and configuration control
Regular backup testing and validation
Security awareness training for all personnel
B.7 Compliance and Audit
SOC 2 Type 2 certification (annual audit)
ISO 27001:2022 certification (annual surveillance audit)
Regular internal security assessments
Third-party penetration testing (at least annually)
Vulnerability disclosure program
Document Control:
Version: 1.0
Effective Date: October 13, 2025
Last Updated: October 13, 2025
Next Review Date: October 12, 2026
Approved By: Ezra Charm, COO
Distribution: Legal, Security, Operations, Customer Success