Data Processing Addendum
This page provides a summary of DPCI’s data processing approach for organizations that use DPCI resources or tools with employees, collaborators, leaders or other participants.
When an organization uses DPCI resources in an organizational context, the organization may act as the party determining the purposes and means of processing, while DPCI may act as a service provider or processor/encargado, depending on the applicable arrangement and jurisdiction.
A separate written agreement may be required before using DPCI tools for identifiable participants, employee assessments, multi-rater feedback, leadership diagnostics or organizational reporting.
This page is informational and does not replace a signed or otherwise accepted contractual data processing agreement when required.
Roles and responsibilities
The applicable roles should be defined in the client agreement, including whether the organization acts as controller/responsible party and DPCI acts as service provider or processor/encargado.
Purpose limitation
Personal information should be processed only for agreed corporate training, leadership development, organizational learning or related support purposes.
Confidentiality
Personnel and service providers with access to information should be subject to appropriate confidentiality obligations.
Security measures
Reasonable administrative, technical and organizational measures should be applied to protect information against unauthorized access, loss, misuse or disclosure.
International hosting
Hosting or service providers may be located outside the participant’s country of residence, subject to applicable contractual and operational safeguards.
Subprocessors
Subprocessors should be listed, reviewed and managed according to the applicable service arrangement. See Subprocessors and International Hosting.
Retention and deletion
Retention periods should be configurable or contractually defined when identifiable participant information is processed. See Data Retention and Deletion Policy.
Assistance with user rights
DPCI may assist organizational clients with reasonable requests related to access, correction, deletion, restriction or objection, depending on applicable law and the agreement.
Incident notification
Security incidents involving identifiable information should be communicated according to the timing, process and responsibility rules established in the applicable agreement.
Return or deletion at the end of service
At the end of service, identifiable data should be returned, deleted or anonymized according to the applicable contract, legal requirements and operational constraints.