1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Optimus Business Plans ("Data Controller", "we", "us", "our") and the customer ("Data Subject", "you", "your") accessing and using our services. This DPA reflects the parties' agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Laws including but not limited to the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).

2. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
• "Sub-processor" means any third party appointed by us to process Personal Data on your behalf.
• "Data Protection Laws" means all applicable laws and regulations relating to data protection and privacy, including GDPR and CCPA.

3. Processing of Personal Data

3.1 Scope and Purpose

We process Personal Data on your behalf for the following purposes:

• Generation of business plans based on questionnaire responses
• Account management and authentication
• Payment processing and billing
• Customer support and communication
• Service improvement and analytics

3.2 Categories of Data

The types of Personal Data processed include:

• Contact information (name, email, phone number)
• Business information (company details, business model, financial projections)
• Account credentials and authentication data
• Payment information (processed by our payment processor)
• Usage data and analytics

4. Sub-processors

We engage the following sub-processors to assist in providing our services:

We will notify you of any changes to our sub-processors by updating this list. You may object to the use of a new sub-processor by notifying us within 30 days of the update.

5. Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of Personal Data in transit and at rest
• Regular security assessments and vulnerability testing
• Access controls and authentication mechanisms
• Regular backups and disaster recovery procedures
• Employee training on data protection and security
• Incident response and breach notification procedures

6. Data Retention and Deletion

We retain Personal Data for the following periods:

• Account Data: Duration of account plus 30 days after deletion
• Business Plans: 5 years from creation or as required by law
• Payment Records: 7 years for tax and accounting purposes
• Support Communications: 2 years from last interaction

Upon termination of services or upon request, we will delete or return all Personal Data and delete existing copies unless retention is required by law.

7. Your Rights

Under Data Protection Laws, you have the following rights:

• Access: Request copies of your Personal Data
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your Personal Data
• Restriction: Request limitation of processing
• Portability: Receive your data in a structured format
• Objection: Object to certain types of processing

To exercise these rights, please contact us at privacy@optimusbusinessplans.com.

8. Data Breach Notification

In the event of a Personal Data breach, we will:

• Notify you without undue delay and within 72 hours of becoming aware of the breach
• Provide details of the nature and scope of the breach
• Communicate the measures taken to address the breach
• Cooperate with you to mitigate any adverse effects
• Document all breaches and remedial actions taken

9. International Data Transfers

Personal Data may be transferred to and processed in countries outside of your jurisdiction. We ensure appropriate safeguards are in place for such transfers, including:

• Standard Contractual Clauses approved by relevant authorities
• Adequacy decisions where applicable
• Other lawful transfer mechanisms under Data Protection Laws

10. Audit Rights

You have the right to audit our compliance with this DPA, subject to:

• Reasonable advance notice (at least 30 days)
• No more than once per calendar year
• Execution of appropriate confidentiality agreements
• Audits conducted during business hours
• You bearing the costs of such audits

11. Liability and Indemnification

Each party's liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Terms of Service. Each party shall indemnify and hold harmless the other party from any losses resulting from its breach of this DPA.