Data Processing Agreement

Last Updated: February 2025

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement or other written or electronic agreement between Administr LLC. ("Administr," "we," "us," "Processor") and the entity identified as the customer ("Customer," "you," "Controller") for the provision of the Administr platform and services (the "Agreement"). This DPA reflects the parties' agreement with respect to the Processing of Personal Data.

1. Definitions

For purposes of this DPA, the following definitions apply:

  • "Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including the GDPR, CCPA, and other applicable privacy laws.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.
  • "CCPA" means the California Consumer Privacy Act of 2018, as amended by the CPRA.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Administr on behalf of the Customer.
  • "Processing" means any operation performed on Personal Data, such as collection, recording, storage, retrieval, use, disclosure, or deletion.
  • "Sub-processor" means any third party engaged by Administr to process Personal Data on behalf of the Customer.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

2. Scope and Roles

This DPA applies to the Processing of Personal Data by Administr on behalf of the Customer in connection with the Agreement.

  • The Customer acts as the Controller of Personal Data.
  • Administr acts as the Processor of Personal Data.
  • The subject matter, duration, nature, and purpose of Processing, as well as the types of Personal Data and categories of Data Subjects, are described in Annex 1.

3. Customer Obligations

The Customer represents and warrants that: (a) it has obtained all necessary consents and authorizations for the Processing of Personal Data; (b) it will comply with all applicable Data Protection Laws; (c) its instructions to Administr will comply with applicable laws; and (d) it has provided appropriate notices to Data Subjects regarding the Processing of their Personal Data.

4. Administr Obligations

Administr agrees to:

  • Process Personal Data only on documented instructions from the Customer, unless required by applicable law.
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures.
  • Assist the Customer in responding to Data Subject requests.
  • Assist the Customer in ensuring compliance with security, breach notification, and data protection impact assessment obligations.
  • Delete or return all Personal Data upon termination of the Agreement, unless retention is required by law.
  • Make available all information necessary to demonstrate compliance with this DPA.

5. Security Measures

Administr implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption of Personal Data in transit and at rest.
  • Access controls and authentication mechanisms.
  • Regular security assessments and vulnerability testing.
  • Incident response and breach notification procedures.
  • Employee security training and awareness programs.
  • Physical security measures for data center facilities.

6. Sub-processors

The Customer authorizes Administr to engage Sub-processors to process Personal Data. Administr will:

  • Maintain a list of current Sub-processors available upon request.
  • Notify the Customer of any intended changes to Sub-processors.
  • Enter into written agreements with Sub-processors imposing data protection obligations substantially similar to this DPA.
  • Remain liable for the acts and omissions of its Sub-processors.

7. Data Transfers

Administr may transfer Personal Data to countries outside the European Economic Area ("EEA") only where appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, or where the transfer is to a country with an adequacy decision. Upon request, Administr will provide information about the safeguards in place for international transfers.

8. Data Subject Rights

Administr will assist the Customer in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection. Administr will promptly notify the Customer of any request received directly from a Data Subject.

9. Data Breach Notification

Administr will notify the Customer without undue delay upon becoming aware of a Personal Data breach. The notification will include, to the extent known: (a) the nature of the breach; (b) the categories and approximate number of Data Subjects affected; (c) the likely consequences of the breach; and (d) measures taken or proposed to address the breach.

10. Audits

Administr will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. Upon reasonable notice, Administr will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, provided such audits are conducted during normal business hours and do not unreasonably disrupt Administr's operations.

11. Term and Termination

This DPA will remain in effect for the duration of the Agreement. Upon termination of the Agreement, Administr will, at the Customer's election, delete or return all Personal Data and delete existing copies unless applicable law requires retention. Administr will certify in writing that it has complied with this provision upon request.

12. Contact Information

For questions regarding this DPA, please contact:

Administr LLC.
Attn: Data Protection Officer
Email: privacy@administr.com

Annex 1: Details of Processing

Subject Matter

Provision of the Administr benefits administration and agency management platform.

Duration

For the term of the Agreement plus any retention period required by law.

Nature and Purpose of Processing

Processing is necessary to provide the services, including benefits enrollment, employee management, commission tracking, and related functionality.

Types of Personal Data

  • Contact information (name, email, phone, address)
  • Employment information (employer, job title, compensation)
  • Benefits enrollment data
  • Dependent information
  • Financial information for premium calculations
  • Communication records

Categories of Data Subjects

  • Customer employees and administrators
  • Employees of Customer's clients
  • Dependents and beneficiaries
  • Prospects and leads