Data Processing Addendum
Last Updated: October 7, 2025
This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Terms of Service (“Agreement”) between Monarch Software Solutions (“EditSync,” “Processor”) and you (“Customer,” “Controller”).
This DPA applies where and to the extent that EditSync processes Customer Personal Data that is subject to Data Protection Laws. This DPA will be effective and replace any previously applicable data processing and security terms as of the Agreement effective date.
1. Definitions
- “Controller” means the entity that determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, the Customer is the Controller.
- “Data Protection Laws” means all applicable data protection and privacy laws, including the GDPR and the CCPA/CPRA.
- “GDPR” means the General Data Protection Regulation (EU) 2016/679.
- “Personal Data” means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller in the performance of the Service.
- “Processor” means the entity that processes Personal Data on behalf of the Controller. For the purposes of this DPA, EditSync is the Processor.
- “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- “Service” means the project workflow services provided by EditSync pursuant to the Agreement.
- “Sub-processor” means any third-party processor engaged by EditSync to process Personal Data.
2. Roles and Scope of Processing
2.1. Roles. The parties acknowledge that for the purposes of the Data Protection Laws, the Customer is the Controller and EditSync is the Processor of Customer Personal Data processed to provide the Service. EditSync acts as a Controller for its own account and operational data as detailed in our Privacy Policy.
2.2. Details of Processing. The subject matter, nature, purpose, and duration of the processing, as well as the types of Personal Data and categories of data subjects, are described in Appendix C to this DPA.
2.3. Controller’s Instructions. Processor will process Personal Data only in accordance with Controller’s documented instructions, including as set forth in the Agreement, this DPA, and through Customer’s use of the Service. Processor will immediately inform Controller if, in its opinion, an instruction infringes applicable Data Protection Laws.
3. Security and Confidentiality
3.1. Security Measures. Processor will implement and maintain appropriate technical and organizational security measures to protect Personal Data against Security Incidents. Such measures are detailed in Appendix A.
3.2. Confidentiality. Processor shall ensure that its personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3. Security Incidents. Upon becoming aware of a Security Incident, Processor will notify Controller without undue delay and provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Controller to allow Controller to meet its data breach notification obligations under Data Protection Laws.
4. Sub-processing
4.1. Authorization. Controller provides a general authorization for Processor to engage Sub-processors to provide the Service. A current list of Sub-processors is maintained on our public Subprocessor List page, which is referenced in Appendix B.
4.2. Obligations. Processor will enter into a written agreement with each Sub-processor containing data protection obligations no less protective than those in this DPA. Processor shall remain liable for all acts or omissions of its Sub-processors.
4.3. New Sub-processors. Processor will provide Controller with at least thirty (30) days' prior notice of any new Sub-processor engagement, thereby giving Controller the opportunity to object. If Controller has a reasonable objection, the parties will work in good faith to resolve it. If it cannot be resolved, Controller may terminate the applicable portion of the Service.
5. Data Subject Rights
Processor will, to the extent legally permitted, provide reasonable assistance to Controller to respond to requests from data subjects to exercise their rights under Data Protection Laws (e.g., access, rectification, erasure). Controller is responsible for validating and responding to such requests. If Processor receives a request directly from a data subject, it will promptly notify Controller.
6. International Transfers
For transfers of Personal Data from the European Economic Area (EEA), the UK, or Switzerland to a country that does not ensure an adequate level of protection, the parties agree that such transfers will be governed by the standard contractual clauses approved by the European Commission (“SCCs”), which are deemed incorporated into this DPA.
7. Deletion and Return of Data
Upon termination of the Agreement, Processor will delete all Personal Data in its possession in accordance with the data retention periods specified in the Privacy Policy, unless applicable law requires storage of the Personal Data.
8. General Provisions
This DPA is governed by the laws of the State of California, and any disputes will be resolved in accordance with the dispute resolution mechanism in the Agreement. In the event of a conflict between this DPA and the Agreement, the terms of this DPA shall prevail with regard to data processing matters.
Appendix A: Technical and Organizational Security Measures
Processor implements the following measures to ensure a level of security appropriate to the risk:
- Access Control: Access to systems is restricted to authorized personnel. Authentication is required for access to systems processing Personal Data.
- Encryption: Data is encrypted in transit using HTTPS (TLS). Sensitive data, such as OAuth tokens and 2FA secrets, are encrypted at rest.
- Data Minimization: Processor collects and processes only the Personal Data necessary to provide the Service.
- Resilience: Systems are designed for resilience and availability, with regular backups maintained.
- Logging and Monitoring: Security and access logs are maintained to detect and respond to potential security issues.
- Software Security: Processor uses input sanitization (e.g., Bleach) to mitigate cross-site scripting (XSS) risks and implements CSRF protection.
- Password Security: User passwords are not stored in plaintext. They are stored as strong, salted, one-way hashes using modern, industry-standard algorithms.
Appendix B: Sub-processors
A current list of all Sub-processors engaged by EditSync is maintained on our public Subprocessor List page, which can be viewed here: /subprocessors.
Appendix C: Details of Processing
| Subject Matter | The provision of project management and workflow automation services as described in the Agreement. |
|---|---|
| Duration of Processing | For the term of the Agreement, and until deletion of all Personal Data as described in the Privacy Policy. |
| Nature and Purpose of Processing | To provide, secure, and improve the Service, including user authentication, project management, team collaboration, client communication via integrations, and customer support. |
| Categories of Data Subjects | |
| Types of Personal Data | |