Data Processing Addendum (DPA)
Last updated: March 14, 2026
1. Definitions
Controller means the entity that determines the purposes and means of processing personal data (you, the customer).
Processor means the entity that processes personal data on behalf of the Controller (citk).
Data Subject means an identified or identifiable natural person whose personal data is processed.
Personal Data means any information relating to a Data Subject that is processed through the Service.
2. Scope of Processing
citk processes personal data solely as instructed by the Controller to provide the Service. Categories of data processed include:
- Account data (name, email, organization)
- Directory membership and role assignments
- Form submissions and announcement content
- Usage data and audit logs
3. Processor Obligations
citk shall:
- Process personal data only on documented instructions from the Controller
- Ensure that persons authorized to process personal data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Assist the Controller in fulfilling data subject requests
- Delete or return all personal data upon termination of the Service
4. Sub-processors
citk may engage sub-processors to assist in providing the Service. We will notify the Controller before adding or replacing a sub-processor. The current list of sub-processors is available upon request.
5. Data Subject Rights
citk will assist the Controller in responding to Data Subject requests for access, rectification, erasure, portability, and restriction of processing, as required under applicable data protection law.
6. Security Measures
citk implements technical and organizational measures including:
- Encryption of data at rest (AES-256) and in transit (TLS 1.3)
- Role-based access controls and audit logging
- Regular security assessments
- Incident response procedures
7. Data Breach Notification
citk will notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach. Notification will include the nature of the breach, categories and approximate number of data subjects affected, and measures taken to address the breach.
8. Data Deletion & Return
Upon termination of the Service, citk will, at the Controller's election, delete or return all personal data within 30 days. We will certify deletion upon request, unless retention is required by applicable law.
9. Contact
For questions about this DPA or to request the sub-processor list, contact us at legal@citk.com.