Last updated: July 6, 2026 · Version 2.0
Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the agreement between SOCSimulator LLC and its business or enterprise customers and governs the processing of personal data that SOCSimulator LLC carries out on the customer's behalf when the customer uses the SOCSimulator service for its organization.
Table of Contents
- Introduction & Roles
- Definitions
- Subject-Matter & Duration
- Nature & Purpose of Processing
- Categories of Data Subjects & Personal Data
- Processor Obligations
- Security
- Sub-Processing
- Assistance to the Controller
- International Transfers
- Return & Deletion on Termination
- Audits & Information
- Liability
- Annex I — Processing Details
- Annex II — Technical & Organizational Measures
- Annex III — Approved Sub-Processors
1. Introduction & Roles
This DPA applies where SOCSimulator LLC processes personal data on behalf of a customer that is an organization or enterprise (the "Customer") in the course of providing the SOCSimulator service, including its skills-assessment features for the Customer's candidates or employees.
For the personal data covered by this DPA, the roles of the parties are as follows:
- Customer acts as the data controller. The Customer determines the purposes and means of the processing and is responsible for providing the candidate- or employee-facing privacy notice and, where applicable, the data protection officer (DPO) contact for the individuals it invites to the service.
- SOCSimulator LLC acts as the data processor. SOCSimulator LLC processes personal data only on the Customer's documented instructions and does not determine the purposes of the processing.
Where SOCSimulator LLC processes personal data of its own direct consumer users for its own purposes, it acts as a controller; that processing is described in our Privacy Policy and is outside the scope of this DPA.
Governing law:This DPA is governed by the laws of the State of Wyoming, United States, without regard to its conflict of law rules, consistent with the agreement between the parties for the Services (the Terms of Service or, for enterprise customers, the applicable Order Form) (the “Principal Agreement”).
2. Definitions
Capitalized terms not defined here have the meaning given in the Principal Agreement. For the purposes of this DPA:
- "Data Protection Laws"means all laws applicable to the processing of personal data under this DPA, including the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, and applicable U.S. state privacy laws.
- "Personal Data" means any information relating to an identified or identifiable natural person that SOCSimulator LLC processes on behalf of the Customer under the Principal Agreement.
- "Processing", "Controller", "Processor", "Data Subject", "Sub-Processor", and "Supervisory Authority" have the meanings given in the GDPR.
- "Standard Contractual Clauses" (SCCs) means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission.
3. Subject-Matter & Duration
The subject-matter of the processing is the provision of the SOCSimulator service to the Customer under the Principal Agreement, including the delivery of training and skills-assessment features to the individuals the Customer invites.
The duration of the processing is the term of the Principal Agreement, plus any additional period during which SOCSimulator LLC is required to retain personal data to comply with a legal obligation or as instructed by the Customer, after which the personal data is returned or deleted in accordance with Section 11.
4. Nature & Purpose of Processing
SOCSimulator LLC processes personal data for the sole purpose of providing, maintaining, securing, and supporting the SOCSimulator service on the Customer's behalf, and for no other purpose. This includes:
- Creating and managing accounts for individuals the Customer invites;
- Delivering training scenarios and recording progress, scores, and completion of assessments;
- Making assessment results available to the Customer through reporting and dashboards;
- Providing technical support and maintaining the security and integrity of the service.
SOCSimulator LLC does not sell personal data and does not use personal data processed under this DPA to build profiles for advertising or for any purpose unrelated to providing the service.
5. Categories of Data Subjects & Personal Data
The categories of data subjects and personal data are set out in Annex I. In summary:
- Data subjects:the Customer's candidates, employees, contractors, and authorized administrators who use the service.
- Personal data: identification and contact data (name, email address), account and profile data, and training/assessment activity data (scenarios attempted, scores, progress, time spent). SOCSimulator LLC does not require or process special categories of personal data for this purpose, and does not perform biometric identity verification in v1 of the assessments feature.
6. Processor Obligations
In accordance with Article 28(3) of the GDPR, SOCSimulator LLC, as processor, undertakes to:
- Documented instructions.Process personal data only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law; in that case, SOCSimulator LLC will inform the Customer of the legal requirement before processing, unless the law prohibits such notice.
- Confidentiality. Ensure that persons authorized to process the personal data are bound by an obligation of confidentiality.
- Security. Implement the technical and organizational measures described in Section 7 and Annex II.
- Sub-processors. Respect the conditions in Section 8 for engaging sub-processors.
- Assistance. Assist the Customer as described in Section 9.
- Return or deletion. Return or delete personal data on termination as described in Section 11.
- Information & audits. Make available the information and audit rights described in Section 12.
SOCSimulator LLC will notify the Customer without undue delay if, in its opinion, an instruction infringes applicable Data Protection Laws.
7. Security
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to data subjects, SOCSimulator LLC implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures are described in Annex II and include, at minimum, encryption of personal data in transit and at rest, measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems, and the ability to restore availability and access to personal data in a timely manner.
8. Sub-Processing
The Customer provides a general authorization for SOCSimulator LLC to engage sub-processors to process personal data, subject to the conditions in this Section. The current list of approved sub-processors is published and kept up to date at socsimulator.com/subprocessors (see also Annex III).
Where SOCSimulator LLC engages a sub-processor, it will impose on that sub-processor, by written contract, data protection obligations that are no less protective than those set out in this DPA, and it remains fully liable to the Customer for the performance of the sub-processor's obligations.
SOCSimulator LLC will notify the Customer at least 30 days before adding or replacing a sub-processor, giving the Customer the opportunity to object on reasonable data protection grounds within that period. If the parties cannot resolve a legitimate objection, the Customer may terminate the affected portion of the service in accordance with the Principal Agreement.
9. Assistance to the Controller
Taking into account the nature of the processing and the information available to it, SOCSimulator LLC will assist the Customer with the following:
Data-Subject Requests
SOCSimulator LLC will provide reasonable assistance, by appropriate technical and organizational measures, to enable the Customer to respond to requests from data subjects exercising their rights under Data Protection Laws (access, rectification, erasure, restriction, portability, and objection). If SOCSimulator LLC receives such a request directly, it will promptly forward it to the Customer and will not respond to it itself except on the Customer's instructions or as required by law.
Data Protection Impact Assessments
SOCSimulator LLC will provide reasonable assistance to the Customer with data protection impact assessments (DPIAs) and any prior consultation with a supervisory authority, where required under Articles 35 and 36 of the GDPR and relating to the Customer's use of the service.
Breach Notification
SOCSimulator LLC will notify the Customer without undue delay after becoming aware of a personal data breach affecting personal data processed under this DPA, and will provide the Customer with the information reasonably necessary to enable the Customer to meet its own breach-notification obligations to supervisory authorities and affected data subjects.
10. International Transfers
SOCSimulator LLC is based in the United States and may process personal data in the United States and in other jurisdictions where its sub-processors operate (see Annex III).
Where SOCSimulator LLC processes personal data subject to EU/UK data-protection law and transfers it outside the EEA/UK to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) and, for UK data, the UK International Data Transfer Addendum, completed with the details in the Annexes. SOCSimulator LLC will implement any supplementary measures reasonably necessary to ensure an adequate level of protection and, where possible, uses sub-processors that offer EU-based processing (for example, the Supabase EU region).
To the extent the SCCs apply, they govern the transfers they cover and prevail over any conflicting term of this DPA (including governing law) as to those transfers.
11. Return & Deletion on Termination
On termination or expiry of the Principal Agreement, SOCSimulator LLC will, at the Customer's choice, return or delete all personal data processed on the Customer's behalf, and delete existing copies, unless applicable law requires continued storage. SOCSimulator LLC will carry out such return or deletion within a reasonable period after termination and, on request, will confirm in writing that it has done so. Personal data retained to comply with a legal obligation will be isolated and protected from further processing until deletion is permitted.
12. Audits & Information
SOCSimulator LLC will make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations in Article 28 of the GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
To minimize disruption, the Customer will give reasonable prior notice, audits will take place during normal business hours no more than once per year (unless required following a personal data breach or by a supervisory authority), and the parties will agree on the scope in advance. Where available, SOCSimulator LLC may satisfy an audit request by providing existing third-party audit reports or security documentation.
13. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement. Nothing in this DPA limits any liability that cannot be limited or excluded under applicable Data Protection Laws.
14. Annex I — Processing Details
This Annex describes the processing carried out by SOCSimulator LLC as processor on behalf of the Customer, in particular for the skills-assessment feature.
| Item | Detail |
|---|---|
| Controller | The Customer (organization / employer) |
| Processor | SOCSimulator LLC |
| Categories of data subjects | Candidates, employees, contractors, and administrators invited by the Customer |
| Categories of personal data | Name, email address, account and profile data, training/assessment activity (scenarios, scores, progress, time spent) |
| Special categories | None processed for this purpose |
| Nature & purpose | Delivering training and skills assessments and reporting results to the Customer |
| Duration | Term of the Principal Agreement (see Section 3) |
Assessments feature — controller responsibilities
For the assessments feature, the Customer (employer) is the controller and is responsible for providing the candidate-facing privacy notice and the data protection officer (DPO) contact to the individuals it invites, and for establishing a lawful basis for inviting them. SOCSimulator LLC does not perform biometric identity verification in v1 of the assessments feature.
15. Annex II — Technical & Organizational Measures
SOCSimulator LLC maintains the following technical and organizational measures in accordance with Article 32 of the GDPR:
Technical Measures
- Encryption in transit (TLS) and at rest, provided by our infrastructure providers (Supabase, Vercel)
- Authentication and password storage managed by our identity provider (Supabase Auth)
- Automated dependency-vulnerability monitoring on our codebase
- Encrypted, access-controlled database backups (managed by Supabase)
Organizational Measures
- Least-privilege access to production data, limited to the company principal
- Sub-processors selected for recognized security certifications (e.g., SOC 2) and bound by data-processing terms
- A documented incident-response process, including breach notification
- Risk assessments for new processing, including a legitimate-interest assessment for product analytics
16. Annex III — Approved Sub-Processors
SOCSimulator LLC engages the sub-processors listed in its public sub-processor register. The current, authoritative list — including each sub-processor's purpose, the categories of data involved, and its processing location — is maintained at socsimulator.com/subprocessors.
Changes to the list are governed by the notification and objection process described in Section 8.
For any questions about this DPA or to exercise rights under it, the Customer may contact SOCSimulator LLC at support@socsimulator.com.