Data Processing Agreement
Last updated: June 8, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Juridion LLC ("Processor," "we," "us") and the customer using Dun ("Controller," "you") and governs the processing of personal data by the Processor on behalf of the Controller.
1. Parties
Data Controller: The individual or entity that has subscribed to Dun and determines the purposes and means of processing personal data through the Service.
Data Processor: Juridion LLC, which processes personal data on behalf of the Controller in connection with providing the Dun service.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, erasure, or destruction.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Service" means the Dun web application and associated services provided by Juridion LLC.
- "Applicable Data Protection Law" means GDPR (Regulation (EU) 2016/679), UK GDPR, and any other applicable data protection legislation.
3. Scope and Purpose of Processing
The Processor processes Personal Data solely to provide the Dun service to the Controller. This includes:
- Synchronizing invoice data from the Controller's Stripe account
- Storing client names, email addresses, and invoice details
- Sending payment reminder emails on behalf of the Controller
- Maintaining escalation schedules and delivery records
3.1 Categories of Data Subjects
Clients and customers of the Controller who have outstanding invoices.
3.2 Types of Personal Data
- Client names
- Client email addresses
- Invoice amounts and due dates
- Payment status
- Email delivery records (sent, bounced, opened)
3.3 Duration of Processing
Processing continues for the duration of the Controller's subscription to Dun. Upon termination, the Processor will delete or return Personal Data in accordance with Section 10.
4. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by law.
- Ensure that persons authorized to process Personal Data have committed to confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 7).
- Not engage another processor (Sub-processor) without prior written authorization from the Controller (see Section 5).
- Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, objection).
- Assist the Controller in ensuring compliance with obligations related to security, breach notification, and data protection impact assessments.
- Delete or return all Personal Data after the end of the provision of services (see Section 10).
- Make available to the Controller all information necessary to demonstrate compliance with this DPA.
5. Sub-processors
The Controller authorizes the Processor to engage the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform (Firestore) | Database storage | United States |
| Stripe, Inc. | Payment and invoice data source | United States |
| Postmark (ActiveCampaign) | Transactional email delivery | United States |
The Processor will notify the Controller before adding or replacing Sub-processors, providing the Controller an opportunity to object. If the Controller objects, the Processor will make reasonable efforts to provide an alternative or the Controller may terminate the agreement.
The Processor will impose data protection obligations on each Sub-processor no less protective than those in this DPA.
6. International Data Transfers
Personal Data is stored and processed in the United States. For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, the Processor relies on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Implementing Decision (EU) 2021/914)
- The EU-U.S. Data Privacy Framework, where applicable
The Processor will ensure that any Sub-processor to which Personal Data is transferred provides adequate safeguards in accordance with Applicable Data Protection Law.
7. Security Measures
The Processor implements and maintains the following technical and organizational security measures:
- Encryption in transit: All data is transmitted over TLS 1.2+.
- Encryption at rest: Firestore data is encrypted at rest using Google-managed encryption keys (AES-256).
- Access control: Access to production systems is restricted to authorized personnel using role-based access control and multi-factor authentication.
- Network security: The Service runs on Google Cloud Run with managed firewall rules and DDoS protection.
- Logging and monitoring: Access and audit logs are maintained for security monitoring and incident response.
- Input validation: All user input is validated and sanitized to prevent injection attacks (XSS, SQL injection).
- Regular updates: Dependencies and infrastructure are kept up to date with security patches.
8. Data Breach Notification
In the event of a Personal Data breach, the Processor shall:
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach.
- Provide the Controller with sufficient information to enable the Controller to meet its obligations under Applicable Data Protection Law, including:
- The nature of the breach, including categories and approximate number of Data Subjects and records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
- The name and contact details of the Processor's point of contact
- Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
- Not inform any third party of the breach without first obtaining the Controller's written consent, unless required by law.
9. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall:
- Provide the Controller with access to relevant records, systems, and personnel upon reasonable notice (at least 30 days).
- Cooperate with audits conducted by the Controller or an independent third-party auditor appointed by the Controller.
- Audits shall be conducted during normal business hours, no more than once per year, unless a breach has occurred.
The Controller shall bear the cost of any audit unless the audit reveals material non-compliance by the Processor.
10. Data Deletion and Return
Upon termination of the Service or upon the Controller's written request:
- The Processor shall delete all Personal Data within 30 days, unless retention is required by law.
- Upon request, the Processor shall provide the Controller with a copy of the Personal Data in a commonly used, machine-readable format before deletion.
- The Processor shall confirm deletion in writing upon the Controller's request.
- The Processor shall ensure that Sub-processors also delete Personal Data in accordance with this section.
11. Governing Law
This DPA is governed by the laws of the State of New Mexico, United States, without regard to conflict of law principles. For Data Subjects in the EEA, the provisions of the GDPR shall apply to the extent they provide greater protection.
12. Contact
For questions about this DPA or to exercise any rights:
Juridion LLC
Email: support@getdunned.com