Data Processing Agreement

Last updated: June 8, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Juridion LLC ("Processor," "we," "us") and the customer using Dun ("Controller," "you") and governs the processing of personal data by the Processor on behalf of the Controller.

1. Parties

Data Controller: The individual or entity that has subscribed to Dun and determines the purposes and means of processing personal data through the Service.

Data Processor: Juridion LLC, which processes personal data on behalf of the Controller in connection with providing the Dun service.

2. Definitions

3. Scope and Purpose of Processing

The Processor processes Personal Data solely to provide the Dun service to the Controller. This includes:

3.1 Categories of Data Subjects

Clients and customers of the Controller who have outstanding invoices.

3.2 Types of Personal Data

3.3 Duration of Processing

Processing continues for the duration of the Controller's subscription to Dun. Upon termination, the Processor will delete or return Personal Data in accordance with Section 10.

4. Obligations of the Processor

The Processor shall:

  1. Process Personal Data only on documented instructions from the Controller, unless required by law.
  2. Ensure that persons authorized to process Personal Data have committed to confidentiality.
  3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 7).
  4. Not engage another processor (Sub-processor) without prior written authorization from the Controller (see Section 5).
  5. Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, objection).
  6. Assist the Controller in ensuring compliance with obligations related to security, breach notification, and data protection impact assessments.
  7. Delete or return all Personal Data after the end of the provision of services (see Section 10).
  8. Make available to the Controller all information necessary to demonstrate compliance with this DPA.

5. Sub-processors

The Controller authorizes the Processor to engage the following Sub-processors:

Sub-processorPurposeLocation
Google Cloud Platform (Firestore)Database storageUnited States
Stripe, Inc.Payment and invoice data sourceUnited States
Postmark (ActiveCampaign)Transactional email deliveryUnited States

The Processor will notify the Controller before adding or replacing Sub-processors, providing the Controller an opportunity to object. If the Controller objects, the Processor will make reasonable efforts to provide an alternative or the Controller may terminate the agreement.

The Processor will impose data protection obligations on each Sub-processor no less protective than those in this DPA.

6. International Data Transfers

Personal Data is stored and processed in the United States. For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, the Processor relies on:

The Processor will ensure that any Sub-processor to which Personal Data is transferred provides adequate safeguards in accordance with Applicable Data Protection Law.

7. Security Measures

The Processor implements and maintains the following technical and organizational security measures:

8. Data Breach Notification

In the event of a Personal Data breach, the Processor shall:

  1. Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach.
  2. Provide the Controller with sufficient information to enable the Controller to meet its obligations under Applicable Data Protection Law, including:
    • The nature of the breach, including categories and approximate number of Data Subjects and records affected
    • The likely consequences of the breach
    • The measures taken or proposed to address the breach and mitigate its effects
    • The name and contact details of the Processor's point of contact
  3. Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
  4. Not inform any third party of the breach without first obtaining the Controller's written consent, unless required by law.

9. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall:

The Controller shall bear the cost of any audit unless the audit reveals material non-compliance by the Processor.

10. Data Deletion and Return

Upon termination of the Service or upon the Controller's written request:

11. Governing Law

This DPA is governed by the laws of the State of New Mexico, United States, without regard to conflict of law principles. For Data Subjects in the EEA, the provisions of the GDPR shall apply to the extent they provide greater protection.

12. Contact

For questions about this DPA or to exercise any rights:

Juridion LLC
Email: support@getdunned.com