Data Processing Agreement
Effective Date: May 12, 2026 · Last Updated: May 12, 2026
About this document. This Data Processing Agreement ("DPA") is the standard template that governs Egan Rose Consulting LLC's processing of personal data on behalf of a client organization in connection with a consulting or advisory engagement. It becomes binding when expressly incorporated into the engagement agreement or executed as a standalone supplement, and is provided here so prospective and current clients can review it in advance.
1. Parties and Scope
This DPA supplements the engagement agreement, statement of work, or master services agreement (the "Engagement Agreement") between Egan Rose Consulting LLC ("Egan Rose," "Processor") and the client organization that has retained Egan Rose ("Client," "Controller"). This DPA applies to the extent Egan Rose processes Personal Data on behalf of Client in connection with the agreed Services.
2. Definitions
Capitalized terms used but not defined in this DPA have the meanings given in the Engagement Agreement. For purposes of this DPA:
| Term | Meaning |
|---|---|
| Applicable Data Protection Law | All laws and regulations applicable to the processing of Personal Data under the Engagement Agreement, including the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"), the UK Data Protection Act 2018 and UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable U.S. state privacy laws. |
| Personal Data | Any information relating to an identified or identifiable natural person that is provided to or processed by Egan Rose on behalf of Client in connection with the Services. |
| Data Subject | An identified or identifiable natural person to whom Personal Data relates, including Client's employees, contractors, vendors, subcontractors, and other individuals whose information is processed under the Engagement Agreement. |
| Processing | Any operation or set of operations performed on Personal Data, whether or not by automated means. |
| Controller, Processor, Subprocessor | Have the meanings given in the GDPR, with "Controller" including a "business" and "Processor" including a "service provider" under the CCPA/CPRA. |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. |
| Services | The consulting and advisory services described in the Engagement Agreement. |
| Standard Contractual Clauses | The standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission, as amended or replaced from time to time. |
3. Roles of the Parties
The parties acknowledge and agree that, with respect to the processing of Personal Data under the Engagement Agreement, Client is the Controller and Egan Rose is the Processor. Each party will comply with its respective obligations under Applicable Data Protection Law.
Client is responsible for the lawfulness of the Personal Data it provides to Egan Rose, including obtaining all necessary consents, providing required notices to Data Subjects, and establishing a lawful basis for processing under Applicable Data Protection Law.
4. Details of Processing
The subject matter, nature, purpose, duration, categories of Data Subjects, and categories of Personal Data for a specific engagement are described in Annex A, supplemented as necessary by the Engagement Agreement.
5. Processor Obligations
Egan Rose will:
- Process Personal Data only on documented instructions from Client, including with regard to transfers of Personal Data to a third country, unless required to do so by law applicable to Egan Rose, in which case Egan Rose will inform Client of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- Ensure that personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Implement and maintain the technical and organizational measures described in Annex B;
- Engage Subprocessors only in accordance with Section 6;
- Taking into account the nature of the processing, assist Client by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Client's obligation to respond to requests for exercising Data Subject rights;
- Assist Client in ensuring compliance with obligations relating to security of processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to Egan Rose;
- At the choice of Client, delete or return all Personal Data to Client after the end of the Services relating to processing, and delete existing copies unless storage is required by applicable law;
- Make available to Client all information necessary to demonstrate compliance with the obligations in this DPA and allow for and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client, subject to Section 11.
Egan Rose will inform Client if, in its opinion, an instruction infringes Applicable Data Protection Law.
6. Subprocessors
Client provides general written authorization for Egan Rose to engage Subprocessors, subject to the conditions in this Section.
Egan Rose will impose on each Subprocessor data protection obligations no less protective than those in this DPA. Egan Rose remains liable for the acts and omissions of its Subprocessors in performing the obligations under this DPA.
A current list of authorized Subprocessors is set out in Annex C and made available to Client on request. Egan Rose will provide notice of any intended addition or replacement of Subprocessors that materially affects the processing under a specific Engagement Agreement, giving Client a reasonable opportunity to object. If Client reasonably objects to a proposed new Subprocessor on data protection grounds, the parties will work in good faith to resolve the objection, and if no resolution is reached, Client may terminate the affected portion of the Services in accordance with the Engagement Agreement.
7. Security Measures
Egan Rose will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risk to Data Subjects. Egan Rose's measures are described in Annex B and may be updated from time to time, provided that the overall level of protection is not materially diminished.
8. Data Subject Rights
Egan Rose will, taking into account the nature of the processing, assist Client by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Client's obligations to respond to requests by Data Subjects to exercise their rights under Applicable Data Protection Law, including rights of access, correction, deletion, restriction, portability, and objection.
If Egan Rose receives a request directly from a Data Subject relating to Client's processing, Egan Rose will, where lawful, promptly direct the request to Client and will not otherwise respond except on Client's documented instructions or as required by law.
9. Personal Data Breaches
Egan Rose will notify Client without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. The notification will include, to the extent known, a description of the nature of the breach, the categories and approximate number of Data Subjects and Personal Data records concerned, the likely consequences, and the measures taken or proposed to address the breach.
Egan Rose will reasonably cooperate with Client in investigating, mitigating, and remediating the breach. Egan Rose's notification or cooperation in connection with a Personal Data Breach is not an acknowledgement of fault or liability.
10. International Data Transfers
Where Egan Rose's processing of Personal Data involves a transfer of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of data protection, the parties agree that the Standard Contractual Clauses (Module Two: Controller to Processor) are hereby incorporated by reference and will apply to such transfers, completed with the details set out in Annex A and, where applicable, the UK International Data Transfer Addendum.
Each party will perform its obligations under the Standard Contractual Clauses and any applicable supplementary measures, including transfer impact assessments where appropriate.
11. Audits and Inspections
Egan Rose will make available to Client information necessary to demonstrate compliance with this DPA. Upon reasonable prior written notice, and no more than once per twelve-month period (except where required by a supervisory authority or following a Personal Data Breach), Client or an independent auditor mandated by Client and reasonably acceptable to Egan Rose may conduct an audit of Egan Rose's compliance with this DPA, subject to reasonable confidentiality and security restrictions.
Egan Rose may satisfy its obligations under this Section in whole or in part by providing copies of relevant third-party audit reports, certifications, or attestations.
12. Return or Deletion of Data
Upon termination or expiration of the Engagement Agreement, Egan Rose will, at Client's election and within a reasonable period, return Personal Data to Client or delete all Personal Data and existing copies, unless retention is required by applicable law or by professional or federal contracting record-retention obligations. Egan Rose will provide written confirmation of deletion upon request.
13. Term and Termination
This DPA is effective on the effective date of the Engagement Agreement (or, if executed as a standalone supplement, on its own effective date) and continues for the duration of the Engagement Agreement. Provisions that by their nature should survive termination, including obligations relating to confidentiality, Data Subject rights cooperation, and return or deletion of data, will survive.
14. Liability
Each party's liability under or in connection with this DPA is subject to the limitations of liability set forth in the Engagement Agreement.
15. General Provisions
This DPA supplements and forms part of the Engagement Agreement. In the event of any conflict between this DPA and the Engagement Agreement regarding the processing of Personal Data, this DPA controls. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses control with respect to the transfers they govern.
This DPA is governed by the law specified in the Engagement Agreement, except that disputes arising out of the Standard Contractual Clauses are governed by their respective terms.
Annex A: Details of Processing
Subject Matter and Duration
Provision of the consulting and advisory Services described in the Engagement Agreement, for the duration of the Engagement Agreement.
Nature and Purpose of Processing
Review, analysis, classification, documentation, and reporting on information relevant to the agreed scope of Services, which may include Supply Chain Risk Management, regulatory compliance, resiliency and risk readiness, Human Rights Due Diligence, capture and proposal support, and related advisory activities.
Categories of Data Subjects
- Client's employees, contractors, officers, and other personnel whose information is shared with Egan Rose for the purposes of the Services;
- Client's vendors, subcontractors, and other supply-chain participants whose information is shared with Egan Rose for the purposes of the Services;
- Other individuals whose information is provided by Client and relevant to the Services.
Categories of Personal Data
- Identifiers and business contact information (name, business email, role, organization);
- Engagement records and correspondence, including notes, deliverables, audit-trail entries, and supporting documentation;
- Categories specific to the Services, such as supplier diligence records, workforce or psychosocial-risk indicators, certification and registration data, and similar information defined in the Engagement Agreement.
Special Categories of Personal Data
Client should not provide special categories of personal data (such as health data, biometric data, racial or ethnic origin, religious beliefs, trade union membership, or genetic data) unless specifically required for the agreed Services and lawfully justified. Where special categories are necessary, the parties will agree in writing on the additional safeguards that apply.
Frequency of Processing
As needed for the delivery of the Services for the duration of the Engagement Agreement.
Retention
For the duration of the Engagement Agreement and as further described in Section 12 and the Engagement Agreement, including any retention required by professional or federal contracting record-retention obligations.
Annex B: Technical and Organizational Measures
Egan Rose implements technical and organizational measures appropriate to the risk, including:
Access Controls
- Role-based access to Client materials, granted on a least-privilege, need-to-know basis;
- Authentication requirements including multi-factor authentication for accounts with access to Client materials;
- Access logging for material actions on systems holding Client materials.
Encryption
- Encryption of Personal Data in transit using industry-standard transport-layer security;
- Encryption of Personal Data at rest where technically feasible in the storage environments used.
Infrastructure and Tooling
- Use of reputable cloud-based collaboration and storage providers with established security certifications;
- Endpoint protection on devices used to access Client materials, including full-disk encryption and current security patching;
- Periodic review of tools and vendors used in engagement delivery.
Personnel
- Confidentiality obligations imposed on personnel and subcontractors with access to Client materials;
- Security and privacy awareness training for personnel.
Incident Response and Business Continuity
- Documented incident response procedures, including notification protocols for suspected Personal Data Breaches;
- Regular backup of working materials and recovery procedures for engagement records.
Vendor and Subprocessor Management
- Due diligence and contractual obligations imposed on Subprocessors used in engagement delivery.
Annex C: Authorized Subprocessors
Egan Rose engages a limited number of trusted Subprocessors to support engagement delivery. Categories typically include cloud-based document storage and collaboration, transactional email, scheduling, customer relationship management, and form processing.
A current list of authorized Subprocessors will be provided to Client upon written request. Material additions or changes to Subprocessors used in a specific engagement will be communicated to Client in accordance with Section 6.
To request the current Subprocessor list or to raise an objection to a proposed Subprocessor, contact hello@eganrose.com.
Contact
Egan Rose Consulting LLC, Attn: Privacy
1500 N. Main St., Fort Worth, TX 76164
Email: hello@eganrose.com
Phone: 817-381-6127