Data Processing Addendum

Effective Date: 12.08.2025 • Last Updated: 02.02.2026

1. Parties and roles

Under this DPA, the district is the controller and EquiOps is the processor for district personal data processed through the services.

2. Scope and processing instructions

EquiOps processes personal data only on documented district instructions and solely for the purpose of delivering contracted services.

3. Confidentiality

Personnel authorized to process district data are bound by confidentiality obligations and receive security and privacy training appropriate to their roles.

4. Security controls

EquiOps implements security measures appropriate to processing risk, including access controls, encryption safeguards, monitoring, and incident response.

5. Subprocessors

EquiOps may engage subprocessors for infrastructure and support services. Subprocessors are contractually required to provide privacy and security protections substantially equivalent to this DPA.

6. Data subject requests

EquiOps provides reasonable assistance to support district responses to access, correction, deletion, and related data subject rights obligations.

7. Breach notification

EquiOps notifies districts without undue delay upon confirmed incidents involving district personal data, consistent with law and contract requirements.

8. Return and deletion

Upon termination, EquiOps supports district data export and deletion processes in accordance with district instructions and legal obligations.

9. Audit and assurance

EquiOps provides reasonable information needed to demonstrate compliance with this DPA, subject to confidentiality and security safeguards.

10. Data locality and term

District data is processed and stored within U.S.-based infrastructure, unless otherwise agreed in writing. DPA obligations remain in effect for the duration of services and survive as required for confidentiality and security.