Last updated: June 16, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between Progense LLC ("Progense," "we," "us," "Processor") and the customer agreeing to those Terms ("Customer," "you," "Controller"). This DPA governs the processing of Personal Data by Progense on behalf of Customer in connection with the Progense platform and related services (the "Service").
Where Customer uploads, stores, or otherwise processes within the Service any Personal Data relating to Customer's own clients, end users, employees, or other individuals, Customer acts as the Controller and Progense acts as the Processor of that Personal Data. This DPA reflects the parties' agreement with respect to that processing.
In the event of a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA prevails.
Capitalized terms not defined here have the meanings given in the Agreement.
For Personal Data contained in Customer Data, Customer is the Controller and Progense is the Processor. For information about the Account Holder and Account administration, Progense acts as an independent Controller as described in its Privacy Policy; that processing is outside the scope of this DPA.
Progense will process Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to do otherwise by law (in which case Progense will, where legally permitted, inform Customer of that requirement). Customer's instructions are set out in the Agreement, this DPA, and Customer's use and configuration of the Service. Customer's use of the Service constitutes its complete and final instructions to Progense regarding the processing of Personal Data.
The subject matter, duration, nature, purpose, categories of Data Subjects, and types of Personal Data are described in Annex A to this DPA.
Customer represents and warrants that it has established and will maintain a valid legal basis for the processing of Personal Data, has provided all required notices, and has obtained all necessary consents and rights for Progense to process Personal Data as contemplated by the Agreement and this DPA.
Customer's instructions to Progense will comply with Applicable Data Protection Law. Customer is solely responsible for the accuracy, quality, and legality of the Personal Data and the means by which it was acquired.
Progense will process Personal Data only as set out in Section 2.2.
Progense will ensure that personnel authorized to process Personal Data are bound by appropriate obligations of confidentiality.
Progense will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against a Personal Data Breach, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures are described in Annex B.
Taking into account the nature of the processing and the information available to it, Progense will provide reasonable assistance to Customer in:
If Progense receives a request from a Data Subject relating to Personal Data processed on behalf of Customer, Progense will, to the extent legally permitted, promptly notify Customer and will not respond to the request except on Customer's documented instructions or as required by law. The Service provides functionality enabling Customer to access, correct, export, and delete Personal Data within its Account, which assists Customer in responding to such requests.
Customer provides general authorization for Progense to engage Sub-Processors to process Personal Data, provided that Progense:
A current list of Sub-Processors is maintained in the Sub-Processor List referenced in the Agreement and available through the Service.
Progense will provide a mechanism for Customer to be informed of intended additions or replacements of Sub-Processors and an opportunity to object on reasonable data-protection grounds. If Customer objects and the parties cannot resolve the objection, Customer may terminate the affected portion of the Service as its sole remedy.
Progense and its Sub-Processors may process Personal Data in the United States and other countries. Where Personal Data originating from the European Economic Area, the United Kingdom, or Switzerland is transferred to a country that has not received an adequacy determination, the parties agree that such transfers will be governed by an appropriate transfer mechanism, including the Standard Contractual Clauses approved by the European Commission (and the UK Addendum, where applicable), which are incorporated into this DPA by reference and completed as set out in Annex C.
Progense will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer's Personal Data. The notification will include, to the extent available, the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address it. Progense will cooperate with Customer and take reasonable steps to mitigate the effects of the breach.
Progense will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, subject to reasonable confidentiality and security conditions, reasonable advance notice, and frequency limits. Where available, Progense may satisfy this obligation by providing third-party certifications, audit reports, or summaries of its technical and organizational measures.
Upon termination or expiry of the Agreement, Progense will, at Customer's choice, delete or return Personal Data, and delete existing copies, except to the extent retention is required by law. The Service provides export functionality enabling Customer to retrieve Customer Data. Following a reasonable retrieval period after termination, Progense may delete or anonymize Personal Data in accordance with its data-retention practices.
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
This DPA takes effect on the effective date of the Agreement and remains in force for as long as Progense processes Personal Data on behalf of Customer.
Progense maintains measures designed to protect Personal Data, including:
These measures may be updated over time provided they do not materially reduce the overall level of protection.
For restricted transfers of Personal Data originating from the European Economic Area, the Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914), Module Two (Controller to Processor), apply, with Customer as data exporter and Progense as data importer. The optional docking clause does not apply. The governing law and forum for the Clauses follow the Member State determined under the Clauses where Customer is established in the EEA, and otherwise Ireland. For transfers subject to UK data-protection law, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses applies and is incorporated by reference. For transfers subject to Swiss law, references to the GDPR are read as references to the Swiss Federal Act on Data Protection and the competent authority is the Swiss Federal Data Protection and Information Commissioner. Customer may request a counter-signed copy of this DPA with completed annex selections by contacting progense@gmail.com.
This DPA is accepted by Customer upon acceptance of the Agreement or upon Customer's use of the Service. No physical signature is required for this DPA to be binding; however, Customer may request a counter-signed copy by contacting progense@gmail.com.