data-processing-agreement.pdf
Home / Data Processing Agreement
Legal

Data Processing Agreement

Last updated: March 6, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Multiplier Software Inc. ("Provider") and the entity agreeing to these terms ("Customer") for Provider's AI technician platform for managed service providers.

This DPA applies where Provider processes Personal Data on behalf of Customer in the course of delivering the Product. Where this DPA is incorporated into a Common Paper Pilot Agreement or Cloud Service Agreement, the Standard Terms at commonpaper.com/standards/data-processing-agreement/1.0 are incorporated by reference.

1. Description of Processing

Subject Matter

Processing of Customer Personal Data by Provider in connection with Provider's AI technician platform. The platform connects to Customer's PSA, RMM, identity provider, and documentation tools to autonomously resolve L1 support tickets and triage higher-complexity tickets.

Nature and Purpose

Provider processes Customer Personal Data to:

  • Ingest and read support tickets from Customer's PSA (e.g., Autotask, ConnectWise Manage, HaloPSA)
  • Query identity providers (e.g., Microsoft Entra ID, Okta, JumpCloud) to look up end-user accounts and execute identity actions such as password resets, account unlocks, MFA resets, permission grants, and onboarding/offboarding
  • Query RMM tools (e.g., NinjaOne, Datto RMM) for device health and endpoint status
  • Query documentation platforms (e.g., IT Glue, Hudu) to retrieve client-specific procedures
  • Correlate data across systems to diagnose issues and identify root causes
  • Execute approved actions across connected tools on Customer's behalf
  • Deliver notifications to end users via Customer's messaging platform (Slack or Microsoft Teams)
  • Update ticket status and resolution notes in Customer's PSA
  • Generate audit logs of all actions taken

Duration

For the term of the Agreement, plus up to 30 days after termination to complete deletion of Customer Personal Data.

2. Categories of Personal Data

  • End-user identity data — Full name, email address, username, job title, department, manager, phone number
  • Account and access data — Account status, group memberships, assigned licenses, MFA enrollment status, last sign-in timestamps
  • Support ticket data — Ticket subject, description, notes, priority, status, timestamps, assigned technician, resolution details
  • Device data — Device name, hostname, operating system, IP address, last check-in time, RMM agent status
  • Communication data — Messages exchanged between Provider's AI agent and end users during ticket resolution in Slack or Microsoft Teams
  • Audit data — Logs of all actions taken by the platform, including timestamps, action type, target system, and outcome

3. Categories of Data Subjects

  • End users — Employees, contractors, and staff of Customer's managed clients whose IT support tickets are processed
  • Customer personnel — Customer's technicians and administrators who interact with the platform
  • Client contacts — Points of contact at Customer's managed client organizations (e.g., approvers for access requests)

4. Subprocessors

Provider uses the following subprocessors to deliver the Product. Provider will notify Customer at least 30 days before engaging any new subprocessor.

Subprocessor Location Processing Activity
Amazon Web Services (AWS) United States Cloud infrastructure, data storage, compute
OpenAI United States Large language model inference for ticket understanding and action planning
Anthropic United States Large language model inference for ticket understanding and action planning
DigitalOcean United States Cloud infrastructure, data storage, compute

5. Technical and Organizational Security Measures

Provider maintains the following measures to protect Customer Personal Data:

  1. Encryption at rest — All Customer Personal Data encrypted using AES-256
  2. Encryption in transit — All data transmitted over TLS 1.2 or higher
  3. Access control — Role-based access control with least-privilege principle for all internal access and API integrations (OAuth2 with scoped permissions)
  4. Multi-tenant isolation — Each Customer's data is logically isolated; no cross-tenant data access
  5. Audit logging — Complete, immutable audit log of every action taken by the platform
  6. Authentication — Multi-factor authentication required for all Provider personnel accessing production systems
  7. Credential management — All Customer API keys and OAuth tokens encrypted at rest; never logged or exposed in plaintext
  8. Incident response — Documented incident response plan; security incidents reported to Customer within 72 hours
  9. Personnel — All Provider personnel with access to Customer Personal Data are bound by confidentiality obligations
  10. Compliance — Provider maintains SOC 2 Type II compliance; audit report available upon request under NDA
  11. Data minimization — Provider processes only the minimum data necessary; ticket and user data are queried on demand, not bulk-exported or stored beyond what is needed for audit logging
  12. Deletion — Customer Personal Data deleted within 30 days of Agreement termination upon Customer request

6. Data Subject Rights

Provider will assist Customer in responding to requests from data subjects exercising their rights under applicable data protection laws, including rights of access, rectification, erasure, restriction, portability, and objection. Provider will promptly notify Customer if it receives a request directly from a data subject.

7. International Transfers

All Customer Personal Data is processed and stored in the United States. If Customer processes personal data of individuals in the European Economic Area, the parties agree to the EU Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by European Commission Decision 2021/914, with Ireland as the governing member state.

8. Audit Rights

Provider will make available to Customer, upon reasonable request and no more than once per year, information necessary to demonstrate compliance with this DPA. This includes Provider's most recent SOC 2 Type II audit report, provided under NDA.

9. Term and Deletion

This DPA is effective for the duration of the Agreement. Upon termination of the Agreement, Provider will delete all Customer Personal Data within 30 days, unless retention is required by applicable law. Provider will certify deletion in writing upon Customer's request.

© 2026 Rallied
Home About Blog