For Business Customers
This Data Processing Agreement (DPA) applies when your organization acts as a Data Controller and BPC Group processes personal data on your behalf in connection with Insurial services.
1. Definitions
- "Controller": Your organization requesting insurance quotes
- "Processor": BPC Group (Insurial operator)
- "Personal Data": Employee/customer data included in quote requests
- "Processing": Quote facilitation and partner matching
- "Sub-processor": Insurance partners and service providers
2. Scope of Processing
Categories of Personal Data:
- Contact information (names, emails, phone numbers)
- Business information (company size, industry, location)
- Insurance requirements and preferences
Categories of Data Subjects:
- Your employees and authorized representatives
- Your customers (if included in risk assessment)
3. Processing Instructions
BPC Group will process Personal Data solely for the purpose of providing insurance quote services as outlined in our Terms of Service, and only according to your documented instructions.
4. Security Measures
We implement appropriate technical and organizational measures:
- SSL/TLS encryption for data in transit
- Encrypted storage for data at rest
- Access controls and authentication
- Regular security assessments
- Staff training on data protection
- Incident response procedures
5. Sub-processing
We engage the following categories of sub-processors:
- Insurance Partners: To provide quotes (vetted and contractually bound)
- Cloud Hosting: Secure data storage and processing infrastructure
- Email Services: Quote delivery and communication
All sub-processors are subject to equivalent data protection obligations. We will notify you of any changes to sub-processors with 30 days' notice.
6. Data Subject Rights
We will assist you in responding to data subject requests (access, rectification, erasure, etc.) within 72 hours of receiving your request. We provide tools and processes to facilitate compliance.
7. Data Breach Notification
We will notify you of any personal data breach within 24 hours of becoming aware, including details of the breach, affected data, and remediation measures taken.
8. International Transfers
Data transfers between the US and the EU are protected by Standard Contractual Clauses (SCCs) approved by the European Commission. We ensure adequate protection for all cross-border transfers.
9. Audit Rights
You may request audit information annually. We provide compliance reports and certifications. On-site audits may be arranged for enterprise customers with reasonable notice.
10. Data Retention and Deletion
Personal data is retained for 3 years or as instructed by you. Upon termination or your request, we will delete or return all personal data within 30 days, except where retention is required by law.
Contact & Execution
To execute this DPA or for questions:
Email: dpa@insurial.info
Subject: DPA Request - [Your Company Name]
Response time: Within 48 hours
This DPA becomes effective upon your first use of Insurial services or upon signed execution, whichever occurs first.
