1. Purpose and scope

This Data Processing Addendum (“DPA”) supplements and forms part of the relationship between Rapid Momentum Consulting (“RAMC”) and any individual or organisation (“You” or “Customer”) whose personal information RAMC processes in the course of providing access to gated resources, self-assessment tools, newsletter subscriptions, discovery-call bookings, and similar Site services.

This DPA reflects the parties' agreement with regard to the processing of personal information in accordance with the requirements of applicable Data Protection Laws, including the GDPR, UK GDPR, India's DPDP Act, and equivalent regimes in the nine jurisdictions in which RAMC operates.

2. Definitions

Terms used and not otherwise defined in this DPA have the meanings given in our Privacy Policy and in the applicable Data Protection Laws. For clarity:

  • “Controller”, “Processor”, “Data Subject”, “Personal Data”, and “Processing” have the meanings given in GDPR Article 4
  • “Data Protection Laws” means all applicable data-protection and privacy laws in each jurisdiction in which RAMC operates
  • “Standard Contractual Clauses” or “SCCs” means the EU Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 and the UK International Data Transfer Addendum to those Clauses (collectively the 2021 SCCs)
  • “Subprocessor” means any third party engaged by RAMC to process Personal Data on its behalf

3. Roles of the parties

In the context of Site interactions covered by this DPA, the roles of the parties depend on the nature of the interaction:

  • For personal information You provide about Yourself directly (your own name, email, organisation, role), You are the Data Subject and RAMC is the Controller.
  • For personal information about other individuals (for example, colleagues whose names appear in self-assessment inputs, or third-party contacts included in resource-download requests), You are the Controller and RAMC is the Processor, processing on Your behalf and on Your documented instructions.

This DPA primarily governs the Processor relationship. Where RAMC acts as Controller, our Privacy Policy describes our processing.

4. Processing details

  • Subject matter and duration: Processing necessary to provide You with the requested resources, assessments, communications, and engagement coordination, for the duration of Your relationship with RAMC plus the retention periods described in our Privacy Policy.
  • Nature and purpose: Collection, storage, retrieval, organisation, transmission, and deletion of Personal Data in the course of operating the Site and providing professional services.
  • Categories of Data Subjects: Visitors to the Site, including prospects, existing clients, and other business contacts.
  • Categories of Personal Data: Identification data (name, business email, role), organisational data (company name, country of operation), interaction data (resources accessed, assessment responses, communication history), and technical data (IP address, device information).

5. Security measures

RAMC implements and maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit (TLS 1.2 minimum) and at rest in the Microsoft 365 tenant
  • Role-based access controls following least-privilege principles
  • Multi-factor authentication for all administrative access to RAMC's tenant
  • ISO/IEC 27001:2022 certification of the information security management system at the firm level
  • Regular review of security measures, vulnerability management, and incident response procedures
  • Personnel confidentiality obligations and security training
  • Backup and disaster recovery procedures aligned with ISO 22301 business continuity standards

6. Subprocessors

You authorise RAMC to engage Subprocessors to process Personal Data on its behalf. The current Subprocessors are:

  • Microsoft Corporation — productivity platform, email, document storage, Microsoft Lists, and analytics (Microsoft Clarity)
  • Vercel Inc. — Site hosting and serverless function execution
  • Google LLC — Google Analytics 4 with IP anonymisation
  • LinkedIn Corporation — Insight Tag for marketing campaign measurement (when active)

RAMC will provide notice of any intended changes to the list of Subprocessors at least 30 days in advance. Notice may be provided by updating this DPA, notifying subscribers via email, or otherwise as appropriate. You may object to a proposed change on reasonable Data Protection grounds; if the objection cannot be resolved, You may terminate the affected service.

7. International data transfers

Where Personal Data is transferred from a jurisdiction requiring transfer safeguards (including the EU/EEA, UK, and others) to a jurisdiction not the subject of an adequacy decision, the parties incorporate the relevant Standard Contractual Clauses by reference. For EU/UK to third-country transfers, Module 2 (Controller to Processor) of the 2021 EU SCCs applies, supplemented by the UK International Data Transfer Addendum where applicable.

Transfers involving India occur in accordance with the cross-border transfer provisions of the DPDP Act as in force from time to time, and the relevant restricted countries list as notified.

8. Data Subject rights

RAMC will, taking into account the nature of the processing, assist You by appropriate technical and organisational measures, insofar as possible, for the fulfilment of Your obligation to respond to Data Subject requests under applicable Data Protection Laws.

RAMC will promptly notify You of any Data Subject request received directly that pertains to Personal Data processed on Your behalf, so that You may respond.

9. Personal data breaches

RAMC will notify You without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting Personal Data processed under this DPA. The notification will include the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach.

10. Audits

RAMC will make available to You all information necessary to demonstrate compliance with the obligations laid down in this DPA. Upon reasonable advance notice and during normal business hours, RAMC will permit and contribute to audits conducted by You or an auditor mandated by You, subject to reasonable confidentiality obligations. For the avoidance of doubt, evidence of relevant third-party certifications (including ISO 27001:2022) and SOC 2 attestations of Subprocessors will be accepted in lieu of customer-conducted audits where appropriate.

11. Return or deletion of Personal Data

On termination of the service or on Your written request, RAMC will return or delete all Personal Data processed on Your behalf, save where applicable law requires continued retention. Backup copies created in the ordinary course of business will be deleted in accordance with RAMC's standard backup retention cycle (typically 90 days).

12. Governing law

This DPA is governed by the laws of the Commonwealth of Massachusetts, United States, except where the SCCs apply, in which case the SCCs' choice of law applies for matters within their scope.

13. Contact

Questions about this DPA or to invoke any rights under it: privacy@theramc.com.