This Data Processing Addendum (DPA) forms part of the agreement between JHBRIDGE Translation Services ("JHBRIDGE," "we," "us," or "Service Provider") and the client ("Client," "you," or "Data Controller") for the provision of translation, interpretation, localization, and related language services ("Services").

This DPA applies when JHBRIDGE processes personal data on behalf of the Client in connection with the Services, and the Client is subject to data protection obligations under applicable laws, including but not limited to the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), or other privacy regulations.

This DPA supplements and is incorporated into the JHBRIDGE Terms of Service and Privacy Policy. In the event of conflict between this DPA and other terms, this DPA shall prevail with respect to data processing matters.

For purposes of this DPA, the following terms have the meanings provided below, unless otherwise defined by applicable law:

"Personal Data" means any information relating to an identified or identifiable individual that is processed by JHBRIDGE on behalf of the Client in connection with the Services.

"Processing" means any operation or set of operations performed on Personal Data, including collection, recording, storage, use, disclosure, deletion, or other handling.

"Data Controller" means the entity that determines the purposes and means of Processing Personal Data. Typically, the Client acts as the Data Controller when submitting documents or information to JHBRIDGE.

"Data Processor" means the entity that processes Personal Data on behalf of and according to the instructions of the Data Controller. JHBRIDGE generally acts as a Data Processor when providing Services.

"Data Subject" means the individual to whom Personal Data relates.

"Subprocessor" means any third party engaged by JHBRIDGE to process Personal Data on behalf of the Client.

The Client acknowledges and agrees that, in most circumstances, the Client acts as the Data Controller and determines the purposes and means of processing Personal Data when submitting materials to JHBRIDGE. The Client is responsible for ensuring that it has a lawful basis for processing Personal Data and for providing required notices and obtaining necessary consents from Data Subjects.

JHBRIDGE acts as a Data Processor when processing Personal Data on behalf of the Client to provide the Services. JHBRIDGE will process Personal Data only in accordance with the Client's documented instructions, applicable law, and the terms of this DPA.

In some situations, JHBRIDGE may also process Personal Data as an independent Data Controller for its own business purposes, such as managing client accounts, processing payments, responding to support requests, complying with legal obligations, or improving services. When JHBRIDGE acts as a Data Controller, JHBRIDGE is responsible for compliance with applicable data protection laws for such processing.

JHBRIDGE will process Personal Data only as necessary to provide the Services and in accordance with the Client's documented instructions. The Client's instructions are set forth in the Terms of Service, this DPA, and the Client's service requests, project specifications, and other written communications with JHBRIDGE.

Processing activities performed by JHBRIDGE on behalf of the Client may include: receiving and storing documents and materials submitted by the Client; translating, localizing, or otherwise processing the content of submitted documents; assigning projects to translators, interpreters, or other service providers; managing project workflow, quality assurance, and delivery; communicating with the Client regarding projects; and retaining documents and records as specified in the Terms of Service and Privacy Policy.

If JHBRIDGE believes that an instruction from the Client violates applicable data protection law, JHBRIDGE will inform the Client and may refuse to carry out the instruction until the Client provides clarification or modified instructions.

JHBRIDGE will process Personal Data in accordance with applicable data protection principles, including: lawfulness, fairness, and transparency; purpose limitation (processing only for specified, legitimate purposes); data minimization (processing only data necessary for the purposes); accuracy (taking reasonable steps to ensure data is accurate and up to date); storage limitation (retaining data no longer than necessary); integrity and confidentiality (implementing appropriate security measures); and accountability (demonstrating compliance with data protection obligations).

JHBRIDGE will retain Personal Data only for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and fulfill operational needs, as described in the Privacy Policy. Standard retention periods include retaining documents and project files for up to 90 days after project completion, unless earlier deletion is requested or longer retention is required; retaining billing and payment records for the period required by law or accounting standards; and retaining account information and communication records for a reasonable period after account closure.

Upon expiration of applicable retention periods, or upon the Client's written request (subject to legal and operational requirements), JHBRIDGE will delete or anonymize Personal Data unless longer retention is required by law, ongoing disputes, or legitimate business needs.

Clients may request deletion of specific documents or data by contacting JHBRIDGE. Deletion requests will be honored where feasible, subject to legal, billing, and operational constraints.

The Client acknowledges and consents to JHBRIDGE's engagement of Subprocessors to assist in providing the Services. Subprocessors may include: translators, interpreters, and linguists who perform translation, interpretation, or quality assurance work; cloud hosting and infrastructure providers; payment processors; translation management systems and project management platforms; communication and collaboration tools; and other service providers necessary for service delivery.

JHBRIDGE will enter into written agreements with Subprocessors that impose data protection obligations substantially similar to those in this DPA, including confidentiality, security, and data protection requirements. JHBRIDGE remains responsible for the acts and omissions of its Subprocessors to the extent JHBRIDGE would be liable if performing the services directly.

JHBRIDGE may update its Subprocessors from time to time as necessary for business operations. Clients who object to a new Subprocessor may terminate the affected Services upon written notice, provided that termination does not relieve the Client of payment obligations for services already provided.

As Data Processor, JHBRIDGE will assist the Client in responding to requests from Data Subjects to exercise their rights under applicable data protection laws, including rights to access, correction, deletion, restriction of processing, data portability, and objection to processing.

If JHBRIDGE receives a request directly from a Data Subject regarding Personal Data processed on behalf of the Client, JHBRIDGE will promptly notify the Client and, unless legally prohibited, redirect the Data Subject to submit the request to the Client. JHBRIDGE will cooperate with the Client's reasonable instructions to fulfill Data Subject requests, taking into account the nature of the processing and the information available to JHBRIDGE.

The Client is primarily responsible for responding to Data Subject requests and determining appropriate action in accordance with applicable law.

JHBRIDGE implements and maintains appropriate technical and organizational security measures to protect Personal Data against unauthorized access, disclosure, alteration, destruction, loss, or misuse. Security measures include: encryption in transit (HTTPS/TLS) and encryption at rest for sensitive data; access controls and authentication mechanisms, including password protection and role-based access; regular security monitoring, vulnerability assessments, and security updates; secure cloud infrastructure with redundancy and backup capabilities; confidentiality obligations and security training for employees and contractors; and incident response and breach notification procedures.

JHBRIDGE reviews and updates security measures regularly to address emerging threats and evolving best practices. However, no security system is entirely infallible, and JHBRIDGE cannot guarantee absolute security.

In the event of a confirmed or suspected personal data breach involving Personal Data processed on behalf of the Client, JHBRIDGE will: promptly investigate the incident to determine the nature, scope, and impact of the breach; notify the Client without undue delay after becoming aware of the breach, and in any event within the timeframe required by applicable law; provide the Client with available information about the breach, including the categories and approximate number of affected Data Subjects and data records, the likely consequences, and measures taken or proposed to address the breach; and cooperate with the Client's investigation and response efforts, including providing reasonable assistance with breach notification to Data Subjects and regulatory authorities, as required by law.

The Client acknowledges that JHBRIDGE's notification obligations are subject to law enforcement, regulatory, or legal restrictions that may delay or limit disclosure.

JHBRIDGE is based in the United States and provides Services primarily within the United States, including Massachusetts, New York, Florida, Texas, California, and remote services nationwide. Personal Data submitted to JHBRIDGE may be processed and stored in the United States and, in some cases, may be accessed by translators, interpreters, or service providers located in other jurisdictions.

For Clients located in the European Economic Area (EEA), United Kingdom, or other jurisdictions with data export restrictions, the transfer of Personal Data to JHBRIDGE in the United States may constitute an international data transfer subject to additional safeguards. Clients are responsible for ensuring that appropriate legal mechanisms are in place for such transfers, which may include Standard Contractual Clauses (SCCs), adequacy decisions, or other approved transfer mechanisms.

JHBRIDGE will cooperate with Clients to implement appropriate transfer mechanisms and provide reasonable assistance to support compliance with international data transfer requirements.

JHBRIDGE will make available to the Client information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA, subject to confidentiality and operational constraints. Upon reasonable advance written notice, and subject to confidentiality obligations, the Client may request information regarding JHBRIDGE's data processing practices or conduct audits (or engage a qualified third-party auditor) to verify compliance with this DPA.

Audit requests must be reasonable in scope, conducted during normal business hours, and must not unreasonably interfere with JHBRIDGE's operations. Costs associated with audits shall be borne by the Client, except where the audit reveals material non-compliance by JHBRIDGE.

If the Client is required to conduct a Data Protection Impact Assessment (DPIA) under applicable law, JHBRIDGE will provide reasonable assistance and information regarding JHBRIDGE's processing activities, security measures, and data protection practices to support the Client's DPIA.

If the Client is required to consult with a supervisory authority regarding high-risk processing, JHBRIDGE will cooperate with the Client and provide reasonable information and assistance in connection with such consultation.

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. To the extent permitted by law, JHBRIDGE's liability for data protection breaches or violations of this DPA shall be limited to direct damages and shall not exceed the total fees paid by the Client for the Services in the 12 months preceding the claim.

The Client agrees to indemnify and hold harmless JHBRIDGE from claims, damages, and expenses arising from the Client's breach of its obligations under this DPA, including claims related to unlawful processing instructions, failure to obtain required consents, or submission of unauthorized or infringing materials.

This DPA becomes effective on the Effective Date and remains in effect for the duration of the Services. Upon termination or expiration of the Services, JHBRIDGE will delete or return Personal Data to the Client in accordance with the Client's written instructions, subject to legal retention requirements and operational constraints.

Provisions of this DPA that by their nature should survive termination, including confidentiality, liability limitations, and indemnification, shall survive termination of this DPA and the Services.

JHBRIDGE may update this DPA from time to time to reflect changes in law, business practices, or service offerings. Material updates will be communicated to Clients by email or prominent notice on the website. Continued use of the Services after updates means acceptance of the updated DPA.

This DPA is governed by the laws of the Commonwealth of Massachusetts, without regard to conflict of law provisions. Disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions of the Terms of Service.