CREDMINDER
Data Processing Agreement
Last Updated: April 2, 2026
This Data Processing Agreement ("DPA") is entered into between the Organization subscribing to CredMinder Enterprise ("Data Controller" or "Controller") and Be Prepared Education LLC ("Data Processor" or "Processor").
This DPA supplements the CredMinder Enterprise Terms of Service Addendum (the "Enterprise Addendum") and the CredMinder Privacy Policy Enterprise Addendum (the "Privacy Addendum"). It governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the Enterprise Service.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Enterprise Service.
"Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, combination, erasure, or destruction.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Data Breach" means any unauthorized access to, acquisition of, or disclosure of Personal Data that compromises the security, confidentiality, or integrity of such data.
"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the Virginia Consumer Data Protection Act (VCDPA), the California Privacy Rights Act (CPRA), and, to the extent applicable, the General Data Protection Regulation (GDPR).
2. Scope and Purpose of Processing
2.1 Purpose
The Processor processes Personal Data solely for the purpose of providing the CredMinder Enterprise Service to the Controller, as described in the Enterprise Addendum. The Processor shall not process Personal Data for any other purpose unless instructed to do so by the Controller in writing.
2.2 Categories of Personal Data
The following categories of Personal Data are processed under this DPA:
| Category | Data Elements | Source |
|---|---|---|
| Employee identity | Full name, email address, Employee ID | Controller input and Employee account |
| Credential metadata | Credential titles, types, ID/license numbers, expiration dates, compliance status | Employee input (shared via visibility toggle) |
| Credential images | Photographs of licenses, certifications, IDs | Employee upload (shared via visibility toggle) |
| Membership records | Role, status, join date, deactivation date | System-generated |
| Compliance data | Compliance status calculations, historical snapshots | System-generated from credential data |
| Audit trail | Administrative actions, timestamps, actor identity | System-generated |
| Organization profile | Organization name, Admin emails, settings | Controller input |
2.3 Categories of Data Subjects
The data subjects are the Controller's employees, contractors, and agents who are linked to the Organization through the Enterprise Service ("Employees"), and the Controller's designated Admins.
2.4 Duration of Processing
Processing continues for the duration of the Enterprise subscription and the applicable data retention period thereafter, as configured by the Controller through the Admin Dashboard.
2.5 Exclusion of Protected Health Information
⛔ This DPA does not cover the processing of Protected Health Information ("PHI") as defined under HIPAA. The Enterprise Service is not designed, intended, or authorized for use with PHI. The Processor does not operate as a Business Associate under HIPAA and will not enter into a Business Associate Agreement. The Controller is solely responsible for ensuring that no PHI is submitted to the Service.
3. Processor Obligations
The Processor shall:
(a) Process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data, unless required to do so by applicable law. If the Processor is required by law to process Personal Data for a different purpose, it shall inform the Controller of that legal requirement before processing, unless prohibited by law from doing so.
(b) Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) Implement appropriate technical and organizational security measures to protect Personal Data, including:
- Encryption at rest (AES-256) via Firebase's default encryption.
- Encryption in transit (TLS 1.2+) for all API communications.
- Role-based access controls enforced through Firestore security rules.
- Cross-organization data isolation at the database level.
- Audit logging of administrative actions.
- Secure deletion upon request or expiration of the configured retention period.
(d) Not engage a Sub-processor without the prior authorization of the Controller, as set forth in Section 5.
(e) Assist the Controller, taking into account the nature of the Processing, in responding to requests from data subjects exercising their rights under applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection).
(f) Assist the Controller in ensuring compliance with the Controller's obligations regarding security of processing, notification of Data Breaches, data protection impact assessments, and prior consultations with supervisory authorities, taking into account the nature of processing and the information available to the Processor.
(g) At the Controller's choice, delete or return all Personal Data to the Controller after the end of the provision of services relating to Processing, and delete existing copies unless applicable law requires storage of the Personal Data. The Controller may export organizational data through the Admin Dashboard prior to subscription termination.
(h) Make available to the Controller all information necessary to demonstrate compliance with these obligations and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes applicable Data Protection Laws.
4. Controller Obligations
The Controller shall:
(a) Ensure that it has a lawful basis for the processing of Personal Data by the Processor, including obtaining any necessary consents from data subjects (for example, Employee consent via the credential sharing toggle).
(b) Provide documented instructions to the Processor regarding the processing of Personal Data. The Controller's configuration of the Enterprise Service (Required Credentials, data retention settings, notification preferences) constitutes documented instructions.
(c) Ensure that the configuration of Required Credentials and data retention policies is appropriate and lawful for the Controller's jurisdiction and industry.
(d) Ensure that no Protected Health Information (PHI) is submitted to the Service. The Controller acknowledges that the Service is not designed for PHI and that any submission of PHI is a violation of the Enterprise Addendum.
5. Sub-processors
5.1 Authorized Sub-processors
The Controller grants general authorization for the Processor to engage the following Sub-processors:
| Sub-processor | Data Processed | Purpose | Location |
|---|---|---|---|
| Google LLC (Firebase) | All Firestore data, Storage files, Auth records, FCM tokens | Database, file storage, authentication, analytics, push notifications | United States |
| Stripe, Inc. | Organization name, Admin email, subscription events | Enterprise subscription billing and payment processing | United States |
| SendGrid (Twilio) or equivalent | Employee email addresses, notification content | Transactional email delivery | United States |
No Sub-processor receives Employee credential data except Google/Firebase, which hosts the database. Stripe and the email provider receive only the minimum data necessary for their specific functions.
5.2 Changes to Sub-processors
The Processor shall inform the Controller of any intended additions to or replacements of Sub-processors by providing at least thirty (30) days' written notice to the Organization's Super Admin. If the Controller objects on reasonable data protection grounds within fourteen (14) days of receiving notice, the parties shall work in good faith to resolve the objection. If no resolution is reached, the Controller may terminate the Enterprise subscription.
5.3 Sub-processor Obligations
The Processor shall impose equivalent data protection obligations on any Sub-processor by way of a written contract. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.
6. Data Breach Notification
6.1 Notification Timing
The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Data Breach affecting the Controller's Personal Data.
6.2 Notification Content
The notification shall include, to the extent reasonably available:
- A description of the nature of the Data Breach, including the categories and approximate number of data subjects and records affected.
- The name and contact details of the Processor's point of contact for further information.
- A description of the likely consequences of the Data Breach.
- A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects.
6.3 Cooperation
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any Data Breach. The Processor shall not notify any third party of a Data Breach without first consulting the Controller, unless required by law.
7. International Data Transfers
All Personal Data is processed and stored within the United States using Google Firebase infrastructure hosted in US data centers.
The Processor does not transfer Personal Data outside the United States. If international transfers become necessary in the future (for example, due to a change in Sub-processor infrastructure), the Processor will:
- Notify the Controller at least thirty (30) days in advance.
- Implement appropriate transfer safeguards as required by applicable Data Protection Laws (such as Standard Contractual Clauses for GDPR purposes).
- Obtain the Controller's consent before proceeding with the transfer.
8. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests under applicable Data Protection Laws. This includes providing technical mechanisms and cooperation for:
- Access: Employees can view all their personal credential data through the CredMinder app. Admins can export organizational data through the Admin Dashboard.
- Rectification: Employees can edit their credential data through the app. Admins can update Employee records through the Dashboard.
- Erasure: Employees can delete individual credentials or their entire account. Admins can deactivate Employees, triggering the configured retention and deletion schedule.
- Restriction: Employees can revoke credential visibility to the Organization at any time via the sharing toggle.
- Portability: Employees can export individual credentials as PDF. Admins can export compliance reports and employee rosters.
The Processor shall respond to Controller requests for assistance with data subject rights within ten (10) business days.
9. Audit Rights
The Controller may audit the Processor's compliance with this DPA, subject to the following conditions:
(a) The Controller shall provide at least thirty (30) days' written notice of any planned audit.
(b) Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations.
(c) The Controller shall bear its own costs for any audit. If the Controller engages a third-party auditor, the auditor must execute a confidentiality agreement acceptable to the Processor.
(d) The Processor may satisfy audit requests by providing relevant documentation, certifications, or third-party audit reports (such as SOC 2 reports, when available) in lieu of on-site inspections, provided such documentation reasonably addresses the Controller's audit objectives.
(e) Audit findings and reports shall be treated as confidential information of the Processor.
10. Term and Termination
This DPA shall remain in effect for the duration of the Enterprise subscription and shall automatically terminate upon the deletion of all Personal Data by the Processor in accordance with the data retention provisions of the Enterprise Addendum and this DPA.
Upon termination of the Enterprise subscription, the Processor shall delete all Personal Data in accordance with the Controller's configured retention policy. The Controller may export organizational data through the Admin Dashboard during the remaining billing period prior to data deletion.
The following obligations survive termination of this DPA: confidentiality (Section 3(b)), Data Breach notification (Section 6), cooperation with data subject requests for data that remains in the Processor's possession (Section 8), and audit rights for a period of twelve (12) months following termination (Section 9).
11. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the Commonwealth of Virginia, without regard to its conflict of law provisions, consistent with the Enterprise Addendum. To the extent that Data Protection Laws of another jurisdiction apply to the processing of a particular data subject's Personal Data, the relevant provisions of those laws shall also apply.
12. Contact
For questions or requests related to this DPA:
Data Processor: Be Prepared Education LLC
By email: support@bepreparededu.com
Online: www.bepreparededu.com/contact
This Data Processing Agreement is effective as of the date the Organization first subscribes to CredMinder Enterprise and is governed by the terms herein and the Enterprise Terms of Service Addendum.