
Data Processing Addendum.

This DPA governs our processing of personal data on your behalf when you use 1water.ai as a processor. It incorporates the EU Standard Contractual Clauses by reference for customers with data subjects in the EEA or UK.

Effective 2026-04-18 · Last reviewed 2026-04-18

1. Parties & definitions

This DPA is entered into between you (“Controller”) and 1water, Inc. (“Processor”). Terms used here have the meanings set forth in GDPR Art. 4.

2. Subject matter & duration

The Processor will process personal data on behalf of the Controller to operate the 1water.ai service, for the duration of the underlying customer agreement plus any retention period required by 40 CFR § 141.155.

3. Nature & purpose

Drafting, validating, publishing, and archiving Consumer Confidence Reports and related compliance artifacts for U.S. community water systems.

4. Categories of data & data subjects

  • Data subjects: licensed operators, compliance managers, and other Controller-side employees and contractors.
  • Categories: name, business email, utility affiliation, role, interaction logs. The published CCR itself does not contain personal data — it is about water quality.

5. Processor obligations

The Processor will:

  • Process personal data only on documented instructions from the Controller;
  • Ensure authorized personnel are bound by confidentiality;
  • Implement appropriate technical and organizational measures (see our security page);
  • Assist the Controller with data-subject rights requests;
  • Notify the Controller of personal data breaches without undue delay;
  • Delete or return personal data at the end of processing.

6. Subprocessors

The Processor uses subprocessors listed on the subprocessor page. The Controller gives general authorization; the Processor will provide 30 days’ notice of any new subprocessor and the Controller may object on reasonable grounds.

7. International transfers

Data is processed in the United States by the Processor and its subprocessors. For data subjects in the EEA or UK, the parties incorporate the EU Standard Contractual Clauses (Module 2: controller to processor) by reference.

8. Security

The Processor implements measures described on our security page, including encryption at rest and in transit, tenant isolation via row-level security, least-privilege access, audit logging, and annual penetration testing.

9. Audit

On reasonable notice and subject to confidentiality, the Controller may conduct an audit of the Processor’s compliance with this DPA, or accept a SOC 2 report in lieu of an onsite audit.

10. Return or deletion

At the end of the underlying customer agreement, the Processor will delete personal data within 90 days or return it to the Controller on request — subject to the § 141.155 5-year retention obligation for published CCRs.

11. Counter-signed copy

Procurement teams can request a counter-signable PDF of this DPA at privacy@1water.ai.