data processing addendum

Last Updated: May 7, 2026

This Data Processing Addendum ("DPA") forms part of Indigo Engineering, LLC's Subscription Terms and any applicable Order Form (collectively, the "Agreement") between Indigo Engineering, LLC ("Indigo") and the entity or individual that accepts the Agreement, creates an account, accesses or uses the Products, or enters into an Order Form referencing the Agreement ("Customer"). The purpose of this DPA is to reflect the parties' agreement regarding the Processing of Personal Data in accordance with applicable United States federal and state data protection and privacy laws.

This DPA is an online addendum to and forms part of the Agreement and supersedes any previously applicable terms relating to its subject matter (including any data processing amendment, agreement, or addendum relating to the Products), effective from the date on which Customer first accepts the Agreement, creates an account, accesses or uses the Products, or enters into an Order Form referencing the Agreement (the "DPA Effective Date").

For the duration of the Agreement, and in the course of providing the Products to Customer pursuant to the Agreement, Indigo may Process Personal Data on behalf of Customer. This DPA applies where Indigo Processes Personal Data as a Processor, Service Provider, or Contractor on behalf of Customer and such Personal Data is subject to US Privacy Laws (as defined below).

1. Definitions

   Capitalized terms not otherwise defined in this DPA have the meanings given to them in the Agreement or in US Privacy Laws, in that order of precedence. The following terms have the meanings set forth below:

   1. "Affiliate" means, with respect to a party, any entity that, directly or indirectly, Controls, is Controlled by, or is under common Control with such party (but only for so long as such Control exists). For purposes of this definition, an entity "Controls" another entity if it (a) holds a majority of the voting rights in it; (b) is a member or shareholder of it and has the right to remove a majority of its board of directors or equivalent managing body; (c) is a member or shareholder of it and controls alone, or pursuant to an agreement with other shareholders or members, a majority of the voting rights in it; or (d) has the right to exercise a dominant influence over it pursuant to its constitutional documents or pursuant to a contract.
   2. "CCPA/CPRA" means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100–1798.199, as amended by the California Privacy Rights Act of 2020, and the regulations issued thereunder, each as amended from time to time.
   3. "Controller" means an entity that determines the purposes and means of the Processing of Personal Data, and includes a "Business" or analogous term under US Privacy Laws.
   4. "Customer Data" has the meaning given to it in the Agreement and, for purposes of this DPA, includes Personal Data to the extent contained in Customer Data.
   5. "Data Subject" means the natural person to whom Personal Data relates, and includes a "Consumer," "resident," or analogous term under US Privacy Laws.
   6. "Personal Data" means information that is Processed by Vendor under the Agreement and that is defined as "personal data," "personal information," "personally identifiable information," or an analogous term under US Privacy Laws.
   7. "Processing" means any operation or set of operations performed on Personal Data, including collection, use, storage, disclosure, analysis, deletion, or other handling of Personal Data. "Process" and "Processed" have correlative meanings.
   8. "Processor" means an entity that Processes Personal Data on behalf of a Controller, and includes a "Service Provider," "Contractor," or analogous term under US Privacy Laws.
   9. "Regulator" means any United States federal or state regulatory body or attorney general with responsibility for enforcing US Privacy Laws.
   10. "Sub-processor" means any third-party Processor engaged by Indigo to Process Personal Data in order to provide the Products to Customer under the Agreement and/or this DPA.
   11. "US Privacy Laws" means all United States federal and state data protection, data security, breach notification, and privacy laws and regulations applicable to the Processing of Personal Data under the Agreement, including, to the extent applicable, the CCPA/CPRA and other comprehensive United States state consumer privacy laws, each as amended from time to time. Where the context requires, references in this DPA to "Applicable Data Protection Laws" are deemed references to US Privacy Laws.
2. Status of the Parties
   1. Subject Matter and Details of Processing. The subject matter, duration, nature, and purpose of the Processing, the type of Personal Data Processed, and the categories of Data Subjects are described in Schedule 1 (Description of the Processing), as further limited by the Agreement, the applicable Order Form, and any applicable Upstream Data Provider Terms.
   2. Compliance. Each party warrants that it will comply with US Privacy Laws applicable to it. As between the parties, Customer has sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data, including all necessary rights, permissions, notices, opt-out records, and consents required for Indigo to Process Personal Data in connection with the Products, Licensed Data, and any applicable Upstream Data.
   3. Roles. For purposes of this DPA and the Personal Data Processed under it, Customer is the Controller (or a Processor acting on behalf of a third-party Controller), and Indigo is the Processor.
   4. Customer as Processor. If Customer is itself a Processor, Customer warrants to Indigo that Customer's instructions and actions with respect to the Personal Data, including its appointment of Indigo as a Sub-processor, have been (and will, for the duration of this DPA, continue to be) authorized by the relevant Controller.
3. Processing of Personal Data
   1. Roles of the Parties. The parties acknowledge and agree that with respect to the Processing of Personal Data, Customer is the Controller and determines the purposes for which and the manner in which Personal Data is Processed, and Indigo is the Processor acting on behalf of Customer. Indigo may engage Sub-processors pursuant to Section 7 (Sub-processors).
   2. Customer's Processing of Personal Data. Customer shall, in its use of the Products, Process Personal Data in accordance with the requirements of US Privacy Laws. Customer shall ensure that its instructions for the Processing of Personal Data comply with US Privacy Laws and that Indigo's Processing of Personal Data, when carried out in accordance with Customer's instructions, will not cause Indigo to violate any applicable law or regulation, including US Privacy Laws, the Agreement, or any applicable Upstream Data Provider Terms. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer shall ensure that it is entitled to transfer the Personal Data to Indigo so that Indigo and its Sub-processors may lawfully Process the Personal Data on Customer's behalf in accordance with this DPA and the Agreement, including with respect to any Data Subject who has exercised an opt-out right (e.g., regarding sale, sharing, targeted advertising, or profiling) under US Privacy Laws. Indigo will inform Customer if Indigo becomes aware, or reasonably believes, that Customer's instructions violate US Privacy Laws.
   3. Indigo's Processing of Personal Data. Indigo shall Process Personal Data on behalf of and in accordance with Customer's written instructions and shall treat Personal Data as Confidential Information; provided that any exclusions or carve-outs that apply to Confidential Information under the Agreement shall not apply to Personal Data. Customer discloses or makes available Personal Data to Indigo only for the limited and specified business purposes described in this DPA and the Agreement. Customer instructs Indigo to Process Personal Data for the following purposes:
      1. Processing in accordance with the Agreement and any applicable Order Form, including updating the Products and preventing or addressing Product, service, or technical issues;
      2. Processing initiated by Customer's authorized users in their use of the Services;
      3. Processing to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement and US Privacy Laws;
      4. Processing as otherwise required by applicable law; and
      5. The Agreement and this DPA, together with Customer's configuration and use of the Products, are Customer's complete and final instructions to Indigo in relation to the Processing of Personal Data. Any Processing required outside the scope of these instructions will require the prior written agreement of the parties.

      For clarity, this DPA does not restrict Indigo's rights under the Agreement to collect, create, use, analyze, publish, and otherwise exploit de-identified or aggregated data derived from Customer Data or Customer's use of the Products, provided that such data does not identify Customer or any individual and is not reasonably capable of being re-identified.

   4. Data Residency. Indigo may Store and Process Personal Data in the United States or any other location in which Indigo, its Affiliates, or its Sub-processors maintain data processing operations, subject to the terms of this DPA and US Privacy Laws. Personal Data Processed through the Products may be disclosed to, transferred to, or accessed by Indigo's personnel or Sub-processors as reasonably necessary to provide, secure, maintain, and support the Products.
4. Rights of Data Subjects

   Taking into account the nature of the Processing and the information available to Indigo, Indigo shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, in the fulfillment of Customer's obligation to respond to requests by Data Subjects to exercise their rights under US Privacy Laws (including rights of access, deletion, correction, portability, opt-out from sale or sharing, opt-out from targeted advertising, opt-out from profiling, and limitation on use of sensitive personal information). Indigo shall, to the extent legally permitted, promptly notify Customer if Indigo receives a request from a Data Subject for the exercise of any such right with respect to Personal Data Processed on Customer's behalf. Indigo shall not respond to any such Data Subject request without Customer's prior written consent, except to confirm that the request relates to Customer. To the extent Customer, in its use of the Products, does not have the ability to access, correct, amend, delete, or otherwise act on Personal Data as required by US Privacy Laws, Indigo shall provide Customer with commercially reasonable cooperation and assistance in responding to such request, to the extent Indigo is legally permitted to do so.

5. Indigo Obligations

   With respect to all Personal Data it Processes in its role as a Processor, Indigo shall:

   1. only Process Personal Data in order to provide the Products and in accordance with (a) Customer's written instructions as set out in the Agreement and this DPA, unless required to do so by applicable law to which Indigo is subject, and (b) the requirements of US Privacy Laws. If Indigo is required by applicable law to Process Personal Data outside Customer's instructions, Indigo shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. Indigo shall promptly inform Customer if Indigo determines that it can no longer meet its obligations under this DPA or under US Privacy Laws;
   2. not Sell or Share Personal Data and not retain, use, or disclose Personal Data (a) for any purpose other than for the specific purpose of performing the Products, including any commercial purpose other than providing the Products, except as otherwise permitted by US Privacy Laws, or (b) outside the direct business relationship between Customer and Indigo, except as permitted by US Privacy Laws. Indigo shall not use Personal Data for the purposes of cross-context behavioral advertising or targeted advertising. Indigo shall not combine Personal Data Processed under the Agreement with personal data Indigo receives from or on behalf of any other person, or that Indigo collects from its own interaction with a Data Subject, except as permitted by US Privacy Laws. For purposes of this Section 5, "Sell," "Share," "cross-context behavioral advertising," and "targeted advertising" have the meanings given in the applicable US Privacy Laws. Indigo's performance of the Products may include disclosing Personal Data to Sub-processors in accordance with Section 7 (Sub-processors);
   3. inform Customer if, in Indigo's opinion, any instructions provided by Customer infringe US Privacy Laws;
   4. implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risks presented by the Processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data. Customer acknowledges that the security measures are subject to technical progress and development and that Indigo may update or modify them from time to time, provided that such updates and modifications do not materially degrade or diminish the overall security of the Products;
   5. ensure that only authorized personnel have access to Personal Data and that any persons it authorizes to access Personal Data are under contractual or statutory obligations of confidentiality;
   6. without undue delay (and in any event within the timeframe set forth in Section 9 (Security Breach Management and Notification)) notify Customer upon becoming aware of any Security Breach (as defined in Section 9) and provide Customer with commercially reasonable cooperation and assistance in respect of that Security Breach;
   7. not make any public announcement about a Security Breach without the prior written consent of Customer, unless required by applicable law;
   8. to the extent Indigo is able to verify that a Data Subject is associated with Customer, promptly notify Customer if Indigo receives a request from a Data Subject to exercise any rights in respect of that Data Subject's Personal Data (a "Data Subject Request"). Indigo shall not respond to a Data Subject Request without Customer's prior written consent, except to confirm that such request relates to Customer, to which Customer hereby agrees;
   9. to the extent Indigo is able and as required by US Privacy Laws, provide reasonable assistance to Customer in responding to a Data Subject Request if Customer does not have the ability to address the request without Indigo's assistance. Customer is responsible for verifying that the requestor is the Data Subject in respect of whose Personal Data the request is made. Indigo bears no responsibility for information provided in good faith to Customer in reliance on this subsection;
   10. other than to the extent required to comply with applicable law, following termination or expiration of the Agreement or completion of the Services, at the choice of Customer, delete or return all Personal Data (including copies thereof) Processed pursuant to this DPA in accordance with Section 10 (Return and Deletion of Personal Data); and
   11. taking into account the nature of Processing and the information available to Indigo, provide such assistance to Customer as Customer reasonably requests in relation to:
       1. data protection or privacy risk assessments required of Customer under US Privacy Laws;
       2. notifications to Regulators and/or communications to Data Subjects by Customer in response to any Security Breach; and
       3. Customer's compliance with its obligations under US Privacy Laws with respect to the security of Processing.
6. Indigo Personnel

   Indigo shall ensure that its personnel and those of its Affiliates engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements. Indigo shall ensure that access to Personal Data is limited to those personnel who require such access to perform Indigo's obligations under the Agreement.

7. Subprocessors

   Indigo may engage subcontractors to assist in Processing Personal Information for the Business Purposes, provided that Service Provider: (a) notifies Business of such engagement; and (b) enters into a written agreement with each subcontractor that requires the subcontractor to comply with obligations no less protective than those imposed on Service Provider under this Addendum with respect to the Personal Information. Indigo shall be liable for the acts and omissions of its Sub-processors with respect to the Processing of Personal Data to the same extent as if performed by Indigo.

8. Security

   Indigo shall maintain appropriate administrative, physical, and technical safeguards for the protection of the security, confidentiality, and integrity of Personal Data, that are appropriate to (a) the size, scope, and type of Indigo's business; (b) the resources available to Indigo; (c) the type of information that Indigo will Process; and (d) the need for security and confidentiality of such information. Indigo shall regularly monitor compliance with these safeguards. Indigo reserves the right to update such measures, provided that any updates shall not materially diminish the level of security applicable to the Products during the term of the Agreement.

9. Security Breach Notifications

   Indigo maintains security incident management policies and procedures and shall, to the extent permitted by law, notify Customer's designated notice or security contact identified in the Agreement, applicable Order Form, Customer's account profile, or other contact information provided by Customer without undue delay (and in any event within seventy-two (72) hours of confirmation) of any breach of security leading to the actual or reasonably suspected unauthorized acquisition of, access to, disclosure of, alteration of, loss of, or destruction of Personal Data Processed by Indigo or its Sub-processors of which Indigo becomes aware (a "Security Breach"). For the avoidance of doubt, "Security Breach" does not include pings or other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing, or similar incidents. Any such notification is not an acknowledgement of fault or responsibility. To the extent the Security Breach is caused by a violation of this DPA by Indigo, Indigo shall make reasonable efforts to identify and remediate the cause of the Security Breach. Indigo will reasonably assist Customer in complying with its reporting obligations under US Privacy Laws in connection with the Security Breach.

10. Data Access Requests
    1. If Indigo becomes aware of any third-party legal process requesting Personal Data that Indigo Processes on behalf of Customer in its role as Processor, Indigo will:
       1. promptly notify Customer of the request, unless such notification is legally prohibited;
       2. inform the third party that Indigo is a Processor of the Personal Data and is not authorized to disclose the Personal Data without Customer's consent;
       3. disclose to the third party the minimum necessary Customer contact details to allow the third party to contact Customer and direct its data request to Customer; and
       4. to the extent Indigo provides access to or discloses Personal Data in response to third-party legal process either with Customer's authorization or due to mandatory legal compulsion, Indigo will disclose only the minimum amount of Personal Data legally required, and in accordance with the applicable legal process.
    2. If Indigo becomes aware of third-party legal process issued by a government authority (including a judicial authority) requesting Personal Data that Indigo Processes on behalf of Customer, then, to the extent that Indigo reviews the request with reasonable efforts and as a result is able to identify a conflict of law, Indigo will (i) take all actions identified in Section 11.1; (ii) pursue legal remedies prior to producing Personal Data, up to an appellate-court level, where reasonably available; and (iii) not disclose Personal Data until (and then only to the extent) required to do so under applicable procedural rules.
    3. Emergency Exception. Sections 11.1 and 11.2 shall not apply if Indigo has a good-faith belief that the government request is necessary due to an emergency involving the danger of death or serious physical injury to an individual. In such event, Indigo shall notify Customer of the data disclosure as soon as possible following the disclosure, and provide Customer with full details, unless such disclosure is legally prohibited.
11. CCPA/CPRA and US State Privacy Laws Specific Terms
    1. Service Provider/Processor Status. The parties acknowledge and agree that, with respect to Personal Data subject to the CCPA/CPRA or any other US Privacy Law that uses the terms "Service Provider," "Processor," or analogous concepts, Indigo is acting as a Service Provider, Processor, or Contractor (as applicable) on behalf of Customer.
    2. Restrictions on Use. Indigo shall not (i) Sell or Share Personal Data; (ii) retain, use, or disclose Personal Data for any purpose other than the specific business purposes set forth in the Agreement and this DPA, including any commercial purpose other than providing the Products, except as otherwise permitted by US Privacy Laws; (iii) retain, use, or disclose Personal Data outside the direct business relationship between Customer and Indigo, except as permitted by US Privacy Laws; or (iv) combine Personal Data Processed under the Agreement with personal data Indigo receives from or on behalf of any other person, or that Indigo collects from its own interaction with a Data Subject, except as permitted by US Privacy Laws. Indigo shall not Process Personal Data for cross-context behavioral advertising or targeted advertising. Indigo certifies that it understands and will comply with these restrictions.
    3. Subprocessors as Service Providers. Indigo's Subprocessors, as described in Section 7 (Sub-processors), are Service Providers, Processors, or Contractors (as applicable) under US Privacy Laws, and Indigo has entered into written contracts with each that include terms substantially similar to those in this DPA. Indigo conducts appropriate due diligence on its Subprocessors.
12. General
    1. Conflict with Agreement. This DPA is without prejudice to the rights and obligations of the parties under the Agreement, which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail to the extent the subject matter concerns the Processing of Personal Data, except that the Agreement, the applicable Order Form, and any applicable Upstream Data Provider Terms control with respect to Product access, Product usage rights and restrictions, Licensed Data, Upstream Data, fees, suspension, termination, and order-specific terms. Indigo's liability under or in connection with this DPA is subject to the exclusions and limitations on liability set forth in the Agreement. In no event does Indigo limit or exclude its liability towards Data Subjects or Regulators to the extent such limitation or exclusion is prohibited by US Privacy Laws.
    2. No Third-Party Beneficiaries. Except where and to the extent required by US Privacy Laws, this DPA does not confer any third-party beneficiary rights and is intended for the benefit of the parties and their respective permitted successors and assigns only.
    3. Governing Law. This DPA and any action related to it shall be governed by and construed in accordance with the laws of the State of Delaware, without giving effect to any principles of conflicts of law. The parties consent to the personal jurisdiction of, and venue in, the state and federal courts located in Delaware.
    4. Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in effect.
    5. Entire Agreement; Updates. This DPA, together with the Agreement, is the final, complete, and exclusive agreement of the parties with respect to its subject matter and supersedes all prior discussions and agreements between the parties with respect to such subject matter. Indigo may update this DPA from time to time by posting an updated version on Indigo's legal terms page or otherwise providing notice through the Products, by email, or through an Order Form. Updates will be effective as of the posted last updated date or as otherwise stated in the notice. Updated terms will apply to new Order Forms, renewals, and continued use of the Products after the effective date of the update, except that material updates will not apply during a then-current fixed Subscription Term unless Customer accepts the updated terms or the update is required by law, security, or Upstream Data Provider Terms.