Data Processing Addendum
Effective date: May 13, 2026 · Custodia, LLC
Custodia, LLC offers a Data Processing Addendum (“DPA”) for customers who, in the course of using the BidFedCMMC platform (the “Service”), process personal information of natural persons in a capacity that triggers controller/processor obligations under U.S. state comprehensive privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, and similar laws). This page summarizes our DPA. The signed DPA controls.
Who needs a DPA
- Managed Service Providers (MSPs) running the Service on behalf of multiple end-customer organizations.
- Businesses subject to U.S. state privacy laws that require processor or service-provider terms with vendors.
- Government contractors with flow-down data-handling obligations from their prime contractor.
What the DPA covers
- Roles: Customer as controller (or business); BidFedCMMC as processor (or service provider).
- Scope and purpose limited to delivering the Service.
- Categories of personal information processed.
- Confidentiality, security controls, and personnel obligations.
- Sub-processor authorization with prior notice (see /subprocessors).
- Assistance with data-subject rights requests.
- Breach notification within 72 hours of confirmation.
- Audit rights: BidFedCMMC will respond to reasonable written security questionnaires once per twelve-month period.
- Deletion or return of personal information at end of term.
- Liability and indemnification consistent with our Terms of Service.
No international transfer mechanism
The Service is offered only to U.S. legal entities, and customer data is stored in the contiguous United States. We do not provide GDPR Standard Contractual Clauses, the UK International Data Transfer Agreement, or comparable transfer mechanisms, because the Service is not designed to process data of non-U.S. data subjects.
How to request the DPA
Email legal@bidfedcmmc.com with your legal entity name, the contracting individual's title, and any specific contractual flow-down language you need us to acknowledge. We will return a counter-signature within five (5) business days.