Legal
Data Processing Agreement
This Data Processing Agreement (DPA) describes the obligations of JHBRIDGE Translation Services when processing personal data on behalf of clients in connection with translation, interpretation, and related services.
Effective Date: June 2026
Scope and Applicability
This Data Processing Agreement (DPA) applies when JHBRIDGE Translation Services ("JHBRIDGE" or "Processor") processes personal data on behalf of a client ("Controller") in connection with translation, interpretation, or related services. The DPA governs the relationship between the Controller and JHBRIDGE with respect to the processing of personal data and supplements the underlying service agreement or accepted business terms between the parties.
This DPA applies only when incorporated into a signed service agreement, accepted business terms, or other binding arrangement between the Controller and JHBRIDGE. This DPA does not create independent obligations outside the context of an active service relationship. If there is a conflict between this DPA and the underlying service agreement, the terms of this DPA will prevail with respect to data processing matters, unless the service agreement explicitly provides otherwise.
The scope of personal data processing covered by this DPA is limited to the personal data that JHBRIDGE processes on behalf of the Controller as necessary to provide the agreed-upon services. This may include personal data contained within documents submitted for translation, information about individuals referenced in interpretation sessions, and contact information of the Controller's personnel who interact with JHBRIDGE in connection with service delivery.
Definitions
"Controller" means the party that determines the purposes and means of processing personal data. In the context of this DPA, the Controller is the client who engages JHBRIDGE to provide translation, interpretation, or related services and submits or makes available personal data to JHBRIDGE for processing in connection with those services.
"Processor" means JHBRIDGE Translation Services when processing personal data on behalf of and under the instructions of the Controller. "Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to names, contact information, identification numbers, location data, and any other information that can be used directly or indirectly to identify a specific individual.
"Processing" means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, and destruction. "Subprocessor" means any third party engaged by JHBRIDGE to assist with the processing of personal data on behalf of the Controller.
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed by JHBRIDGE in connection with the services provided under the applicable service agreement.
Processing Instructions
JHBRIDGE will process personal data only in accordance with the Controller's documented instructions and as necessary to provide the agreed-upon services. The Controller's instructions are defined by the scope of services described in the applicable service agreement, work orders, project briefs, and any supplemental written instructions provided by the Controller to JHBRIDGE.
JHBRIDGE will not process personal data for its own independent purposes beyond what is necessary for service delivery, unless separately authorized by the Controller in writing or required by applicable law. If JHBRIDGE is required by applicable law to process personal data for a purpose other than providing services to the Controller, JHBRIDGE will inform the Controller of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.
If JHBRIDGE believes that an instruction from the Controller would violate applicable data protection laws, JHBRIDGE will promptly notify the Controller and may suspend processing of the affected personal data until the Controller provides clarified instructions. JHBRIDGE is not required to independently assess the legality of the Controller's processing purposes but will cooperate in good faith if concerns arise.
Confidentiality
JHBRIDGE will ensure that all personnel, employees, contractors, translators, interpreters, and other individuals who have access to personal data processed on behalf of the Controller are subject to appropriate confidentiality obligations. These obligations may be imposed through employment agreements, contractor agreements, non-disclosure agreements, or other binding instruments that require individuals to maintain the confidentiality of personal data they access in the course of their work.
Access to personal data will be limited to those individuals who need access to perform their assigned tasks in connection with the services provided to the Controller. JHBRIDGE implements access control measures to restrict access to personal data on a need-to-know basis and maintains records of individuals authorized to access personal data.
Confidentiality obligations survive the termination or expiration of the individual's relationship with JHBRIDGE and the termination or expiration of the service agreement between JHBRIDGE and the Controller. JHBRIDGE will take reasonable steps to enforce confidentiality obligations against individuals who breach them.
Security Measures
JHBRIDGE will implement and maintain reasonable technical and organizational security measures appropriate to the nature, scope, context, and purposes of the personal data processed, as well as the risks to the rights and freedoms of the individuals whose data is processed. These measures are designed to protect personal data against unauthorized access, accidental loss, destruction, alteration, and other forms of unlawful or unauthorized processing.
Security measures implemented by JHBRIDGE may include, but are not limited to: encryption of personal data in transit and at rest using industry-standard cryptographic protocols, access controls including role-based permissions and multi-factor authentication for systems that process personal data, secure infrastructure hosted with reputable cloud service providers, regular review and updating of security practices, and secure disposal of personal data when it is no longer needed.
JHBRIDGE will periodically review and update its security measures to address evolving threats, vulnerabilities, and industry best practices. While JHBRIDGE takes reasonable precautions, no security system is impenetrable, and JHBRIDGE cannot guarantee that personal data will never be subject to unauthorized access or breach. JHBRIDGE will promptly address any identified security vulnerabilities and will notify the Controller of any confirmed data breaches as described in the Data Breach Notification section of this DPA.
Subprocessors
JHBRIDGE may engage subprocessors to assist with the delivery of services to the Controller, including but not limited to cloud hosting providers, translation management platform providers, AI tool providers, payment processors, and communication service providers. JHBRIDGE maintains a current list of subprocessors, which is available at /legal/subprocessors or upon request.
JHBRIDGE will impose data protection obligations on subprocessors through written agreements that are no less protective than the obligations set forth in this DPA. These obligations include requirements to process personal data only in accordance with documented instructions, to implement appropriate security measures, and to assist with data subject rights requests and data breach notifications as applicable.
JHBRIDGE will notify the Controller of any intended changes to its list of subprocessors (additions or replacements) within a reasonable timeframe before engaging the new subprocessor. The Controller may object to a new subprocessor on reasonable data protection grounds by notifying JHBRIDGE in writing within a reasonable period after receiving notice. If the Controller objects and the parties cannot resolve the objection, either party may terminate the affected services as provided in the underlying service agreement.
JHBRIDGE remains responsible to the Controller for the acts and omissions of its subprocessors with respect to data processing obligations under this DPA, to the same extent that JHBRIDGE would be responsible if performing the processing directly, subject to the liability limitations set forth in the applicable service agreement.
Data Subject Rights
JHBRIDGE will assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection laws, to the extent reasonably practicable and as required by applicable law. Data subject rights may include the right to access personal data, the right to rectification or correction of inaccurate data, the right to erasure or deletion, the right to restrict processing, the right to data portability, and the right to object to certain types of processing.
If JHBRIDGE receives a request directly from a data subject regarding personal data processed on behalf of the Controller, JHBRIDGE will promptly notify the Controller and will not respond to the request directly unless authorized to do so by the Controller or required to do so by applicable law. The Controller retains primary responsibility for responding to data subject requests, and JHBRIDGE's role is to provide reasonable assistance.
Assistance provided by JHBRIDGE in connection with data subject rights requests may include locating and providing copies of the data subject's personal data held by JHBRIDGE, implementing erasure or correction requests as directed by the Controller, and providing technical assistance with data portability requests. JHBRIDGE may charge reasonable fees for assistance that requires significant effort beyond what is contemplated by the standard service arrangement.
Data Breach Notification
JHBRIDGE will notify the Controller of a confirmed personal data breach without undue delay and in any event within a reasonable timeframe after becoming aware of the breach. JHBRIDGE will make reasonable efforts to provide initial notification as promptly as circumstances permit, taking into account the need to investigate the breach, assess its scope, and implement immediate containment measures.
Breach notification will include, to the extent known at the time of notification: the nature of the personal data breach, including the categories and approximate number of data subjects affected; the categories and approximate volume of personal data records affected; a description of the likely consequences of the breach; a description of the measures taken or proposed to address the breach, including measures to mitigate its potential adverse effects; and the name and contact details of the JHBRIDGE point of contact from whom additional information may be obtained.
If it is not possible to provide all required information at the time of initial notification, JHBRIDGE will provide information in phases as it becomes available through the ongoing investigation. JHBRIDGE will cooperate with the Controller's own breach response efforts, including providing additional information and assistance as reasonably requested.
JHBRIDGE will not notify data subjects directly about a breach involving personal data processed on behalf of the Controller unless the Controller requests or authorizes such notification, or unless JHBRIDGE is independently required to do so by applicable law.
Data Deletion and Return
Upon termination or expiration of the service agreement, or upon the Controller's written request, JHBRIDGE will delete or return all personal data processed on behalf of the Controller within a reasonable period, except where retention is required by applicable law, regulation, or legitimate business purpose. The Controller may specify a preference for deletion or return, and JHBRIDGE will use reasonable efforts to accommodate the requested method.
Certain personal data may be retained by JHBRIDGE after termination of services where retention is required by law (such as tax or financial reporting requirements), necessary for the establishment, exercise, or defense of legal claims, required for legitimate business record-keeping purposes (such as billing records, audit trails, and transaction logs), or contained in backup systems where immediate deletion is not technically feasible, in which case JHBRIDGE will delete the data when the backup is rotated or overwritten in the normal course of operations.
JHBRIDGE will provide written confirmation of data deletion upon the Controller's request. Deletion will be performed using methods appropriate to the media on which the data is stored and will render the data unrecoverable through reasonable means.
International Data Transfers
Personal data processed by JHBRIDGE under this DPA may be processed in the United States. By engaging JHBRIDGE and agreeing to this DPA, the Controller acknowledges that personal data may be transferred to and processed in the United States, where data protection laws may differ from those in the Controller's jurisdiction.
JHBRIDGE is not GDPR compliant by default, does not claim formal certification under the EU General Data Protection Regulation (GDPR), and does not participate in the EU-U.S. Data Privacy Framework. This Data Processing Agreement (DPA) and any standard contractual clauses (SCCs) are not active by default and do not apply unless explicitly executed as a custom, signed contract addendum between the Controller and JHBRIDGE. Controllers located in jurisdictions that impose restrictions on international data transfers (such as the European Economic Area, the United Kingdom, or Switzerland) are responsible for ensuring that an appropriate legal basis exists for the transfer of personal data to JHBRIDGE in the United States.
If the Controller requires specific data transfer safeguards, such as Standard Contractual Clauses (SCCs) or other transfer mechanisms, the Controller must discuss these requirements with JHBRIDGE and execute a custom signed agreement before commencing services. JHBRIDGE will cooperate in good faith to address reasonable transfer mechanism requests, though the availability and terms of specific transfer mechanisms are subject to negotiation and mutual agreement.
Audits
The Controller may request information reasonably necessary to demonstrate JHBRIDGE's compliance with the obligations set forth in this DPA. JHBRIDGE will cooperate with reasonable audit and inspection requests, subject to appropriate confidentiality protections, reasonable scheduling accommodations, and limitations on the scope and frequency of audits to prevent undue disruption to JHBRIDGE's operations.
Audit requests should be submitted in writing with reasonable advance notice and should describe the specific compliance areas to be audited. JHBRIDGE may satisfy audit requests by providing relevant documentation, certifications, summaries of security practices, or reports from independent third-party auditors, rather than granting direct physical or system access, where such alternatives are reasonably sufficient to demonstrate compliance.
If an audit reveals material non-compliance with the obligations set forth in this DPA, JHBRIDGE will promptly take corrective action to address the identified deficiencies and will inform the Controller of the remediation steps taken. The costs of audits initiated by the Controller are borne by the Controller, except where the audit reveals material non-compliance by JHBRIDGE, in which case the reasonable costs of the audit may be borne by JHBRIDGE.
Liability and Limitations
JHBRIDGE's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set forth in the applicable service agreement or Terms of Service between the parties. This DPA does not create liability obligations that exceed or override the liability provisions of the underlying service agreement.
Each party is responsible for its own compliance with applicable data protection laws to the extent such laws apply to the party's role in the processing of personal data. The Controller is responsible for ensuring that it has a lawful basis for processing personal data and for providing instructions to JHBRIDGE that comply with applicable law. JHBRIDGE is responsible for processing personal data in accordance with the Controller's lawful instructions and the terms of this DPA.
Nothing in this DPA limits or excludes liability to the extent that such limitation or exclusion is not permitted by applicable law. To the extent that applicable data protection laws impose mandatory liability obligations that cannot be contractually limited, such obligations will apply notwithstanding any limitations set forth in this DPA or the underlying service agreement.
Contact Information
JHBRIDGE Translation Services
Email: contact@jhbridgetranslation.com
Phone: +1 (774) 223-8771
Address: 500 Grossman Dr, Braintree, MA 02184
