Data Processing Agreement

Emotional Reset Center — Last Updated: February 2026

This DPA forms part of the Terms of Service between Emotional Reset Center ("Processor") and the subscribing organization ("Personal Information Controller").

1. Roles of the Parties

  • The Organization is the Personal Information Controller (PIC).
  • ERC acts as a Personal Information Processor (PIP) under RA 10173.

2. Categories of Data Processed

ERC may process:

  • Personal information (name, email)
  • Organizational information
  • Assessment responses
  • Assessment results
  • Usage analytics

Some data may qualify as Sensitive Personal Information.

3. Purpose of Processing

Data is processed solely for:

  • Providing access to mental health tools
  • Delivering assessment scoring
  • Generating anonymized analytics
  • Providing organizational insights
  • Customer support

ERC does not sell personal data.

4. Aggregation & De-Identification

ERC may generate anonymized or aggregated data for cohort-based reporting, demographic insights, and platform improvements. Such aggregated data cannot identify individual users, does not include names or direct identifiers, and may be retained for statistical purposes.

5. Security Measures

ERC implements:

  • HTTPS encryption
  • Secure hosting infrastructure
  • Access controls
  • Confidentiality agreements with staff
  • Logging and monitoring mechanisms

6. Data Breach Notification

In case of a personal data breach, ERC shall notify the Organization without undue delay, cooperate in compliance with NPC breach reporting rules, and assist in mitigation efforts.

7. Data Subject Rights

The Organization remains responsible for responding to access, correction, erasure, and data portability requests. ERC shall reasonably assist where required.

8. Retention & Deletion

Personal data is retained for the duration of the subscription and as required by law. Upon termination, data will be returned or securely deleted within a reasonable period, unless legally required to retain.

9. Sub-Processors

ERC may engage third-party providers (e.g., hosting, payment processors). Such providers are contractually bound to data protection obligations consistent with RA 10173.

10. Cross-Border Transfers

If data is transferred outside the Philippines, ERC ensures adequate safeguards in accordance with NPC guidelines.

11. Governing Law

This DPA is governed by the laws of the Republic of the Philippines.