Data Processing Agreement (DPA)

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between [Your Company Name] ("Processor") and the customer ("Customer" or "Controller"). This DPA governs the processing of personal data by [Your Company Name] on behalf of the Customer.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable individual.
  • Processing: Any operation performed on personal data, including collection, storage, analysis, or deletion.
  • Subprocessor: Any third party engaged by [Your Company Name] to process personal data.

3. Scope and Role

  • Customer acts as Controller.
  • [Your Company Name] acts as Processor, processing personal data on behalf of the Customer.

4. Processing Instructions

  • [Your Company Name] shall only process personal data:
    • As instructed by the Customer.
    • As necessary to provide the Services.
    • In compliance with applicable data protection laws.

5. Subprocessors

  • Customer authorizes [Your Company Name] to engage subprocessors.
  • Current subprocessors are listed at: [Your Website / Subprocessors].
  • [Your Company Name] shall ensure all subprocessors comply with equivalent data protection obligations.

6. Data Security

[Your Company Name] shall implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption in transit and at rest.
  • Access controls.
  • Security audits and incident response plans.

7. Data Subject Rights

[Your Company Name] shall assist Customer in fulfilling data subject requests, including:

  • Access.
  • Rectification.
  • Erasure.
  • Data portability.
  • Objection to processing.

8. International Transfers

  • Personal data may be transferred outside the EEA/UK.
  • All such transfers shall comply with:
    • Standard Contractual Clauses (SCCs).
    • Adequacy decisions where applicable.
  • Current transfer mechanisms are available at: [Your Privacy Center URL].

9. Data Breaches

In case of a personal data breach, [Your Company Name] shall:

  • Notify the Customer without undue delay.
  • Provide information necessary for the Customer to comply with its obligations.

10. Return or Deletion of Data

Upon termination of the Agreement, [Your Company Name] shall:

  • Return all personal data to the Customer, or
  • Securely delete all personal data, except where retention is required by law.

11. Audit Rights

Customer may request evidence of [Your Company Name]'s compliance with this DPA, including:

  • Security documentation.
  • Third-party audit reports.
  • Certification evidence (e.g., ISO 27001, SOC 2).

12. Governing Law

This DPA is governed by [Your Country’s Law] and any applicable data protection laws (including GDPR, CPRA, and PIPEDA).

Execution

This DPA is effective as of the date Customer accepts the Terms of Service or signs a direct agreement with [Your Company Name].