Data Processing Agreement
This Data Processing Agreement governs the processing of personal data by [LEGAL ENTITY NAME] on behalf of customers using [PRODUCT NAME] where applicable data protection law requires a processor agreement.
- Effective date: [DATE]
- Last updated: [DATE]
1. Parties and Scope
This Data Processing Agreement (the “DPA”) forms part of and is incorporated into the Terms of Service, Order Form, or other written or electronic agreement governing the provision of [PRODUCT NAME] (the “Agreement”) between [CUSTOMER LEGAL NAME] (“Customer”) and [LEGAL ENTITY NAME] (“Processor”, “we”, “us”, or “our”).
This DPA applies only to the extent that Processor processes Personal Data on behalf of Customer as a processor or service provider in connection with the Service and where applicable data protection law requires a contract governing such processing.
If Customer is not a controller, business, or other entity with authority to bind a controller or business, Customer represents that it has full authority to enter into this DPA on behalf of the relevant controller or business.
2. Definitions
Capitalized terms not defined in this DPA have the meanings given to them in the Agreement.
For purposes of this DPA:
- “Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under the Agreement, including, where applicable, the GDPR, UK GDPR, Swiss data protection law, and other applicable privacy laws.
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, and “Processing” have the meanings given in Applicable Data Protection Law.
- “Customer Personal Data” means Personal Data processed by Processor on behalf of Customer under the Agreement.
- “GDPR” means Regulation (EU) 2016/679.
- “Subprocessor” means any third party engaged by Processor to process Customer Personal Data on behalf of Customer.
- “SCCs” means the standard contractual clauses approved by the European Commission, the UK addendum, or other recognized transfer mechanism, as applicable.
3. Roles of the Parties
As between the parties, Customer acts as the Controller or the relevant business, and Processor acts as the Processor or service provider with respect to Customer Personal Data processed under this DPA.
Customer is responsible for determining the purposes and means of the processing of Customer Personal Data, for providing all notices, and for obtaining all rights, consents, and authorizations necessary for the lawful processing of Customer Personal Data under the Agreement.
4. Processor Obligations
Processor will:
- process Customer Personal Data only on documented instructions from Customer, including as set out in the Agreement and this DPA, unless otherwise required by applicable law;
- promptly inform Customer if, in Processor’s opinion, an instruction infringes Applicable Data Protection Law, unless prohibited by law from doing so;
- ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations;
- implement appropriate technical and organizational measures as described in this DPA;
- assist Customer with its obligations under Applicable Data Protection Law to the extent required and taking into account the nature of the processing and the information available to Processor; and
- not sell, share, retain, use, or disclose Customer Personal Data outside the direct business relationship between the parties except as permitted by the Agreement, this DPA, or applicable law.
5. Customer Instructions
Customer instructs Processor to process Customer Personal Data as necessary to provide, secure, support, and improve the Service, in accordance with the Agreement, this DPA, and Customer’s use and configuration of the Service.
Customer may provide additional reasonable written instructions consistent with the Agreement and Applicable Data Protection Law. Processor may charge reasonable fees for assistance or changes required by instructions outside the standard scope of the Service.
6. Details of Processing
- Subject matter: Provision of the hosted platform, account administration, provisioning, agent configuration, messaging-channel connectivity, diagnostics, security, support, and related services under the Agreement.
- Duration: For the duration of the Agreement and any authorized post-termination retention period described in the Agreement, Privacy Policy, or this DPA.
- Nature and purpose: Hosting, storage, organization, access, transmission, support, security monitoring, export, deletion, and other processing activities reasonably necessary to provide the Service.
- Categories of data subjects: Customer personnel, workspace users, end users, message senders or recipients, support contacts, and other individuals whose Personal Data is submitted to the Service by or on behalf of Customer.
- Categories of personal data: Account data, contact details, message metadata, conversation content where applicable, configuration data, identifiers, support records, audit events, and other Personal Data submitted through the Service by or on behalf of Customer.
- Special categories: Only to the extent submitted by Customer or its end users. Customer is responsible for determining whether the Service is appropriate for such data and for implementing any additional required safeguards.
7. Technical and Organizational Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, Processor will implement appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
These measures may include, as appropriate:
- access controls and role-based permissions;
- authentication safeguards;
- encryption in transit and, where applicable, at rest;
- logging and audit controls;
- secrets-handling and redaction practices;
- network and infrastructure security controls;
- backup and recovery practices where relevant to the Service architecture; and
- incident detection and response processes.
Customer acknowledges that no security measure is infallible and that the security of the Service also depends on Customer’s own configuration, access management, credentials, connected providers, and operational practices.
8. Confidentiality
Processor will ensure that personnel authorized to process Customer Personal Data are subject to confidentiality obligations, whether by contract, policy, or applicable law, that survive the termination of their engagement where appropriate.
9. Subprocessors
Customer authorizes Processor to engage Subprocessors to process Customer Personal Data in connection with the Service.
Processor will maintain an up-to-date list of material Subprocessors, whether in the Privacy Policy, on a subprocessors page, or by other reasonable means.
Processor will impose data protection obligations on Subprocessors that are substantially similar to those set out in this DPA, to the extent applicable to the services they provide. Processor remains responsible for the performance of its Subprocessors to the extent required by Applicable Data Protection Law.
10. International Transfers
To the extent Processor transfers Customer Personal Data outside the EEA, the UK, Switzerland, or another jurisdiction requiring a lawful transfer mechanism, Processor will ensure that an appropriate transfer safeguard is in place, such as adequacy regulations, SCCs, the UK addendum, or another lawful transfer mechanism.
Where required, the SCCs are incorporated by reference into this DPA and apply to such transfers, completed as follows unless otherwise stated in writing:
- the Customer is the data exporter and Processor is the data importer;
- Module Two (Controller to Processor) applies where Customer is a controller and Processor is a processor;
- Module Three (Processor to Processor) applies where Customer is a processor and Processor is a subprocessor;
- the optional docking clause applies;
- the competent supervisory authority and governing law will be those required by the SCCs based on Customer’s location or establishment; and
- the technical and organizational measures described in this DPA and Processor’s security materials form part of Annex II.
11. Assistance with Data Subject Requests
Taking into account the nature of the processing, Processor will provide reasonable assistance to Customer in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Law.
If Processor receives a request directly from a Data Subject relating to Customer Personal Data, Processor may, unless prohibited by law, direct the Data Subject to Customer and will not respond to the request except as instructed by Customer or required by law.
12. Assistance with Compliance Obligations
Taking into account the nature of processing and the information available to Processor, Processor will provide reasonable assistance to Customer with:
- security of processing obligations;
- Personal Data Breach notifications;
- data protection impact assessments; and
- consultation with supervisory authorities,
in each case only to the extent required by Applicable Data Protection Law and reasonably necessary in light of the processing performed by Processor.
13. Personal Data Breaches
Processor will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data.
Such notification may be made in phases as information becomes available and will include, to the extent known and reasonably available, information reasonably necessary for Customer to meet its breach-notification obligations.
Processor’s notification of or response to a Personal Data Breach is not an admission of fault or liability.
14. Deletion and Return of Data
Upon termination or expiration of the Agreement, Processor will, at Customer’s choice and subject to the functionality of the Service, delete or return Customer Personal Data, unless retention is required by applicable law.
Customer acknowledges that certain Customer Personal Data may remain in backups, logs, archives, or operational records for a limited period, after which such data will be deleted in accordance with Processor’s retention and deletion practices.
Customer is responsible for exporting any Customer Content or Customer Personal Data it wishes to retain before termination of the Service, except to the extent the Agreement or applicable law requires otherwise.
15. Audit and Information Rights
Processor will make available to Customer information reasonably necessary to demonstrate compliance with this DPA.
Where required by Applicable Data Protection Law, Customer may request an audit of Processor’s compliance with this DPA no more than once annually, except where a Personal Data Breach or supervisory authority request reasonably requires additional review.
Any such audit must:
- be conducted on reasonable prior written notice;
- occur during normal business hours;
- avoid unreasonable disruption to Processor’s business;
- be subject to appropriate confidentiality restrictions; and
- be limited to systems, records, and facilities relevant to the processing of Customer Personal Data.
Processor may satisfy audit obligations through existing audit reports, certifications, security documentation, or similar materials where appropriate.
16. Customer Warranties
Customer represents and warrants that:
- it has complied and will comply with Applicable Data Protection Law in connection with its use of the Service;
- it has provided all required notices and obtained all required rights and consents for the processing of Customer Personal Data under the Agreement and this DPA;
- its instructions to Processor are lawful; and
- it will not provide or make available Personal Data to Processor except as necessary and appropriate for the purposes of the Service.
17. Liability
The total aggregate liability of each party arising out of or relating to this DPA will be subject to the exclusions and limitations of liability set out in the Agreement, unless Applicable Data Protection Law requires otherwise.
18. Order of Precedence
In the event of a conflict between this DPA and the Agreement, this DPA will control with respect to the subject matter of this DPA. In the event of a conflict between this DPA and the SCCs, the SCCs will control to the extent required for the relevant transfer.
19. Governing Law
This DPA will be governed by the governing law and jurisdiction provisions of the Agreement, unless Applicable Data Protection Law or the SCCs require otherwise.
20. Contact
Privacy and legal contact
[LEGAL ENTITY NAME]
[REGISTERED ADDRESS]
Privacy: [PRIVACY EMAIL]
Legal: [LEGAL EMAIL]