/

Document

Data Processing Agreement

Effective Date:

This Data Processing Agreement (“DPA”) is entered into by and between you (“Controller,” “you,” or “your”) and [Company Name] (“Processor,” “we,” “us,” or “our”) and forms part of the agreement governing your use of [Product Name] (the “Service”). It applies to the extent that we process personal data on your behalf that is subject to applicable data protection laws.

This DPA reflects the Parties’ agreement regarding such processing. In the event of any conflict between this DPA and our Terms of Service, the provisions of this DPA shall prevail with respect to the processing of personal data.

By using the Service in a manner that involves processing personal data on your behalf, you agree to the terms of this DPA. Terms not otherwise defined here have the meaning given to them in our Terms of Service.


1. Definitions

For the purposes of this DPA:

  • "Personal Data" means any information about an identified or identifiable person

  • "Processing" means any operation on Personal Data, like collection, storage, and deletion

  • "Data Subject" means the individual to whom Personal Data relates

  • "Sub-processor" means a third party processing your Personal Data

  • "Applicable Data Protection Laws" means all relevant data protection laws


2. Roles of the Parties

The Parties acknowledge that, with respect to the processing of Personal Data under this DPA, you are the data controller and we are the data processor.

You are responsible for determining the purposes and means of processing and for ensuring that you have a valid legal basis for it. We process Personal Data solely on your behalf and in accordance with your documented instructions.


3. Processing of Personal Data

Instructions. We process Personal Data only on your documented instructions, including with regard to international transfers, unless required to do otherwise by law. If we are legally required to process beyond your instructions, we will inform you before doing so, unless the law prohibits it.

Purpose limitation. We do not process Personal Data for any purpose other than providing the Service or as otherwise instructed by you.

Lawfulness. You warrant that your instructions and the processing under this DPA comply with Applicable Data Protection Laws, and that you have obtained all necessary consents and provided all necessary notices to Data Subjects.


4. Nature and Purpose of Processing

The subject matter, nature, and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are determined by your use of the Service. In general:

  • Subject matter: the provision of the Service to you

  • Duration: the term of the agreement, plus any applicable retention period

  • Nature and purpose: processing necessary to operate, maintain, and support the Service

  • Types of Personal Data: data you submit through the Service, such as names, contact details, and account information

  • Categories of Data Subjects: your users, customers, employees, or others whose data you process through the Service


5. Confidentiality

We ensure that any person authorized to process Personal Data is bound by an appropriate duty of confidentiality and is aware of the confidential nature of the data.

We limit access to Personal Data to those personnel who require it in order to perform their duties in connection with the Service.


6. Security Measures

We implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk. These measures may include, as appropriate:

  • encryption of Personal Data in transit and, where appropriate, at rest

  • measures to ensure the ongoing confidentiality, integrity, and availability of systems

  • the ability to restore access to Personal Data in a timely manner after an incident

  • a process for regularly testing and evaluating the effectiveness of these measures

The Parties acknowledge that security requirements evolve over time and that appropriate measures may change accordingly.


7. Sub-processing

You provide general authorization for us to engage Sub-processors to support the provision of the Service, subject to the conditions in this section.

We enter into a written agreement with each Sub-processor imposing data protection obligations substantially similar to those in this DPA, and we remain responsible for each Sub-processor’s performance.

We make a current list of Sub-processors available upon request and will inform you of any intended changes concerning the addition or replacement of Sub-processors, giving you the opportunity to object.


8. Data Subject Rights

Taking into account the nature of the processing, we assist you by appropriate technical and organizational measures, insofar as possible, in fulfilling your obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws.

If we receive a request from a Data Subject relating to Personal Data processed on your behalf, we will, where legally permitted, direct them to you or promptly notify you of the request.


9. Personal Data Breaches

We notify you without undue delay after becoming aware of a Personal Data breach affecting your data. The notification will include, to the extent available, the information reasonably necessary to help you meet any obligations to report or notify the breach under Applicable Data Protection Laws.

We take reasonable steps to mitigate the effects of a potential breach.


10. Assistance to the Controller

Taking into account the nature of processing and the information available to us, we provide reasonable assistance to you in ensuring compliance with your obligations relating to the security of processing, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, where applicable.


11. International Transfers

We do not transfer Personal Data to a country outside your jurisdiction unless appropriate safeguards are in place in accordance with Applicable Data Protection Laws. Where required, the Parties agree to put in place standard contractual clauses or rely on another recognized transfer mechanism.


12. Deletion or Return of Personal Data

Upon termination of the Service, or upon your written request, we will, at your choice, delete or return all Personal Data processed on your behalf and delete existing copies, unless retention is required by law.

Where deletion is not immediately possible, for example because the data is held in backup systems, we securely isolate it from further processing until deletion is possible.


13. Audits and Compliance

We make available to you the information reasonably necessary to demonstrate compliance with the obligations set out in this DPA.

You may, upon reasonable prior notice and no more than once per year unless required by a supervisory authority, request an audit of our relevant processing activities. The Parties will agree in advance on the scope, timing, and reasonable costs of any such audit, conducted in a manner that does not unreasonably disrupt our operations.


14. Liability

Each Party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in our Terms of Service. Nothing in this DPA limits either Party’s liability to the extent such limitation is not permitted by Applicable Data Protection Laws.


15. Term and Termination

This DPA remains in effect for as long as we process Personal Data on your behalf in connection with the Service. The provisions that by their nature should survive termination will continue to apply following termination.


16. Contact

For any questions relating to this Data Processing Agreement, please contact us at:

[Company Name] [Street Address] [City, Postal Code, Country] Email: [contact email]

Where modern teams operate.

Where modern teams operate.

Create a free website with Framer, the website builder loved by startups, designers and agencies.