DATA PROCESSING AGREEMENT

1.1The following terms shall have the meanings set forth below:

• "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party.
• "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data, including but not limited to GDPR, UK GDPR, CCPA, and equivalent laws.
• "CCPA" means the California Consumer Privacy Act of 2018, as amended.
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
• "Data Controller" or "Controller" means the entity that determines the purposes and means of processing Personal Data.
• "Data Processor" or "Processor" means the entity that processes Personal Data on behalf of the Controller.
• "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
• "GDPR" means the General Data Protection Regulation (EU) 2016/679.
• "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Applicable Data Protection Law.
• "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
• "Special Categories of Personal Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.
• "Sub-processor" means any third party appointed by Processor to process Personal Data on behalf of Controller.
• "Supervisory Authority" means an independent public authority established by an EU Member State to oversee compliance with data protection law.

2.1Subject Matter and Duration. This DPA applies to the processing of Personal Data by Processor on behalf of Controller in connection with the Principal Agreement for the duration of that agreement.

2.2Nature and Purpose of Processing. Processor shall process Personal Data for the following purposes:

[DESCRIBE PURPOSE: e.g., customer relationship management, service delivery, technical support, analytics, etc.]

2.3Types of Personal Data. The processing involves the following categories of Personal Data:

• ☐ Contact information (name, email, phone, address)
• ☐ Identification data (ID numbers, passport, driver's license)
• ☐ Financial data (payment information, bank details)
• ☐ Technical data (IP address, device ID, usage data)
• ☐ Professional data (job title, employer, work history)
• ☐ Authentication data (usernames, passwords, security questions)
• ☐ Communication data (emails, chat logs, support tickets)
• ☐ [OTHER - SPECIFY]

2.4Categories of Data Subjects. The Personal Data relates to the following categories of Data Subjects:

• ☐ Customers/Clients
• ☐ Employees
• ☐ Contractors
• ☐ Suppliers
• ☐ Website visitors
• ☐ [OTHER - SPECIFY]

2.5Special Categories of Personal Data.

• ☐ This processing does NOT involve Special Categories of Personal Data
• ☐ This processing involves the following Special Categories: [SPECIFY]

3.1Processing Instructions. Processor shall:

• Process Personal Data only on documented instructions from Controller, including transfers to third countries, unless required by applicable law;
• Immediately inform Controller if, in its opinion, an instruction infringes Applicable Data Protection Law;
• Not process Personal Data for any purpose other than as instructed by Controller;
• Maintain a record of all categories of processing activities carried out on behalf of Controller.

3.2Confidentiality. Processor shall ensure that persons authorized to process Personal Data:

• Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
• Receive appropriate training on data protection;
• Are only granted access to Personal Data to the extent necessary for performing their duties.

3.3Technical and Organizational Measures. Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Pseudonymization and encryption of Personal Data where appropriate;
• Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems;
• Ability to restore availability and access to Personal Data in a timely manner in the event of incident;
• Regular testing, assessment, and evaluation of effectiveness of security measures;
• Access controls and authentication mechanisms;
• Physical security of facilities where Personal Data is processed;
• Measures to protect against unauthorized or unlawful processing, accidental loss, destruction, or damage.

Specific security measures are detailed in Annex 2.

3.4Assistance to Controller. Processor shall, taking into account the nature of processing, assist Controller by appropriate technical and organizational measures in:

• Fulfilling Controller's obligation to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection);
• Ensuring compliance with security obligations;
• Conducting data protection impact assessments when required;
• Consulting with Supervisory Authorities when required.

3.5Data Breach Notification. Processor shall:

• Notify Controller without undue delay (and in any event within [24] hours) after becoming aware of a Data Breach;
• Provide Controller with sufficient information to enable it to comply with any obligations to notify Data Subjects or Supervisory Authorities;
• Cooperate with Controller and take reasonable steps to remediate the Data Breach;
• Document all Data Breaches and provide records to Controller upon request.

Notification must include: nature of breach, categories and approximate number of affected Data Subjects and records, likely consequences, measures taken or proposed to address the breach, and contact details for further information.

4.1Authorization.

• ☐ General Authorization: Controller provides general authorization for Processor to engage Sub-processors, subject to the conditions in this Section.
• ☐ Prior Specific Authorization: Processor must obtain Controller's prior written consent before engaging any Sub-processor.

4.2Current Sub-processors. Processor currently uses the following Sub-processors:

[LIST CURRENT SUB-PROCESSORS, SERVICES PROVIDED, LOCATION]

• Example: [Cloud Provider Name] - Cloud hosting services - [Location]
• Example: [Email Service] - Email delivery - [Location]

4.3New Sub-processors. If Processor intends to engage a new Sub-processor:

• Processor shall inform Controller at least [30] days in advance;
• Controller may object on reasonable data protection grounds within [14] days;
• If Controller objects, Parties shall discuss in good faith to resolve the issue;
• If unresolved, Controller may terminate the Principal Agreement with respect to the affected services.

4.4Sub-processor Requirements. Processor shall:

• Impose on Sub-processors the same data protection obligations as set out in this DPA;
• Ensure Sub-processor agreements are in writing and provide adequate security;
• Remain fully liable to Controller for performance of Sub-processor's obligations;
• Conduct appropriate due diligence on Sub-processors;
• Monitor Sub-processor compliance and conduct regular audits.

5.1Transfer Restrictions. Processor shall not transfer Personal Data to a country outside the European Economic Area (EEA) or UK unless:

• The transfer is to a country with an adequacy decision from the European Commission or UK;
• Appropriate safeguards are in place (Standard Contractual Clauses, Binding Corporate Rules, etc.);
• A derogation under Article 49 GDPR applies;
• Controller has provided prior written authorization.

5.2Current International Transfers.

Personal Data will be transferred to the following countries: [LIST COUNTRIES]

Transfer mechanism: [ADEQUACY DECISION / STANDARD CONTRACTUAL CLAUSES / OTHER]

5.3Standard Contractual Clauses. If applicable, the Standard Contractual Clauses approved by the European Commission are incorporated by reference and attached as Annex 3.

5.4Government Access Requests. If Processor receives a legally binding request from a government or law enforcement authority for access to Personal Data, Processor shall:

• Immediately notify Controller (unless legally prohibited);
• Challenge the request if appropriate;
• Disclose only the minimum Personal Data required;
• Document all requests and responses.

6.1Data Subject Requests. If Processor receives a request from a Data Subject to exercise their rights under Applicable Data Protection Law (access, rectification, erasure, restriction, portability, objection), Processor shall:

• Immediately forward the request to Controller;
• Not respond to the request without Controller's prior written authorization;
• Provide reasonable assistance to Controller in responding to the request;
• Implement Controller's instructions regarding the request.

6.2Assistance Timeline. Processor shall provide assistance within [5] business days or such shorter period as may be required to enable Controller to comply with applicable legal deadlines.

6.3Reasonable Costs. Controller shall reimburse Processor for reasonable costs of providing assistance that exceeds Processor's normal obligations under the Principal Agreement.

7.1Controller Audit Rights. Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections.

7.2Audit Process.

• Controller may conduct audits up to [ONCE PER YEAR] or more frequently if required by Supervisory Authority;
• Controller shall provide [30] days' written notice;
• Audits shall be conducted during normal business hours;
• Audits shall not unreasonably interfere with Processor's operations;
• Controller may use independent third-party auditors bound by confidentiality;
• Processor may charge reasonable fees for audits exceeding [2] per year.

7.3Certifications and Reports. Processor shall provide Controller with:

• Copies of relevant certifications (ISO 27001, SOC 2, etc.)
• Third-party audit reports and penetration test results
• Security assessment documentation
• Evidence of compliance with security obligations

8.1Upon Termination. Upon termination or expiration of the Principal Agreement, Processor shall, at Controller's choice:

• Return all Personal Data to Controller in a commonly used electronic format; or
• Securely delete or destroy all Personal Data.

8.2Timeline. Processor shall complete return or deletion within [30] days of termination, unless a longer period is required by applicable law.

8.3Certification. Processor shall provide written certification that all Personal Data has been returned or securely deleted, including confirmation that:

• All copies, including backups, have been deleted;
• Deletion methods meet industry standards (e.g., DoD 5220.22-M, NIST 800-88);
• Sub-processors have also deleted all Personal Data.

8.4Legal Retention. Processor may retain Personal Data to the extent required by applicable law, provided that:

• Such retention is limited to what is legally required;
• Processor continues to ensure confidentiality and security;
• Controller is informed of the legal requirement and retention period;
• Personal Data is deleted once the legal requirement expires.

9.1Processor Liability. Processor shall be liable for damages caused by processing where:

• It has not complied with obligations specifically directed to processors under Applicable Data Protection Law; or
• It has acted outside or contrary to lawful instructions from Controller.

9.2Indemnification. Processor shall indemnify, defend, and hold harmless Controller from all claims, losses, damages, fines, and expenses (including legal fees) arising from:

• Processor's breach of this DPA;
• Processor's violation of Applicable Data Protection Law;
• Data Breaches caused by Processor's failure to implement adequate security;
• Processor's unauthorized processing of Personal Data;
• Regulatory fines or penalties imposed due to Processor's non-compliance.

9.3Limitation. Nothing in this DPA shall limit either Party's liability for fraud, gross negligence, willful misconduct, death, or personal injury.

10.1Term. This DPA shall commence on the Effective Date and continue for the duration of the Principal Agreement.

10.2Survival. Sections 3 (security), 6 (Data Subject rights), 7 (audit), 8 (deletion), and 9 (liability) shall survive termination to the extent necessary to fulfill remaining obligations.

10.3Termination for Breach. Controller may terminate this DPA immediately if Processor materially breaches data protection obligations and fails to remedy within [15] days of written notice.

11.1Relationship to Principal Agreement. This DPA is supplemental to and forms part of the Principal Agreement. In case of conflict, this DPA prevails on data protection matters.

11.2Changes in Law. If changes in Applicable Data Protection Law require amendments to this DPA, Parties shall cooperate in good faith to agree on necessary modifications.

11.3Governing Law. This DPA shall be governed by the laws of [STATE/COUNTRY], to the extent not superseded by Applicable Data Protection Law.

11.4Severability. If any provision is found invalid, the remainder shall remain in full force, and invalid provisions shall be modified to achieve the intended effect.

11.5Order of Precedence. In case of conflict: (1) Standard Contractual Clauses, (2) this DPA, (3) Principal Agreement.