Data Processing Agreement (DPA)

Effective Date: 04/24/2025

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, whether automated or not.
  • "Data Subject" is the identified or identifiable person to whom the Personal Data relates.
  • "Sub-processor" means any third party engaged by the Data Processor to process Personal Data.
  • "Applicable Data Protection Law" includes the GDPR (EU) 2016/679 and other relevant laws.

2. Subject Matter

This DPA governs the Processing of Personal Data by the Data Processor on behalf of the Data Controller in connection with the services described in the main agreement between the parties (the "Services Agreement").

3. Duration

This DPA is effective for the duration of the Services Agreement and will remain in effect until all Personal Data processed on behalf of the Data Controller has been deleted or returned.

4. Nature and Purpose of Processing

Nature: The processing may include storage, access, analysis, and deletion of Personal Data.

Purpose: To fulfill obligations under the Services Agreement.

5. Categories of Data Subjects and Data

Data Subjects: May include employees, customers, users, or other individuals whose data is provided.

Data Types: May include names, emails, contact info, IP addresses, and other personal identifiers.

6. Obligations of the Data Processor

The Data Processor shall:

  • Process Personal Data only on documented instructions from the Data Controller.
  • Ensure confidentiality and train personnel accordingly.
  • Implement appropriate technical and organizational security measures.
  • Assist the Data Controller in responding to Data Subject requests.
  • Notify the Data Controller without undue delay after becoming aware of a Personal Data breach.
  • Cooperate with supervisory authorities.
  • Maintain records of processing activities.

7. Sub-processors

  • The Data Processor may not engage Sub-processors without prior written consent from the Data Controller.
  • Where consent is given, the Data Processor shall enter into a written agreement with each Sub-processor that imposes equivalent data protection obligations.

8. Data Subject Rights

The Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, in fulfilling its obligations to respond to Data Subject requests.

9. Data Transfers

The Data Processor shall not transfer Personal Data outside the European Economic Area (EEA) unless it has ensured appropriate safeguards in accordance with Chapter V of the GDPR.

10. Return or Deletion of Data

Upon termination of the Services Agreement, the Data Processor shall, at the choice of the Data Controller, delete or return all Personal Data and delete existing copies, unless storage is required by law.

11. Audit Rights

The Data Controller may audit or inspect the Data Processor’s compliance with this DPA. The Data Processor shall make available all information necessary to demonstrate compliance.

12. Liability

Each party shall be liable for any damages arising from its own violations of the DPA or Applicable Data Protection Law.

13. Governing Law and Jurisdiction

This DPA shall be governed by the laws of the United States. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of the United States.

14. Miscellaneous

This DPA forms part of the Services Agreement. In the event of a conflict, this DPA shall prevail regarding Personal Data protection obligations.