Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

This Data Processing Agreement ("Agreement") is entered into on [Date], by and between:

Controller (Company): [Company Name]
Address: [Company Address]
Website: [Website URL]

and

Processor (Service Provider): [Processor Name / Company Name]
Address: [Processor Address]

1. Purpose

This Agreement governs the processing of personal data by the Processor on behalf of the Controller in connection with the services provided under the main agreement between the Parties ("Main Agreement").

2. Definitions

• "Personal Data": Any information relating to an identified or identifiable natural person.

• "Processing": Any operation or set of operations performed on personal data (e.g., collection, storage, access, deletion).

• "Applicable Law": All relevant data protection laws, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR").

3. Scope and Duration
The Processor shall process Personal Data only as necessary to perform services under the Main Agreement and for the duration of that agreement unless otherwise required by law.

4. Nature and Purpose of Processing

• Subject matter: [e.g., User data, client data, HR records]

• Categories of data subjects: [e.g., Website users, employees, customers]

• Types of personal data: [e.g., Name, email, IP address, purchase history]

5. Processor Obligations

The Processor agrees to:

• Process Personal Data only on documented instructions from the Controller

• Ensure confidentiality of personnel involved

• Implement appropriate technical and organizational security measures

• Assist the Controller in responding to data subject requests

• Notify the Controller of any data breach without undue delay

• Provide records and audits upon request

6. Sub-processors

The Processor shall not engage sub-processors without prior written authorization from the Controller. A current list of authorized sub-processors shall be maintained and made available upon request.

7. Data Transfers

Processor shall not transfer Personal Data outside the EEA/UK unless such transfer is in compliance with Applicable Law and subject to appropriate safeguards (e.g., SCCs, adequacy decisions).

8. Return or Deletion of Data

Upon termination of the Main Agreement, the Processor shall, at the choice of the Controller, delete or return all Personal Data unless legal obligations require retention.

9. Liability and Indemnification

Each party shall be liable for breaches of this Agreement and shall indemnify the other party against claims resulting from non-compliance.

10. Governing Law

This Agreement shall be governed by the laws of [State/Country], and any disputes shall be resolved in the competent courts of that jurisdiction.

IN WITNESS WHEREOF, the Parties have executed this Data Processing Agreement as of the date first written above.

Controller (Company)
Name:
Title:
Date:

Processor (Service Provider)
Name:
Title:
Date: