Data Processing Addendum (DPA)
Version: 1.0.0
Effective Date: January 1, 2024
This Data Processing Addendum ("DPA") forms part of any agreement ("Agreement") between Your Organization LLC ("Processor") and the enterprise customer ("Controller") for the use of our Services.
This DPA applies where the Processor processes personal data on behalf of the Controller, as required by Article 28 GDPR or equivalent legislation.
1. Definitions
| Term | Definition |
|---|---|
| Controller | The enterprise customer that determines purposes and means of processing |
| Processor | Your Organization LLC, processing on Controller's instructions |
| Personal Data | Any information relating to an identified or identifiable natural person |
| Processing | Any operation performed on personal data |
| Sub-processor | Any third party engaged by Processor to assist in processing |
2. Scope and Roles
2.1 The Processor processes personal data only to the extent necessary to provide the Services described in the Agreement.
2.2 The Controller determines the purposes and means of processing. The Processor processes strictly on documented instructions from the Controller.
3. Processor Obligations (Art. 28(3) GDPR)
The Processor agrees to:
(a) Process personal data only on documented instructions from the Controller;
(b) Ensure that authorized personnel are subject to appropriate confidentiality obligations;
(c) Implement appropriate technical and organizational security measures (see Section 6);
(d) Engage sub-processors only with the Controller's prior written authorization (general authorization is granted in Section 5);
(e) Assist the Controller in responding to data subject requests (see Section 4);
(f) Assist the Controller in fulfilling its obligations under Articles 32–36 (security, breach notification, DPIA);
(g) Delete or return all personal data upon termination of the Agreement;
(h) Provide all information necessary to demonstrate compliance with Article 28 obligations and permit audits.
4. Data Subject Requests
4.1 The Processor will notify the Controller within 5 business days of any data subject request it receives directly.
4.2 The Processor will assist the Controller in fulfilling data subject requests (access, rectification, erasure, portability, objection) within 10 business days of receiving the Controller's instructions.
5. Sub-processors
5.1 The Controller grants general authorization for the Processor to engage sub-processors. The current sub-processor list is available at: https://legal.yourdomain.com/shared/sub-processors/
5.2 The Processor will provide 30 days' notice before engaging a new sub-processor. The Controller may object within this period.
5.3 All sub-processors are bound by data processing agreements equivalent to the obligations in this DPA.
Current Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure | United States / Global |
| Stripe | Payment processing | United States |
| SendGrid | Transactional email | United States |
6. Security Measures (Art. 32 GDPR)
The Processor implements and maintains the following measures:
Encryption
- All data in transit: TLS 1.2 or higher
- All data at rest: AES-256 encryption
Access Controls
- Role-based access control (RBAC)
- Multi-factor authentication for all privileged access
- Regular access reviews and revocation of unused privileges
Monitoring & Incident Response
- 24/7 security monitoring
- Incident response plan with defined escalation procedures
- Security information and event management (SIEM)
Physical Security
- Data hosted in AWS certified data centers (ISO 27001, SOC 2 Type II)
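The access-control commitments above (RBAC, MFA on privileged access, periodic review and revocation of unused privileges) are the ones a Controller auditing under Section 9 will most often ask to see evidenced. The following is an added example of what such a review looks like in code; it is not the Processor's tooling. It assumes a hypothetical RBAC snapshot where `admin`, `dba` and `security-ops` are the privileged roles, treats a privileged role unused for more than 90 days as stale, and runs over a constructed sample of five accounts.

```python
"""Access review over a constructed RBAC snapshot (added example, not Processor tooling)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Assumptions for this example: which roles count as privileged, and how long a
# privileged role may go unused before the review revokes it.
PRIVILEGED_ROLES: Set[str] = {"admin", "dba", "security-ops"}
STALE_AFTER = timedelta(days=90)


@dataclass
class Account:
    user: str
    roles: Set[str]
    mfa_enrolled: bool
    last_privileged_use: Optional[datetime]  # None: never exercised a privileged role


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str  # "privileged_without_mfa" or "stale_privilege"
    roles: frozenset


def review_accounts(accounts: List[Account], now: datetime,
                    stale_after: timedelta = STALE_AFTER) -> List[Finding]:
    """Flag privileged accounts lacking MFA, and privileged roles unused past the threshold."""
    findings: List[Finding] = []
    for acct in accounts:
        priv = frozenset(acct.roles & PRIVILEGED_ROLES)
        if not priv:
            continue  # unprivileged accounts fall outside the MFA and stale-privilege rules
        if not acct.mfa_enrolled:
            findings.append(Finding(acct.user, "privileged_without_mfa", priv))
        never_used = acct.last_privileged_use is None
        if never_used or now - acct.last_privileged_use > stale_after:
            findings.append(Finding(acct.user, "stale_privilege", priv))
    return findings


def apply_revocations(accounts: List[Account], findings: List[Finding]) -> Dict[str, Set[str]]:
    """Return each user's remaining roles after stale privileged roles are removed.

    MFA findings are deliberately not auto-remediated: they need enrollment, not revocation.
    """
    stale = {f.user: f.roles for f in findings if f.issue == "stale_privilege"}
    return {a.user: set(a.roles) - set(stale.get(a.user, ())) for a in accounts}


# Constructed sample snapshot, anchored to a fixed review date so results are reproducible.
REVIEW_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice", {"admin", "developer"}, True, REVIEW_DATE - timedelta(days=10)),
    Account("bob", {"dba"}, False, REVIEW_DATE - timedelta(days=5)),
    Account("carol", {"admin"}, True, REVIEW_DATE - timedelta(days=120)),
    Account("dave", {"developer"}, False, None),
    Account("erin", {"security-ops"}, True, None),
]

if __name__ == "__main__":
    found = review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)
    for f in found:
        print(f"{f.user}: {f.issue} {sorted(f.roles)}")
    print(apply_revocations(SAMPLE_ACCOUNTS, found))
```

On the constructed sample, `bob` is flagged for holding `dba` without MFA, and `carol` and `erin` lose their privileged roles because they have not been exercised within the 90-day window (or ever). `dave` holds no privileged role, so the MFA rule in this DPA does not apply to him. Keeping the review (`review_accounts`) separate from the remediation (`apply_revocations`) lets the findings list itself serve as the audit record requested under Section 9.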
7. Personal Data Breach Notification (Art. 33 GDPR)
7.1 The Processor will notify the Controller of any personal data breach affecting the Controller's personal data without undue delay, and in any event within 72 hours of becoming aware of it.
7.2 The notification will include, where available:
- Nature of the breach and categories of data affected
- Approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
8. Data Transfers
8.1 The Processor transfers personal data outside the EEA only using appropriate safeguards:
- EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914)
- Adequacy decisions where applicable
9. Audits
9.1 The Processor will make available all information necessary to demonstrate compliance with this DPA.
9.2 The Controller may audit the Processor's processing activities upon 30 days' notice, no more than once per year, at the Controller's expense.
10. Termination
10.1 Upon termination of the Agreement, the Processor will, at the Controller's choice, delete or return all personal data within 30 days.
10.2 The Processor will delete any remaining copies unless storage is required by applicable law.