DATA PROCESSING AGREEMENT (DPA)

GDPR Article 28 | Data Controller/Processor | Standard Contractual Clauses (SCC)

PREAMBLE

This Data Processing Agreement ("DPA"), dated [Date], is entered into between [Data Controller Name/Company] ("Controller") and [Data Processor Name/Company] ("Processor"), pursuant to GDPR Article 28 (Processor obligations) and GDPR Article 4(8) (Definition of Processor).

Purpose: To establish terms governing Processor's processing of personal data on Controller's behalf in connection with the Service Agreement dated [Date] ("Principal Agreement").

1. DEFINITIONS & ROLES

1.1 Data Controller: [Company Name] - Entity determining purposes/means of personal data processing. Processor processes data ONLY per Controller's documented instructions.

1.2 Data Processor: [Service Provider Name] - Entity processing personal data on Controller's behalf, under Controller's authority.

1.3 Processing Scope: Processor shall process [types of personal data, e.g., customer email, usage analytics, support tickets] for purposes of [service delivery, analytics, customer support].

2. PROCESSOR OBLIGATIONS (GDPR ARTICLE 28)

2.1 Processing Per Instructions: Per GDPR Art. 28(3)(a), Processor shall:

(a) Process personal data only on documented instructions from Controller
(b) Not process for own purposes unless authorized in writing
(c) Inform Controller immediately if instruction violates GDPR or local data protection law

2.2 Confidentiality & Access Control (GDPR Art. 28(3)(b)):

(a) Ensure staff with access to personal data are bound by confidentiality (in writing or by law)
(b) Limit access to employees with legitimate need-to-know
(c) Maintain written records of staff with access; update annually

2.3 Technical & Organizational Security Measures (GDPR Art. 28(3)(c) & Art. 32):

(a) Implement encryption (TLS 1.2+ in transit, AES-256 at rest)
(b) Multi-factor authentication for administrative access
(c) Regular security audits/penetration testing (minimum annually)
(d) Incident response plan; notify Controller within 24 hours of suspected breach (per Art. 33)
(e) Data backup with documented recovery testing (minimum quarterly)

2.4 Sub-Processor Authorization (GDPR Art. 28(2)-(4)):

(a) Processor shall NOT engage sub-processors without Controller's prior written authorization
(b) Processor shall provide 30-day notice of new sub-processor; Controller may object
(c) If Controller objects, parties shall negotiate in good faith; if unresolved, Controller may terminate
(d) Processor remains liable to Controller for sub-processor performance

2.5 Sub-Processors Currently Authorized:

- [Hosting provider, e.g., AWS, Google Cloud] - Location: [EU / US with SCC]
- [Analytics provider, e.g., Matomo] - Data retention: [X months]
- [Email service, e.g., Mailgun] - Encryption: End-to-end

3. DATA SUBJECT RIGHTS (GDPR ARTICLES 15-22)

3.1 Cooperation Obligation: Per GDPR Art. 28(3)(e), Processor shall:

(a) Assist Controller in responding to data subject requests (access, rectification, erasure, portability) within [X business days]
(b) Provide Controller with list of personal data processed upon request
(c) Erase personal data upon Controller instruction (except if legally required to retain)

3.2 Automated Decision-Making (GDPR Art. 22): Processor shall NOT make automated decisions with legal or similarly significant effects on data subjects, and shall notify Controller if any processing involves such decisions.

4. INTERNATIONAL DATA TRANSFERS (GDPR ARTICLES 44-50)

4.1 Transfer Mechanisms: If Processor transfers personal data outside EU/EEA, Processor shall ensure adequate safeguards:

(a) EU Adequacy Decision (if applicable country, e.g., Switzerland per Commission Decision 2000/518)
(b) Standard Contractual Clauses (SCC) per EU Decision 2021/914 (mandatory if US/non-adequate country)
(c) Binding Corporate Rules (BCRs) if multi-subsidiary transfer
(d) Schrems II Compliance: Ensure US government surveillance measures do not render transfer inadequate

4.2 Transfers by Processor: Processor shall NOT transfer personal data to third countries without Controller's explicit written authorization and documented SCC compliance.

5. AUDIT & DOCUMENTATION

5.1 Records of Processing (GDPR Art. 5(2) & 28(3)(f)): Processor shall maintain detailed records including:

(a) Types of personal data processed
(b) Categories of data subjects
(c) Processing purposes and legal basis
(d) Recipients of data
(e) Retention periods
(f) Technical/organizational security measures

5.2 Audit Rights (GDPR Art. 28(3)(h)): Controller may audit Processor's compliance:

(a) Controller (or Controller's auditor) may inspect Processor's facilities [up to 2 times annually] with reasonable notice
(b) Processor shall provide records/documentation within [30 days] of request
(c) Audit costs borne by requesting party (unless material non-compliance found, then Processor bears costs)
(d) Processor shall remediate findings within [90 days]

5.3 Compliance Certifications: Processor shall maintain certifications: [ISO 27001, SOC 2 Type II, other] and provide updated certificates annually.

6. TERMINATION & DATA RETURN

6.1 Termination Triggers: This DPA terminates upon:

(a) Expiration of Principal Agreement
(b) Either party's material breach not cured within 30 days of notice
(c) Material regulatory violation (e.g., unauthorized sub-processor, unresolved security incident)
(d) Voluntary termination by either party with [30 days] notice

6.2 Data Return/Deletion (GDPR Art. 28(3)(g)): Upon termination, Processor shall:

(a) Return or delete all personal data (per Controller's written instruction)
(b) Delete all electronic copies (with certification of deletion within 30 days)
(c) Certify deletion signed by authorized officer
(d) Exception: Retain one copy for legal compliance purposes (if required by law), under continued confidentiality

7. LIABILITY & INDEMNIFICATION

7.1 Processor Liability: Processor is liable for damages caused by processing not in compliance with GDPR or this DPA (per GDPR Art. 82).

7.2 Indemnity: Processor shall indemnify Controller for fines/penalties arising from Processor's breach of GDPR (excluding fines caused solely by Controller's instructions).

8. PROCESSOR CERTIFICATIONS & STANDARDS

8.1 Security Certifications: Processor maintains certifications:

☐ ISO 27001 (Information Security Management)
☐ SOC 2 Type II (Security & Availability)
☐ GDPR Compliance Certification
☐ Other: [______]

8.2 Proof of Compliance: Processor shall provide updated certifications annually per GDPR Art. 28(3)(h).

9. INCIDENT RESPONSE & BREACH NOTIFICATION

9.1 Breach Discovery: If Processor suspects a data breach, Processor shall notify Controller IMMEDIATELY per GDPR Art. 33 (without undue delay, and within 24 hours).

9.2 Breach Information: The notification shall include: (a) nature of the breach, (b) data categories affected, (c) approximate number of data subjects, (d) likely consequences, and (e) measures taken or proposed to mitigate.

9.3 Investigation Cooperation: Processor shall fully cooperate with Controller's investigation, forensics, and regulatory notifications per GDPR Art. 34 (if the breach is notifiable to the public).

10. POST-TERMINATION OBLIGATIONS

10.1 Transition Assistance: Upon termination, Processor shall assist Controller in transitioning to a new Processor (knowledge transfer, data export, system migration) at no additional cost per GDPR Art. 28(3)(g).

10.2 Data Archival: For [X years] post-termination, Processor shall maintain backup copies of personal data (encrypted, access restricted) in case a legal or compliance hold is required.

CRITICAL COMPLIANCE: This DPA is MANDATORY if Processor handles EU personal data (GDPR Art. 28 requirement). No processing may take place without a valid DPA. GDPR violations are subject to fines of up to €20M or 4% of annual revenue. Regular audits are required.

Effective Date: [Date] | Version: 1.0 | Last Review: [Date]