Data Processing Agreement (DPA)
A GDPR Article 28 compliant Data Processing Agreement governing the processing of personal data between a controller and processor.
Data Processing Agreement
This Data Processing Agreement (this "DPA") is entered into as of effective_date (the "Effective Date") by and between:
controller_name (the "Controller"); and
processor_name (the "Processor").
Controller and Processor are each referred to herein as a "Party" and collectively as the "Parties."
This DPA supplements the underlying service agreement between the Parties (the "Principal Agreement") and is entered into in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 (the "GDPR") and other Applicable Data Protection Laws.
1. Definitions
In this DPA, the following terms shall have the meanings set forth below. Capitalized terms not defined herein shall have the meanings given in the GDPR or the Principal Agreement, as applicable.
"Applicable Data Protection Laws" means the GDPR, the ePrivacy Directive (2002/58/EC), and any other applicable data protection and privacy legislation in governing_jurisdiction, including national implementing legislation, as amended, replaced, or superseded from time to time.
"Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
"Personal Data" means any information relating to a Data Subject that is processed by Processor on behalf of Controller under the Principal Agreement.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
"Processing" (and "process") means any operation or set of operations which is performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.
"Sub-processor" means any third-party processor engaged by Processor to process Personal Data on behalf of Controller.
"Supervisory Authority" means an independent public authority established by an EU/EEA Member State pursuant to Article 51 of the GDPR.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission, as may be amended or replaced from time to time.
2. Scope and Purpose of Processing
2.1 Purpose
Processor shall process Personal Data on behalf of Controller solely for the purpose of: processing_purpose, and as further described in Annex 1 to this DPA. Processor shall not process Personal Data for any other purpose, including for its own purposes or the purposes of any third party, unless expressly instructed by Controller in writing.
2.2 Categories of Data Subjects
The Personal Data processed under this DPA relates to the following categories of Data Subjects: data_subjects.
2.3 Types of Personal Data
The following types of Personal Data will be processed: data_types.
2.4 Special Categories of Data
Unless expressly agreed in writing, Processor shall not process any special categories of personal data as defined in Article 9 of the GDPR (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation).
2.5 Duration of Processing
Processing shall commence on the Effective Date and shall continue for the duration of the Principal Agreement, unless earlier terminated in accordance with this DPA or instructed otherwise by Controller.
3. Obligations of the Controller
Controller shall:
(a) Ensure that it has a valid legal basis for the processing of Personal Data under Applicable Data Protection Laws, including obtaining all necessary consents from Data Subjects where required;
(b) Provide documented instructions to Processor for the processing of Personal Data, and ensure that such instructions comply with Applicable Data Protection Laws;
(c) Ensure that Personal Data provided to Processor is accurate, complete, and up to date;
(d) Inform Processor without undue delay of any changes in the processing that may affect Processor's obligations under this DPA;
(e) Maintain appropriate records of processing activities as required by Article 30 of the GDPR; and
(f) Cooperate with Processor in responding to Data Subject requests, Supervisory Authority inquiries, and Personal Data Breach incidents.
4. Obligations of the Processor
4.1 Processing Instructions
Processor shall process Personal Data only on documented instructions from Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless Processor is required to do so by applicable law. In such a case, Processor shall inform Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
4.2 Confidentiality
Processor shall ensure that all persons authorized to process Personal Data (including employees, contractors, and agents) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Processor shall ensure that access to Personal Data is limited to those persons who need access to perform their duties under the Principal Agreement.
4.3 Security Measures
Processor shall implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of Data Subjects. Such measures shall include, as appropriate:
(a) The pseudonymization and encryption of Personal Data;
(b) The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
(c) The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
(d) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing;
(e) Access controls, including multi-factor authentication and role-based access;
(f) Network security measures, including firewalls, intrusion detection systems, and network segmentation;
(g) Regular security assessments, penetration testing, and vulnerability scans;
(h) Secure disposal or deletion of Personal Data when no longer required; and
(i) Employee security training and awareness programs.
4.4 Data Subject Rights
Processor shall promptly assist Controller, by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Controller's obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including rights of access, rectification, erasure, restriction, portability, and objection. If Processor receives a request directly from a Data Subject, Processor shall promptly forward the request to Controller and shall not respond to the Data Subject directly unless instructed to do so by Controller.
4.5 Assistance with Compliance
Taking into account the nature of the processing and the information available to Processor, Processor shall assist Controller in ensuring compliance with Controller's obligations under Articles 32 through 36 of the GDPR, including:
(a) Security of processing (Article 32);
(b) Notification of Personal Data Breaches to the Supervisory Authority (Article 33);
(c) Communication of Personal Data Breaches to Data Subjects (Article 34);
(d) Data protection impact assessments (Article 35); and
(e) Prior consultation with the Supervisory Authority (Article 36).
4.6 Record Keeping
Processor shall maintain all records required by Article 30(2) of the GDPR and make such records available to Controller and the Supervisory Authority upon request.
5. Sub-processors
5.1 General Authorization
Controller grants Processor general written authorization to engage Sub-processors to perform specific processing activities on behalf of Controller, subject to the conditions set forth in this Section 5.
5.2 List of Sub-processors
Processor shall maintain a current list of all Sub-processors, including the name, location, and description of processing activities of each Sub-processor. The Sub-processors approved as of the Effective Date are listed in Annex 3 to this DPA. The current list shall be made available to Controller upon request and shall be updated whenever changes occur.
5.3 Notification of Changes
Processor shall notify Controller in writing at least thirty (30) days prior to engaging any new Sub-processor or replacing an existing Sub-processor. The notification shall include the identity, location, and scope of processing activities of the proposed Sub-processor.
5.4 Right to Object
Controller shall have the right to object to the appointment or replacement of a Sub-processor within fifteen (15) days of receiving notification, provided that such objection is based on reasonable grounds relating to data protection. If Controller objects, the Parties shall discuss the objection in good faith with a view to resolving the issue. If no resolution can be reached, Controller may terminate the affected services under the Principal Agreement without penalty.
5.5 Sub-processor Agreements
Processor shall impose the same data protection obligations as set forth in this DPA on each Sub-processor by way of a written agreement. In particular, Processor shall ensure that each Sub-processor provides sufficient guarantees to implement appropriate technical and organizational measures such that the processing meets the requirements of the GDPR.
5.6 Liability for Sub-processors
Processor shall remain fully liable to Controller for the performance of each Sub-processor's obligations. Where a Sub-processor fails to fulfil its data protection obligations, Processor shall be liable to Controller for the acts and omissions of the Sub-processor as if they were the acts and omissions of Processor itself.
6. Data Subject Rights
Processor shall:
(a) Promptly notify Controller if Processor receives a request from a Data Subject to exercise any of their rights under Applicable Data Protection Laws;
(b) Not respond directly to any Data Subject request unless expressly authorized by Controller in writing;
(c) Provide Controller with all information and assistance reasonably necessary to enable Controller to respond to Data Subject requests within the timeframes required by Applicable Data Protection Laws;
(d) Implement technical measures to enable Controller to efficiently fulfill Data Subject requests, including the ability to search, retrieve, correct, delete, restrict, and export Personal Data; and
(e) Maintain records of all Data Subject requests received and actions taken in response.
7. Security Measures
Without limiting the obligations set forth in Section 4.3, Processor shall implement and maintain the security measures described in Annex 2 to this DPA. Processor shall regularly review and update its security measures to address evolving threats and vulnerabilities. Processor shall not materially decrease the overall level of security provided during the term of this DPA without Controller's prior written consent.
8. Personal Data Breach Notification
8.1 Notification to Controller
Processor shall notify Controller without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Personal Data Breach. The initial notification shall include, to the extent available:
(a) A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects affected and the categories and approximate number of Personal Data records affected;
(b) The name and contact details of Processor's data protection officer or other contact point where more information can be obtained;
(c) A description of the likely consequences of the Personal Data Breach; and
(d) A description of the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
8.2 Ongoing Cooperation
Where it is not possible to provide all information at the time of the initial notification, Processor shall provide the information in phases without further undue delay. Processor shall cooperate with Controller and take all reasonable steps to assist Controller in investigating, mitigating, and remediating the Personal Data Breach, including:
(a) Preserving all evidence related to the breach;
(b) Conducting a thorough investigation and providing Controller with regular updates;
(c) Taking immediate steps to contain and minimize the impact of the breach;
(d) Assisting Controller in notifying affected Data Subjects and Supervisory Authorities as required; and
(e) Implementing measures to prevent future similar breaches.
8.3 No Unauthorized Notification
Processor shall not notify any Data Subject, Supervisory Authority, or third party of a Personal Data Breach without Controller's prior written authorization, unless required to do so by applicable law.
9. Audit Rights
9.1 Information Access
Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations set forth in Article 28 of the GDPR and this DPA.
9.2 Audit and Inspections
Processor shall allow Controller (or an independent third-party auditor mandated by Controller) to conduct audits and inspections to verify Processor's compliance with this DPA. Such audits may include on-site inspections, review of records and documentation, interviews with relevant personnel, and technical assessments of systems and processes.
9.3 Audit Procedures
Audits shall be conducted: (a) upon at least thirty (30) days advance written notice from Controller; (b) during normal business hours; (c) in a manner that does not unreasonably disrupt Processor's operations; and (d) no more than once per calendar year, unless a Personal Data Breach has occurred or Controller has reasonable grounds to believe that Processor is not in compliance with this DPA.
9.4 Costs
Controller shall bear the costs of any audit, unless the audit reveals a material breach by Processor, in which case Processor shall bear the costs of the audit and any necessary remediation.
9.5 Third-Party Certifications
Processor may satisfy its audit obligations in part by providing Controller with copies of relevant third-party audit reports, certifications, or attestations (such as SOC 2 Type II or ISO 27001), provided that such reports are current and cover the relevant processing activities.
10. International Data Transfers
10.1 Restrictions on Transfers
Processor shall not transfer Personal Data to any country outside the European Economic Area ("EEA") unless one of the following conditions is met:
(a) The transfer is to a country, territory, or specified sector that has been deemed adequate by the European Commission pursuant to Article 45 of the GDPR;
(b) Appropriate safeguards are in place pursuant to Article 46 of the GDPR, such as Standard Contractual Clauses (SCCs) approved by the European Commission, binding corporate rules, or an approved code of conduct;
(c) A valid derogation applies under Article 49 of the GDPR; or
(d) Such other lawful transfer mechanism as may be recognized under Applicable Data Protection Laws.
10.2 Standard Contractual Clauses
Where Standard Contractual Clauses are relied upon as the transfer mechanism, the Parties agree to enter into and comply with the SCCs, which shall be executed by the Parties, attached to this DPA, and form an integral part of this DPA.
10.3 Transfer Impact Assessment
Processor shall assist Controller in conducting any necessary transfer impact assessments to evaluate whether the laws and practices of the destination country provide adequate protection for Personal Data.
11. Term and Termination
11.1 Term
This DPA shall come into effect on the Effective Date and shall remain in effect for the duration of the Principal Agreement, unless earlier terminated in accordance with this DPA or the Principal Agreement.
11.2 Effects of Termination
Upon termination or expiration of the Principal Agreement or this DPA, Processor shall, at Controller's option: (a) return all Personal Data to Controller in a commonly used, machine-readable format; or (b) securely delete and destroy all Personal Data in Processor's possession or control, including all copies, backups, and archives. Processor shall complete such return or deletion within thirty (30) days of termination and shall provide Controller with a written certification confirming that all Personal Data has been returned or deleted.
11.3 Retention Exceptions
Processor may retain Personal Data to the extent required by applicable law, provided that: (a) Processor notifies Controller of such retention requirement and the specific data to be retained; (b) the retained data is processed solely for the purpose required by law; and (c) the retained data remains subject to all confidentiality and security obligations set forth in this DPA.
11.4 Survival
The obligations set forth in this DPA relating to confidentiality, data deletion/return, audit rights, and liability shall survive the termination or expiration of this DPA.
12. Liability and Indemnification
12.1 Allocation of Liability
Each Party shall be liable for damages caused by its processing of Personal Data that infringes Applicable Data Protection Laws, in accordance with the liability provisions of Article 82 of the GDPR.
12.2 Processor Indemnification
Processor shall indemnify, defend, and hold harmless Controller and its officers, directors, employees, and agents from and against any and all claims, damages, losses, liabilities, fines, penalties, costs, and expenses (including reasonable attorneys' fees) arising out of or related to: (a) Processor's breach of this DPA; (b) Processor's violation of Applicable Data Protection Laws; (c) any Personal Data Breach attributable to Processor; or (d) the acts or omissions of Processor's Sub-processors.
12.3 Limitation of Liability
The limitations of liability set forth in the Principal Agreement shall apply to this DPA, except that neither Party's liability for violations of Applicable Data Protection Laws or for Personal Data Breaches shall be limited.
13. General Provisions
13.1 Precedence
In the event of any conflict between the terms of this DPA and the Principal Agreement, the terms of this DPA shall prevail with respect to the processing of Personal Data.
13.2 Amendments
This DPA may not be amended or modified except by a written instrument signed by both Parties. Either Party may request amendments to this DPA to reflect changes in Applicable Data Protection Laws or regulatory guidance.
13.3 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
13.4 Governing Law
This DPA shall be governed by and construed in accordance with the laws of governing_jurisdiction, without regard to conflict of law principles, and subject to the jurisdiction of the courts in governing_jurisdiction.
13.5 Entire Agreement
This DPA, together with the Principal Agreement and all Annexes hereto, constitutes the entire agreement between the Parties with respect to the processing of Personal Data and supersedes all prior or contemporaneous agreements, representations, and understandings on that subject.
13.6 Counterparts
This DPA may be executed in counterparts, each of which shall be deemed an original. Electronic signatures shall be deemed original signatures for all purposes.
IN WITNESS WHEREOF, the Parties have executed this Data Processing Agreement as of the Effective Date.
Controller
controller_name
[Electronic signature will be collected via zsign]
[Date will be recorded automatically]
Processor
processor_name
[Electronic signature will be collected via zsign]
[Date will be recorded automatically]
Annex 1: Details of Processing
Subject Matter of Processing: processing_purpose
Duration of Processing: For the duration of the Principal Agreement
Nature and Purpose of Processing: [Describe specific processing operations]
Categories of Data Subjects: data_subjects
Types of Personal Data: data_types
Annex 2: Technical and Organizational Security Measures
Processor has implemented the following categories of security measures:
1. Access Control: [Describe measures]
2. Encryption: [Describe measures]
3. Network Security: [Describe measures]
4. Physical Security: [Describe measures]
5. Incident Response: [Describe measures]
6. Business Continuity: [Describe measures]
7. Employee Training: [Describe measures]
8. Vendor Management: [Describe measures]
Annex 3: Approved Sub-processors
The following Sub-processors are approved as of the Effective Date:
1. Name: ____________________________ Location: ____________________________ Processing Activities: ____________________________
2. Name: ____________________________ Location: ____________________________ Processing Activities: ____________________________
3. Name: ____________________________ Location: ____________________________ Processing Activities: ____________________________