- Role: AI inference routing
- Location: United States
- Data processed: Situation descriptions; any data included in prompts
DPA Template
A GDPR Article 28-compliant Data Processing Agreement template. The Consultant acts as Processor; the Customer acts as Controller. Customer fields are placeholders.
Parties
1. Subject Matter, Duration, Nature, and Purpose
- Subject matter: Processing of personal data by the Processor on behalf of the Controller in connection with the Engagement described in the signed Engagement Letter.
- Duration: For the duration of the Engagement as set out in the Engagement Letter, plus any period required to fulfil legal retention obligations.
- Nature of processing: [DESCRIBE NATURE - e.g. collection, storage, analysis, transmission, deletion]
- Purpose of processing: [DESCRIBE PURPOSE - e.g. technical architecture review involving customer data samples; due diligence data room access]
2. Types of Personal Data and Data Subjects
- Types of personal data: [PLACEHOLDER - examples: names, email addresses, financial transaction records, employee data, customer data, usage logs]
- Categories of data subjects: [PLACEHOLDER - examples: Customer's employees, Customer's end-users, Customer's clients]
3. Obligations of the Processor (Art. 28(3) Checklist)
In accordance with Article 28(3) GDPR, the Processor shall:
- Documented instructions only: Process personal data only on documented instructions from the Controller.
- Confidentiality: Ensure authorised persons are bound by confidentiality obligations.
- Security measures: Implement appropriate technical and organisational measures per Art. 32 GDPR.
- Sub-processors: Not engage additional sub-processors without prior written authorisation; notify the Controller of intended changes.
- Data subject rights: Assist the Controller in fulfilling obligations to respond to data subject rights requests.
- Breach notification: Notify the Controller without undue delay after becoming aware of a personal data breach.
- DPIA assistance: Assist the Controller with compliance obligations under Arts. 32-36 GDPR, including DPIAs and prior consultation.
- Return or deletion: At the Controller's choice, delete or return all personal data upon termination of services.
- Audit rights: Make available all information necessary to demonstrate compliance; allow audits or inspections by or on behalf of the Controller.
4. Sub-Processors
The Controller provides general written authorisation for the following sub-processors:
- Role: Transactional email
- Location: United States / EU
- Data processed: Email addresses; engagement-related communications
The Processor shall impose data protection obligations on each sub-processor equivalent to those in this DPA and remains liable for each sub-processor's compliance.
5. International Transfers
Where sub-processors are located outside the EEA, transfers shall be governed by Standard Contractual Clauses (SCCs) as adopted by the European Commission or equivalent transfer mechanisms under Chapter V GDPR. Documentation of the applicable mechanism is available on request.
6. Liability and Indemnification
Each Party shall be liable for damages caused by processing in breach of this DPA, apportioned per Art. 82 GDPR. The overall liability cap is as set in the Engagement Letter.
7. Term
This DPA is effective from the date the Engagement Letter is signed and remains in force for the duration of the Engagement. Confidentiality and deletion obligations survive termination.
Signatures
Document Control
- Version: v0.1 - Draft
- Last updated: 2026-05-20