Data Processing Agreement
The following data processing agreement (Data Processing Agreement or Agreement) is entered into between you (the Controller) and COMPANY (the Processor). The Controller and the Processor are individually referred to as Party and collectively as the Parties. Key terms in this Agreement are highlighted in bold.
Section 1 - Requirements
The Processor may process Personal Data, or data relating to an identifiable natural person, on behalf of the Controller, as part of the Services, including but not limited to software-as-a-service, provided by Processor for the Controller. The Processor shall adhere to all applicable regulations including but not limited to the General Data Protection Regulation, the California Consumer Privacy Act, and the Nevada Privacy Act.
Section 2 - Scope of Personal Data
The Processor shall only use Personal Data to provide the Services to the Controller and shall not sell any of the Controller’s Personal Data to third parties.
Section 3 - Security of Personal Data
The Processor shall use commercially reasonable efforts to maintain the security and integrity of Controller’s Personal Data. When determining the appropriate commercially reasonable efforts, the Processor shall take account of the current available technology and technological developments; the costs of implementation; the nature, scope, context and purposes of the processing; and the risks of varying likelihood and severity for rights and freedoms of natural persons.
Section 4 - Confidentiality of Personal Data
The Processor shall use commercially reasonable efforts to maintain the confidentiality of Controller’s Personal Data. The Processor shall ensure that all access to Personal Data is limited in scope to providing the Services and that each person with access to the Personal Data is informed of the confidential nature of the Personal Data and is adequately trained to handle it.
Section 4.1 - Data Deletion
The Controller shall have the right to elect that Processor shall delete all of Controller's data held on Processor servers. Processor shall have 30 business days to respond to a request.
Section 5 - Disclosure of Personal Data
The Processor may not in any way modify, amend or alter the contents of the Personal Data or disclose the Personal Data to any third party, unless explicitly provided for in this Agreement; the Controller has otherwise authorized and/or instructed the Processor in writing to do so; and/or such disclosure is required by applicable legislation, subpoena, judicial, administrative or arbitral order of a court or arbitration tribunal or an executive or administrative agency, regulatory agency, or other governmental or regulatory authority which relates to the Processing of Personal Data to which the Processor is subject.
At the Controller’s request, the Processor will provide the Controller with reasonable information in its possession that may be responsive to the Disclosure Request and any assistance reasonably required for the Controller to respond to the Disclosure Request in a timely manner.
Section 6 - Transfer of Personal Data to third countries
The Processor may process or access the Personal Data from or transfer the Personal Data to any third country to provide the Services. If Personal Data is transferred to a third country, the Processor shall ensure that the transfer is effected on a legal basis, including without limitation in accordance with the terms of the European Commission model contracts for the transfer of personal data to third countries, before such transfer is made by the Processor.
The Processor may appoint any third party to process Personal Data on behalf of the Processor (Sub-Processor) without the prior written consent of the Controller so long as that processing is narrowed in scope to providing the Services. Any Sub-Processor is bound by the same obligations as a Processor under this Agreement.
Section 7 - Assistance
The Processor shall assist the Controller in dealing with requests from Data Subjects, or the natural persons that the Personal Data is about, in connection with the Data Subject’s exercise of his/her rights under the Data Protection Legislation, including without limitation requests for access, rectification, restriction of processing, deletion or data portability.
The Processor shall, without undue delay after becoming aware thereof, notify the Controller in writing of any request from a Data Subject for the exercise of their rights received directly from the Data Subject or from a third party.
The Processor shall implement adequate technical and organizational measures to assist the Controller in the performance of its obligation to respond to such Data Subject requests. The Processor shall provide all information requested by the Controller within the reasonable time stipulated by the Controller.
The Processor shall, immediately upon becoming aware thereof, notify the Controller in writing of any suspected or confirmed (i) personal data breach; (ii) accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by the Processor under this Agreement; or (iii) any other non-compliance with the Processor’s obligations under this Agreement. The Processor shall cooperate with and provide assistance to the Controller in connection with the management of the personal data breach.
The Processor shall assist the Controller in complying with any other obligations imposed on the Controller under the Data Protection Legislation, including without limitation upon request providing the Controller with all necessary information required to make an impact assessment.
Section 8 - Controller Compliance Obligations
The Controller shall ensure that there is a legal basis for the processing of the Personal Data contained in the Controller’s instructions to the Processor.
The Controller acknowledges that the Processor is reliant on the Controller for direction as to the extent to which the Processor is entitled to use and process the Personal Data on behalf of the Controller. Consequently, the Processor will not be liable for any claim brought by a Data Subject arising from any action or omission by the Processor, to the extent that such act or omission resulted directly from performing the Services in accordance with the Controller’s instructions, and the Controller shall indemnify the Processor and its directors, officers, employees, agents, stockholders, affiliates, subcontractors and customers from and against all allegations, claims, actions, suits, demands, damages, liabilities, obligations, losses, settlements, judgments, costs and expenses (including without limitation attorneys’ fees and costs) which arise out of, relate to or result from any act or omission of the Controller in connection with the Controller’s handling of Personal Data of Data Subjects and, without limitation, the Controller’s failure to comply with this Agreement.
Section 9 - Compliance audits and statements
At the request of the Controller, the Processor shall, within a reasonable time, provide all information necessary for the Controller, a third party auditor mandated by the Controller, or a public authority to verify compliance with this Agreement and/or the Data Protection Legislation.
Section 10 - Term and termination
This Agreement is effective on the effective date of this Agreement or any Master Services Agreement signed between the Parties. If a Master Services Agreement is agreed to amongst the Parties, those terms shall complement, but not supersede, any terms in this Agreement.
Section 11 - Limitation of Liability
Nothing in this Agreement shall limit a party’s liability for general damages; however neither party hereto shall be liable to the other for any incidental, consequential, special, or punitive damages of any kind or nature, arising out of or in connection with a breach of this Agreement or any termination of this Agreement, whether such liability is asserted on the basis of contract, tort (including negligence or strict liability), or otherwise, even if Recipient has been warned of the possibility of any such loss or damage.
Section 12 - Miscellaneous
Except to a Sub-Processor, the Processor may not assign or otherwise transfer any or all of the Processor’s rights or obligations under this Agreement to any third party (or attempt to do so) without the prior written consent of the Controller.
The Parties agree that this Agreement constitutes the entire agreement and understanding between the Parties in respect of data processing of Personal Data hereof and supersedes any previous agreement between the Parties relating to the subject matter hereof. In the event of any discrepancy between the provisions of this Agreement and the provisions of the Contract, the provisions of the Contract will prevail. Notwithstanding the above, the provisions of this Agreement will not apply where the Processor is subject to stricter obligations, e.g. when using the European Commission model contracts for the transfer of personal data to third countries.
The terms, provisions, obligations or conditions of this Agreement may not be waived or amended except by a written instrument signed by both Parties.
If any provision of this Agreement is or becomes illegal, void, invalid or unenforceable, such provision must be severed from the other terms and conditions, which will continue to be valid and enforceable to the fullest extent permitted by law.
All notices required to be given under this Agreement must be in writing and delivered to a well-defined email address. For notices to the Processor, the Controller can send an email to COMPANY_EMAIL.
This Agreement is governed by and will be construed in accordance with the law of the State of California, without regard to its conflict of laws rules.