| # DPA |
|
|
| ## Context |
| - Party position: balanced |
| - Deal context: GDPR DPA for SaaS provider processing EU personal data. |
| - Company: CloudProvider | Counterparty: EU Controller |
|
|
| ## Clauses |
|
|
| ### Definitions |
| DEFINITIONS. "Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on Personal Data. "Data Subject" means the identified or identifiable natural person. "Sub-processor" means any third party engaged by CloudProvider to process Personal Data on behalf of EU Controller. "Applicable Law" means the GDPR and any applicable national data protection legislation. |
|
|
| ### Roles Of Parties |
| ROLES OF PARTIES. EU Controller acts as the data controller and CloudProvider acts as the data processor. CloudProvider shall process Personal Data only on documented instructions from EU Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. |
|
|
| ### Processing Instructions |
| PROCESSING INSTRUCTIONS. CloudProvider shall process Personal Data only for the purposes set out in the Agreement and this DPA. CloudProvider shall not process Personal Data for any other purpose unless instructed by EU Controller in writing. |
|
|
| ### Subprocessors |
| SUBPROCESSORS. CloudProvider may engage sub-processors provided that: (a) CloudProvider provides EU Controller with at least thirty (30) days prior written notice of any intended addition or replacement of a sub-processor; (b) EU Controller has the right to object to such changes; (c) CloudProvider imposes data protection obligations no less protective than those in this DPA on each sub-processor. A current list of sub-processors is maintained at [sub-processor list URL]. |
|
|
| ### Data Subject Rights |
| DATA SUBJECT RIGHTS. CloudProvider shall assist EU Controller in responding to data subject access requests, rectification requests, erasure requests, and all other rights under the GDPR. CloudProvider shall promptly notify EU Controller of any data subject request received directly. |
|
|
| ### Security Measures |
| SECURITY MEASURES. CloudProvider shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including: (a) encryption of Personal Data in transit and at rest; (b) access controls and authentication; (c) regular security assessments; (d) business continuity and backup procedures; (e) SOC 2 Type II and ISO 27001 compliance. |
|
|
| ### Audit Rights |
| AUDIT RIGHTS. EU Controller or its designated auditor shall have the right to conduct audits, including inspections, to verify CloudProvider's compliance with this DPA. CloudProvider shall cooperate with and provide reasonable assistance for such audits. CloudProvider shall make available all information reasonably necessary to demonstrate compliance. |
|
|
| ### Data Return And Deletion |
| DATA RETURN AND DELETION. Upon termination of the Agreement or at EU Controller's request, CloudProvider shall: (a) return all Personal Data to EU Controller in a structured, commonly used, machine-readable format; or (b) delete all Personal Data and certify such deletion in writing, unless applicable law requires further storage. |
|
|
| ### Liability |
| LIABILITY. Each party's liability under this DPA shall be subject to the limitations set forth in the Agreement, except where GDPR provides for higher or unlimited liability. |
|
|
| ### Governing Law |
| GOVERNING LAW. This DPA shall be governed by the laws of Ireland, without regard to conflict of laws principles. |
|
|
| ### Term And Termination |
| TERM AND TERMINATION. This DPA shall remain in force for the duration of the Agreement. Upon termination, CloudProvider shall return or delete all Personal Data in accordance with the Data Return and Deletion clause. |
|
|
| ## Risk Flags |
| None detected. |
|
|
| ## Verifier Notes |
| - PASS: Limitation and indemnification both present. |
|
|