Data Processing Addendum
Last updated: {Effective Date}
Template — replace bracketed placeholders before publishing. Not legal advice.
1. Roles
For personal data processed on your behalf, you are the Controller (or Business under CCPA) and {Company Legal Name} is the Processor (Service Provider). This DPA is incorporated into the Terms of Service.
2. Subject matter
Nature and purpose: providing the Service.
Duration: for the term of your subscription plus the retention windows below.
Categories of data subjects: your end users and personnel.
Categories of personal data: account identifiers, email, profile fields you provide, request logs.
3. Processor obligations
- Process personal data only on documented instructions from you.
- Ensure persons authorised to process are bound by confidentiality.
- Implement appropriate technical and organisational measures (see Annex).
- Engage sub-processors only per Section 5.
- Assist you with data subject requests and DPIAs.
- Notify you of a personal data breach without undue delay and at most within {72} hours of awareness.
- Delete or return personal data at end of provision, subject to legal retention.
4. International transfers
Where personal data is transferred outside the EEA/UK/Switzerland, the parties rely on the EU Standard Contractual Clauses (Module 2) and the UK IDTA / Addendum as applicable, incorporated by reference.
5. Sub-processors
You authorise the sub-processors listed at /legal/subprocessors. We will give at least {30} days' notice before adding a sub-processor; you may object on reasonable grounds.
6. Security measures (Annex II)
- Encryption in transit (TLS 1.2+) and at rest.
- Role-based access, least privilege, MFA for administrators.
- Row-Level Security on all customer data tables.
- Secret management via managed KMS; no plaintext secrets in code.
- Logged and monitored access to production systems.
- Regular backups; documented restore procedure.
- Vendor security review before onboarding sub-processors.
7. Audit
Once per year, and on a personal-data-breach notification, you may request written responses to a security questionnaire and copies of third-party audit reports we hold. On-site audits by written agreement, at your cost.
8. Signing
To countersign, email {privacy@example.com} with your legal entity name and contact.