1. Scope and Purpose

This Data Processing Agreement ("DPA") forms part of the agreement between the Company ("Processor") and the customer ("Controller") for the provision of services. This DPA sets out the terms under which the Processor processes personal data on behalf of the Controller.

2. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person
• Processing: Any operation performed on personal data, including collection, storage, use, and deletion
• Data Subject: The individual to whom the personal data relates
• Sub-processor: A third party engaged by the Processor to process personal data

3. Obligations of the Processor

The Processor shall:

• Process personal data only on documented instructions from the Controller
• Ensure that persons authorized to process personal data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist the Controller in responding to data subject requests
• Delete or return all personal data upon termination of services
• Make available all information necessary to demonstrate compliance

4. Security Measures

The Processor implements the following security measures:

• Encryption of personal data in transit and at rest
• Regular testing and evaluation of security measures
• Access controls and authentication mechanisms
• Incident detection and response procedures
• Regular backups and disaster recovery capabilities
• Employee security awareness training

5. Sub-processing

The Processor shall not engage a sub-processor without prior written authorization from the Controller. When a sub-processor is engaged:

• The Processor shall impose equivalent data protection obligations
• The Processor remains fully liable for the sub-processor's performance
• The Controller shall be informed of any intended changes to sub-processors

6. Data Transfers

Any transfer of personal data to a country outside the European Economic Area shall be subject to appropriate safeguards, including:

• Standard contractual clauses
• Binding corporate rules
• Adequacy decisions by relevant authorities

7. Data Breach Notification

The Processor shall notify the Controller without undue delay (and no later than 48 hours) upon becoming aware of a personal data breach. The notification shall include:

• The nature of the breach
• Categories and approximate number of affected data subjects
• Likely consequences of the breach
• Measures taken or proposed to address the breach

8. Audit Rights

The Controller has the right to conduct audits and inspections to verify the Processor's compliance with this DPA. The Processor shall cooperate fully and provide access to all relevant facilities, equipment, and records.

9. Duration and Termination

This DPA shall remain in effect for the duration of the service agreement. Upon termination, the Processor shall, at the Controller's choice, delete or return all personal data and certify that it has done so.

10. Liability

Each party's liability under this DPA is subject to the limitations set out in the main service agreement. Nothing in this DPA limits either party's liability for breaches of data protection law.