
Data Processing Agreement

Legal | Version 1.0 | Effective: 2025-02-01 | Updated: 2025-02-01

Placeholder: A DPA is a legally significant document, especially if you operate in or serve customers in the EU/EEA (where GDPR applies). This placeholder is for structural reference only — please have a qualified attorney draft your actual DPA.

Effective Date: February 1, 2025
Version: 1.0

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between [Your Company Name] (“Processor”) and you, the customer (“Controller”), and governs the processing of personal data by us on your behalf in connection with the Service.

This DPA applies where and to the extent that [Your Company Name] processes personal data on behalf of the Controller that is subject to applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, or other applicable legislation.

2. Definitions

  • “Controller” means the entity that determines the purposes and means of processing personal data — i.e., you, the customer.
  • “Processor” means [Your Company Name], which processes personal data on behalf of the Controller.
  • “Personal Data” has the meaning given to it under applicable data protection law.
  • “Processing” includes any operation performed on personal data, including collection, storage, use, disclosure, or deletion.

3. Subject Matter and Nature of Processing

[Your Company Name] will process personal data only to the extent necessary to provide the Service as described in the Terms of Service, and only on documented instructions from the Controller.

Categories of data subjects: End users and visitors of the Controller’s sites hosted on the Service.

Types of personal data processed: [Describe the types of data — e.g. names, email addresses, IP addresses, usage data, etc.]

Purpose of processing: Delivery of the Service, including hosting, analytics, and support.

4. Processor Obligations

[Your Company Name] agrees to:

  • Process personal data only on the Controller’s documented instructions
  • Ensure that all personnel authorised to process personal data are bound by appropriate confidentiality obligations
  • Implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage
  • Not engage sub-processors without the Controller’s prior written consent (general authorisation is granted for the sub-processors listed in Section 7)
  • Assist the Controller in fulfilling its obligations to respond to data subject requests
  • Delete or return all personal data upon termination of the Service, at the Controller’s choice
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA

5. Controller Obligations

The Controller represents and warrants that it has a lawful basis for any personal data it provides to [Your Company Name] for processing, and that it has obtained any required consents from data subjects.

6. Security

[Your Company Name] implements and maintains appropriate technical and organisational security measures, including but not limited to:

  • Encryption of data in transit (TLS) and at rest (AES-256)
  • Access controls and authentication requirements
  • Regular security assessments
  • Incident response procedures

7. Sub-Processors

[Your Company Name] uses the following categories of sub-processors to deliver the Service:

Sub-Processor          Purpose                  Location
[Cloud Provider]       Infrastructure hosting   [Region]
[Analytics Provider]   Usage analytics          [Region]
[Email Provider]       Transactional email      [Region]

We will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.

8. Data Transfers

Where personal data is transferred outside the EEA or UK, [Your Company Name] will ensure such transfers comply with applicable law, including by relying on Standard Contractual Clauses or other approved transfer mechanisms.

9. Data Breach Notification

[Your Company Name] will notify the Controller without undue delay (and in any event within 72 hours where feasible) upon becoming aware of a personal data breach affecting Controller data.

10. Data Retention and Deletion

Upon termination of the Service, [Your Company Name] will delete or return all personal data within 30 days, unless retention is required by applicable law. See our Cancellation Guide for data export instructions.

11. Governing Law

This DPA shall be governed by the law specified in the Terms of Service.

12. Contact

Data protection enquiries should be directed to privacy@yourapp.com.