Data Processing Agreement
Last updated: [date]
This DPA supplements the Terms of Service and applies when SaaS Tracker processes personal data on behalf of a customer subject to GDPR or equivalent data protection law.
1. Definitions
[founder + counsel to fill: define Controller, Processor, Sub-processor, Data Subject, Personal Data, Processing, EEA, GDPR, Supervisory Authority — use GDPR Art. 4 definitions as baseline]
2. Scope and Nature of Processing
[founder + counsel to fill: subject matter, duration, nature and purpose of processing, type of personal data, categories of data subjects — must match Annex I per SCCs]
3. Processor Obligations
SaaS Tracker will:
- Process personal data only on documented instructions from the customer (Controller);
- Ensure persons authorized to process have committed to confidentiality;
- Implement appropriate technical and organizational security measures (Art. 32);
- Respect the conditions for engaging sub-processors (Art. 28(2) and 28(4));
- Assist the Controller in responding to data subject requests;
- Notify the Controller without undue delay of any personal data breach;
- Delete or return all personal data upon termination of services;
- Provide all information necessary to demonstrate compliance.
[founder + counsel to fill: expand each bullet with specific procedures, timeframes, and contact points]
4. Sub-processors
[founder + counsel to fill: current sub-processor list with name, country, processing activity, and legal basis for transfer for each. Describe process for customer objection to new sub-processors.]
Current sub-processors are listed at: [founder to fill: URL to sub-processor list page or inline table]
5. International Transfers
[founder + counsel to fill: mechanism for transfers to Singapore and other third countries — Standard Contractual Clauses (Module 2: Controller to Processor), adequacy decisions, supplementary measures per Schrems II]
6. Security Measures
[founder + counsel to fill: describe TOMs — encryption in transit (TLS 1.2+), encryption at rest (AES-256), access control (RBAC, MFA), vulnerability management, penetration testing schedule, SOC 2 roadmap, incident response plan]
7. Personal Data Breach Notification
[founder + counsel to fill: notification timeline (not later than 48h after becoming aware), content of notification (Art. 33(3)), contact channel for breach reports]
8. Data Subject Rights Assistance
[founder + counsel to fill: describe tooling available to controllers — data export API, deletion endpoint, rectification, restriction. Response SLA for DSR forwarding.]
9. Audits and Inspections
[founder + counsel to fill: audit rights — frequency, notice period, who bears cost, documentation alternatives (SOC 2, ISO 27001), onsite audit conditions]
10. Return and Deletion of Data
[founder + counsel to fill: data return format (CSV/JSON export), deletion timeline after account termination, certification of deletion, backup retention period]
11. Liability
[founder + counsel to fill: liability allocation between controller and processor, contribution rights, limits consistent with main Terms of Service]
12. Governing Law
[founder + counsel to fill: governing law and jurisdiction, noting that SCCs require EU member state law for clauses involving EU data]
13. Execution
[founder + counsel to fill: how this DPA is executed — click-through acceptance, countersigned PDF, or electronic signature. Relationship to main agreement.]