Below is a sample Data Processing Agreement (DPA) template that can be used by companies that process personal data on behalf of their customers.

DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) is entered into by and between:

  • Controller: The customer (“Controller”), who determines the purposes and means of processing Personal Data.
  • Processor: Truelist.io (“Processor”), which processes Personal Data on behalf of the Controller.

Effective Date: [Insert Effective Date]


1. Definitions

  • “Personal Data”: Any information relating to an identified or identifiable natural person processed under this DPA.
  • “Processing”: Any operation or set of operations performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
  • “Data Controller”: The entity that determines the purposes and means of the processing of Personal Data.
  • “Data Processor”: The entity that processes Personal Data on behalf of the Data Controller.
  • “Subprocessor”: Any third party engaged by the Processor to process Personal Data.

2. Scope and Roles

The parties acknowledge that, in relation to the Processing of Personal Data, the Controller acts as the Data Controller and the Processor acts as the Data Processor. This DPA applies when the Processor processes Personal Data on behalf of the Controller in connection with services provided by Truelist.io.


3. Processing Instructions

  • The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by law.
  • The types of Personal Data processed may include: email addresses and any other personal data explicitly provided by the Controller’s users for validation purposes.
  • The purpose of Processing: To validate email addresses for accuracy and deliverability.

4. Data Security

  • The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
    • Encryption of data in transit and at rest.
    • Access controls and authentication mechanisms.
    • Regular security assessments and audits.
    • Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems.

5. Subprocessors

  • The Controller authorizes the Processor to engage Subprocessors necessary for the provision of the service, including but not limited to: AWS, SendGrid.
  • The Processor shall maintain an up-to-date list of Subprocessors, available upon request, and ensure that each Subprocessor is bound by data protection obligations consistent with this DPA.

6. Data Subject Rights

  • The Processor shall assist the Controller in responding to requests from Data Subjects concerning their rights to access, rectify, or erase Personal Data, restrict or object to processing, and data portability.

7. Data Transfers

  • The Processor shall ensure that, when Personal Data is transferred outside the European Economic Area (“EEA”), appropriate safeguards are implemented as required by applicable law.

8. Duration and Termination

  • This DPA shall remain in effect as long as the Processor processes Personal Data on behalf of the Controller.
  • Upon termination of the agreement, the Processor shall delete all Personal Data or return it to the Controller, as requested, unless otherwise required by law.
  • All Personal Data processed by the Processor will be deleted within 30 days of processing completion unless otherwise agreed upon.

9. Liability and Indemnity

  • The Processor’s liability under this DPA shall be limited to direct damages resulting from its breach of the DPA, unless otherwise agreed.
  • The Controller shall indemnify and hold harmless the Processor against any claims resulting from the Controller’s breach of applicable data protection laws.

10. Miscellaneous

  • Governing Law: This DPA shall be governed by the laws of the United States.
  • Amendments: This DPA may be amended only by a written agreement between the parties.
  • Entire Agreement: This DPA constitutes the entire agreement between the parties with respect to the processing of Personal Data.