Data Processing Agreement

Last updated: [CUSTOMIZE: Effective date]

1. Definitions

"Controller" means the customer who determines the purposes and means of processing. "Processor" means [CUSTOMIZE: Company legal name]. "Personal Data", "Processing", "Data Subject", and "Sub-processor" have the meanings given in the GDPR.

2. Roles

The customer is the Controller of Personal Data processed via the Service. [CUSTOMIZE: Company name] acts as Processor on behalf of the Controller.

3. Processing Details

Subject matter: Provision of the Dual Canvas service.

Duration: For the term of the customer's subscription.

Nature and purpose: Hosting, storage, and processing of customer data to deliver the Service.

Types of data: [CUSTOMIZE: e.g. Names, emails, user content, usage data.]

Categories of data subjects: [CUSTOMIZE: e.g. Customer's employees, end users.]

4. Processor Obligations

The Processor shall: (a) process Personal Data only on documented instructions from the Controller; (b) ensure personnel with access are bound by confidentiality; (c) implement appropriate technical and organizational measures; (d) assist the Controller with data subject requests, impact assessments, and regulatory inquiries; (e) delete or return Personal Data upon request at the end of the agreement.

5. Sub-processors

[CUSTOMIZE: List or link to sub-processor list. E.g. We use sub-processors for hosting (e.g. Vercel, [provider]), database (Postgres), and payment (Stripe). We will notify you of changes and you may object within 30 days.]

6. International Transfers

[CUSTOMIZE: If data may be transferred outside the EEA, describe transfer mechanisms (SCCs, adequacy decisions, etc.).]

7. Security Incidents

The Processor will notify the Controller without undue delay of any Personal Data breach and provide information to assist the Controller in meeting its breach notification obligations.

8. Audits

[CUSTOMIZE: Describe audit rights. E.g. Controller may request information to verify compliance. Processor will provide SOC 2 or equivalent if available.]

9. Contact

Processor contact for DPA matters: [CUSTOMIZE: DPO/legal email].