Data Processing Addendum (DPA)

DATA PROCESSING ADDENDUM

This DPA supplements the [Agreement] dated [DATE] between [CONTROLLER] ("Controller") and [PROCESSOR] ("Processor").

1. ROLES. Controller determines the purposes of processing; Processor processes Personal Data only on Controller's documented instructions.

2. SCOPE. Processing covers [categories of data subjects and data], for the purpose of providing the Services.

3. CONFIDENTIALITY. Processor ensures persons authorized to process Personal Data are bound by confidentiality.

4. SECURITY. Processor implements appropriate technical and organizational measures, including encryption in transit and at rest and access controls.

5. SUBPROCESSORS. Processor may engage subprocessors under written terms no less protective than this DPA and will notify Controller of changes.

6. DATA SUBJECT RIGHTS. Processor will assist Controller in responding to data-subject requests (access, deletion, portability).

7. BREACH NOTICE. Processor notifies Controller without undue delay (and within [72] hours) after becoming aware of a Personal Data breach.

8. DELETION. On termination, Processor deletes or returns Personal Data, subject to legal retention requirements.

9. AUDIT. Controller may audit compliance once per year on reasonable notice.

CONTROLLER: __________________  DATE: __________
PROCESSOR: ___________________  DATE: __________

---
This free template is provided by ClauseAudit for general informational purposes and is not legal advice. Have it reviewed before use. Replace all [BRACKETED] placeholders.