This Data Processing Addendum ("DPA") forms part of the Terms of Service between the customer ("Controller") and [App Owner] ("Processor") governing the processing of personal data by the Processor on behalf of the Controller.
1. Definitions
Capitalised terms have the meanings given in the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and, where applicable, the UK GDPR.
2. Scope, roles and duration
The Processor processes Personal Data on behalf of the Controller strictly for the purpose of delivering the Service described in the Terms, for as long as the subscription is active plus the retention period defined therein.
3. Nature and purpose of processing
- Subject matter: support case handling, AI-assisted drafting, KB deflection, incident intelligence, analytics.
- Categories of data subjects: Controller's end customers and Controller's authorised users.
- Categories of personal data: identifiers, contact details, case content, usage logs.
4. Processor obligations
- Process Personal Data only on documented Controller instructions.
- Ensure personnel are bound by confidentiality.
- Implement technical and organisational measures as set out in Annex II.
- Assist the Controller with data subject requests, DPIAs and breach notification.
- Notify the Controller without undue delay and no later than 72 hours after becoming aware of a Personal Data Breach.
5. Subprocessors
The Controller authorises the Processor to engage the subprocessors listed on the Privacy Policy. The Processor will give at least [15] days' notice of any intended change and offer the Controller a right to object.
6. International transfers
Transfers of Personal Data outside the EEA/UK rely on the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 2 — Controller to Processor) and, for UK data, the UK International Data Transfer Addendum, incorporated by reference.
7. Return or deletion
On termination the Processor will, at the Controller's choice, return or delete all Personal Data within [30] days, unless retention is required by law.
8. Audit
The Controller may audit the Processor's compliance once per year, on 30 days' notice, during business hours, subject to reasonable confidentiality and security controls.
Annex II — Technical and organisational measures
- Row-level tenant isolation enforced at the database layer.
- TLS 1.2+ for data in transit; encryption at rest for primary storage.
- Role-based access with least privilege; MFA available for all users.
- Structured audit logging of authentication, role changes and privileged actions.
- Automated backups and documented restore procedures.
- Security scanning and dependency vulnerability review.
This DPA is a template. A signed counterpart is available on request from legal@[your-domain].