Data Processing Agreement

This Data Processing Agreement (“DPA”) is entered into between [Client / Controller Name] (“Controller”) and [Service Provider / Processor Name] (“Processor”) effective as of [Effective Date]. It governs the processing of personal and confidential information in connection with the services described in the underlying agreement between the parties (the “Services Agreement”).

1. Scope & Roles

Processor will process Controller's data solely on documented instructions from Controller and only to the extent necessary to perform the Services. Controller remains the data controller and retains sole ownership of all Controller data.

2. Data Ownership

All data provided by Controller, generated on Controller's behalf, or derived from Controller's data is and remains the exclusive property of Controller. Processor obtains no rights, license, or interest in such data beyond what is strictly necessary to deliver the Services.

3. Confidentiality

• Processor will treat all Controller data as strictly confidential.
• Access to Controller data will be limited to personnel with a documented need to know, and only after such personnel are bound by written confidentiality obligations.
• Processor will not disclose Controller data to any third party except as expressly authorized in writing by Controller or required by law.

4. Sub-Processors & AI Services

Processor will not engage sub-processors (including third-party AI/ML services) without Controller's prior written consent. Where AI services are used, Processor warrants that:

• The service is contracted under enterprise / commercial terms (not consumer terms).
• Controller data will not be used to train, fine-tune, or improve AI models.
• Data retention is limited to [30 days / specify] for operational purposes only.
• A Data Processing Addendum is in place between Processor and the AI provider.

5. Security Measures

Processor will implement and maintain appropriate technical and organizational measures, including:

• Encryption of data in transit (TLS) and at rest.
• Role-based access controls and multi-factor authentication for administrative access.
• Regular security patching, vulnerability scanning, and backup procedures.
• Documented incident response and breach notification procedures.

6. Data Retention & Deletion

Controller data will be retained only for the duration necessary to provide the Services or as required by law. Upon termination of the Services Agreement, or upon written request from Controller, Processor will return or securely delete all Controller data within [30 / 60 / 90] days and certify the deletion in writing.

7. Breach Notification

Processor will notify Controller without undue delay, and in any event within [24 / 48 / 72] hours, of becoming aware of any actual or suspected unauthorized access, disclosure, loss, or destruction of Controller data. Notice will include the nature of the incident, the data affected, and the steps taken to contain and remediate it.

8. Audit Rights

Controller (or an independent auditor acting on its behalf) may, on reasonable notice and no more than once per year, audit Processor's compliance with this DPA. Processor will provide reasonable cooperation, including access to relevant records, policies, and personnel.

9. Liability & Indemnification

Each party will be liable for damages arising from its breach of this DPA in accordance with the limitations set forth in the Services Agreement. Processor will indemnify Controller against third-party claims arising from Processor's failure to comply with the obligations in this DPA.

10. Governing Law

This DPA is governed by the laws of [Jurisdiction] without regard to its conflict-of-laws principles.