Data Processing Agreement
Last updated:
Important notice
This Data Processing Agreement serves as a placeholder for this website template. It is not legal advice and may not reflect your specific product, infrastructure, subprocessors, or legal obligations. Before using this agreement for a real service, you should review and revise it with qualified legal counsel.
1. Parties and scope
This DPA is entered into by:
Customer: the organization or person that subscribes to or uses the service
Service Provider: the entity that provides the service and processes personal data on behalf of the customer
This DPA applies to processing of personal data by the service provider as a processor or service provider acting on behalf of the customer as controller or business, as those terms are defined under applicable data protection laws.
If there is a conflict between this DPA and the main agreement, this DPA will control with respect to processing of personal data.
2. Definitions
Terms such as “personal data,” “processing,” “controller,” “processor,” “subprocessor,” and “supervisory authority” have the meanings given in applicable data protection laws.
For clarity:
Customer Data means personal data submitted to or processed through the service on behalf of the customer
Authorized Users means individuals authorized by the customer to use the service
Data Subject Request means a request by an individual to exercise privacy rights under applicable law
3. Roles of the parties
The customer determines the purposes and means of processing of customer data. The service provider processes customer data only on documented instructions from the customer, including as necessary to provide and secure the service, maintain functionality, and support the customer.
The customer is responsible for ensuring it has a lawful basis to collect and provide customer data to the service provider and for providing any required notices to data subjects.
4. Details of processing
4.1 Subject matter
The subject matter of processing is the provision of the service, including hosting, storage, workflows, collaboration features, support, and related functionality.
4.2 Duration
Processing will continue for the term of the customer’s use of the service, including any period during which the service provider retains customer data as described in the main agreement or as required by law.
4.3 Nature and purpose
Processing may include collection, storage, organization, access, use, transmission, and deletion of customer data as needed to provide the service, maintain security, prevent abuse, provide support, and meet legal obligations.
4.4 Categories of data subjects
Data subjects may include:
customer employees and contractors
customer end users
customer clients or contacts
other individuals whose personal data is included in customer data
4.5 Categories of personal data
Customer data may include:
identifiers such as name, email, account IDs
contact information and profile data
usage and activity data within the service
communications and support content
other personal data submitted by the customer or users
Special categories of data should not be submitted unless the parties have agreed in writing and appropriate safeguards are in place.
5. Customer instructions
The service provider will process customer data only on documented instructions from the customer. Instructions are typically provided through configuration of the service, use of product features, and written requests submitted through support channels.
If the service provider believes an instruction violates applicable law, it will inform the customer unless prohibited by law.
6. Confidentiality
The service provider will ensure that personnel authorized to process customer data are subject to confidentiality obligations and receive appropriate training regarding data protection and information security.
7. Security measures
The service provider will implement reasonable technical and organizational measures designed to protect customer data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Security measures may include, as appropriate:
encryption in transit and at rest
access controls and least privilege policies
logging and monitoring of systems
vulnerability management and patching
backups and resilience practices
The customer acknowledges that security is not absolute and that no method of transmission or storage can be guaranteed secure.
8. Subprocessors
The customer authorizes the service provider to engage subprocessors to assist in providing the service. Subprocessors may include hosting providers, analytics providers, support tooling, communication providers, and payment processors.
The service provider will:
impose data protection obligations on subprocessors consistent with this DPA
remain responsible for subprocessors’ performance of their obligations
make information about subprocessors available, where required by law
The service provider may update its subprocessors list from time to time.
9. International transfers
If customer data is transferred to or accessed from locations outside the customer’s jurisdiction, the service provider will use appropriate safeguards where required, such as standard contractual clauses or other lawful transfer mechanisms.
Transfer mechanisms and locations may depend on infrastructure and subprocessors.
10. Assistance with data requests
Taking into account the nature of processing, the service provider will provide reasonable assistance to help the customer respond to data subject requests, to the extent required by law and technically feasible.
If the service provider receives a data subject request directly, it will direct the request to the customer unless legally prohibited.
11. Assistance with security requests
The service provider will provide reasonable assistance to the customer in connection with:
security incidents affecting customer data
regulatory inquiries related to processing under this DPA
data protection impact assessments where required by law
Assistance may be provided through documentation, audit reports where available, and support responses.
12. Personal data breach notification
The service provider will notify the customer without undue delay after becoming aware of a personal data breach affecting customer data, and will provide information reasonably necessary to help the customer meet its notification obligations.
The customer is responsible for notifying supervisory authorities and affected individuals where required.
13. Deletion and return of data
Upon termination of the service, the service provider will delete or return customer data within a reasonable period, subject to the customer’s configuration and applicable law.
The service provider may retain limited customer data as required by law or for legitimate business purposes such as enforcing agreements, resolving disputes, and maintaining security records.
14. Audits
Where required by law, the customer may request reasonable information to verify compliance with this DPA. Audits may be satisfied through third-party audit reports, security documentation, or other information made available by the service provider.
Any audit requests must be reasonable, limited in scope, and subject to confidentiality. The service provider may charge a reasonable fee for extensive requests or on-site audits, where permitted by law.
15. Liability
Liability under this DPA is subject to the limitations of liability set out in the main agreement, unless applicable law requires otherwise.
16. Governing law
This DPA will be governed by the law specified in the main agreement, unless applicable law requires a different approach.
17. Contact information
For data protection inquiries related to this DPA, contact:
Email: support@framer-template.com
Address: 123 Example Street, Example City, EX 00000