Example DPA Agreement

Below is a template Data‑Processing Agreement (DPA) that you can adapt for Pocket Computer Networks (the “Processor”) and any of its customers (the “Controller”).
The language follows the EU General Data‑Protection Regulation (GDPR) but can be trimmed or expanded to fit other jurisdictions (CCPA, LGPD, etc.).

NOTE: This is a template only. Before using it you should have it reviewed by legal counsel familiar with the specific jurisdictions and the exact services you provide.


DATA‑PROCESSING AGREEMENT

(Between Pocket Computer Networks (“Processor”) and ______________________ (“Controller”))

1. DEFINITIONS

Term – Meaning

Personal Data – Any information relating to an identified or identifiable natural person, as defined in Art. 4(1) GDPR.
Processing – Any operation performed on Personal Data, whether or not by automated means (e.g., collection, storage, retrieval, alteration, disclosure, erasure).
Data Subject – The natural person to whom the Personal Data relates.
Sub‑processor – Any third party engaged by the Processor to carry out part of the Processing on behalf of the Controller.
Applicable Law – All applicable data‑protection and privacy legislation (e.g., GDPR, UK GDPR, CCPA, LGPD).
Security Incident – Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data (a “personal data breach” within the meaning of Art. 4(12) GDPR).
Services – The services described in the underlying Service Agreement (e.g., hosting, cloud storage, SaaS, managed IT).

2. SUBJECT‑MATTER AND DURATION

2.1 Subject‑Matter – The Processor shall process Personal Data on behalf of the Controller solely for the purpose of providing the Services.

2.2 Duration – This DPA remains in effect for the duration of the Service Agreement. Upon termination of the Services, the Processor shall, at the Controller’s election, either (a) return all Personal Data to the Controller or (b) securely destroy it, unless retention is required by law.

3. PROCESSOR’S OBLIGATIONS

3.1 Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including any instructions concerning transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law. In such a case, the Processor shall inform the Controller of that legal requirement before compliance, unless prohibited.

3.2 Confidentiality

All personnel authorized to process Personal Data shall be bound by a duty of confidentiality (contractual or statutory) and shall only access Personal Data to the extent necessary for the Services.

3.3 Security Measures

The Processor shall implement appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk, taking into account:

  • the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the likelihood and severity of risks to the rights and freedoms of Data Subjects;
  • at minimum, the measures listed in Annex A – Security Controls (encryption, access controls, logging, vulnerability management, incident response, etc.).

3.4 Sub‑processors

The Processor may engage Sub‑processors only after obtaining the Controller’s prior written authorization. The Processor shall enter into a written agreement with each Sub‑processor imposing the same data‑protection obligations as set out in this DPA. The Processor shall provide the Controller with an up‑to‑date list of Sub‑processors upon request.

3.5 International Transfers

If Personal Data is transferred to a country outside the European Economic Area (EEA) that is not covered by an adequacy decision, the Processor shall ensure that an appropriate safeguard is in place (e.g., Standard Contractual Clauses, Binding Corporate Rules, or an approved certification mechanism) before the transfer takes place. The Processor shall make the relevant documentation (e.g., the executed SCCs and any transfer impact assessment) available to the Controller upon request.

3.6 Data Subject Rights

Taking into account the nature of the processing, the Processor shall assist the Controller by:

  • Providing the Controller with any information necessary to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection).
  • Facilitating the execution of such requests without undue delay, provided the Controller supplies a verified request and any required instructions.

The Processor shall not act on a Data Subject request unless instructed by the Controller, except where required by law.

3.7 Notification of Security Incidents

The Processor shall notify the Controller without undue delay and, where feasible, within 24 hours after becoming aware of a Security Incident affecting Personal Data. The notification shall include:

  • a description of the incident,
  • categories and approximate number of Data Subjects affected,
  • likely consequences,
  • measures taken or proposed to mitigate the impact, and
  • contact details of the person responsible for the incident response.

3.8 Audit & Inspection

The Controller (or an auditor mandated by the Controller) may, upon reasonable notice and during normal business hours, audit the Processor’s compliance with this DPA. The Processor shall provide all relevant documentation, including logs, security policies, and Sub‑processor agreements, and shall cooperate fully with any audit. Audits shall be conducted at the Controller’s expense unless significant non‑compliance is discovered, in which case the Processor shall bear the reasonable costs of a remedial audit.

4. CONTROLLER’S OBLIGATIONS

  • Ensure that its instructions to the Processor comply with Applicable Law.
  • Obtain any necessary consents or legal bases for the Processing.
  • Provide the Processor with its Record of Processing Activities (ROPA) insofar as it affects the Services.
  • Promptly inform the Processor of any changes to the scope of Processing, the categories of Personal Data, or the Data Subject categories.

5. PERSONAL DATA BREACH RESPONSE

  • The Processor shall follow its documented Incident Response Plan (see Annex B).
  • The Processor shall cooperate with the Controller to fulfill any notification obligations to supervisory authorities and Data Subjects, providing all required information in a timely manner.

6. RETURN OR DESTRUCTION OF PERSONAL DATA

Upon termination of the Services, at the Controller’s election, the Processor shall:

  • Return all Personal Data to the Controller in a structured, commonly used electronic format, or
  • Permanently delete all Personal Data, providing a written certification of destruction, unless retention is required by law (e.g., tax, accounting).

The Processor shall retain only anonymised or aggregated data that cannot be linked back to a Data Subject, if such retention is necessary for legitimate business purposes and the Controller has consented.

7. LIABILITY

  • Each party shall be liable for damages caused by its breach of this DPA in accordance with the underlying Service Agreement and Applicable Law.
  • Neither party shall be liable for indirect, consequential, or punitive damages unless arising from intentional misconduct or gross negligence.

8. GOVERNING LAW & JURISDICTION

This DPA shall be governed by the law of [Insert Governing Jurisdiction]. Any disputes shall be resolved in the courts of [Insert Venue], unless the parties agree otherwise in writing.

9. MISCELLANEOUS

  • Severability – If any provision is found invalid, the remaining provisions continue in full force.
  • Amendments – Any amendment must be in writing and signed by authorized representatives of both parties.
  • Entire Agreement – This DPA, together with the Service Agreement, constitutes the entire agreement regarding data protection between the parties.

ANNEX A – MINIMUM SECURITY CONTROLS

Category / Control – Description

Access Control
  • Role‑Based Access (RBAC) – Only authorized personnel may access Personal Data; least‑privilege principle enforced.
Encryption
  • Data‑at‑Rest – AES‑256 encryption for all stored Personal Data.
  • Data‑in‑Transit – TLS 1.2+ (preferably TLS 1.3) for all network communications.
Logging & Monitoring
  • Audit Trails – Immutable logs of access, modifications, and deletions retained ≥ 180 days.
  • Intrusion Detection – IDS/IPS with real‑time alerts for anomalous activity.
Vulnerability Management
  • Patch Management – Critical security patches applied within 48 hours of release.
  • Penetration Testing – Annual external pentest and quarterly internal scans.
Backup & Recovery
  • Encrypted Backups – Daily encrypted backups stored in a geographically separate location within the EEA.
  • Disaster Recovery – RTO ≤ 4 hours, RPO ≤ 30 minutes for critical Personal Data.
Physical Security
  • Data‑Centre Certifications – ISO 27001, SOC 2 Type II, and local Icelandic data‑centre compliance.
Incident Response
  • Playbooks – Documented procedures for containment, eradication, recovery, and post‑mortem.
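The “immutable audit trail” control above is the one an auditor under Section 3.8 will most often ask to see evidence for. The following is an added example, not part of the template and not a description of Pocket Computer Networks’ systems: one way a Processor can make an access log tamper‑evident using only the Python standard library. Each record carries an HMAC over its own fields plus the previous record’s tag, so editing, reordering or deleting any record breaks the chain from that point on; a checkpoint of the latest tag, handed to the Controller, additionally detects silent truncation of the tail. The JSON‑lines layout, the field names, the demo key and the sample events are all assumptions made for the example.

```python
"""Tamper-evident audit trail for Personal Data access events.

Added example (not from the DPA template). Implements the Annex A
'immutable audit trail' control as an HMAC hash chain: every entry's tag
covers its own fields and the previous entry's tag. Assumptions: JSON-style
records, an HMAC key held outside the application host, and a checkpoint
stored by the Controller for tail-truncation detection.
"""
from __future__ import annotations

import hashlib
import hmac
import json

GENESIS_TAG = "0" * 64               # 'previous tag' of the very first record
DEMO_KEY = b"demo-only-key-keep-the-real-one-in-a-HSM-or-KMS"  # constructed, not a real key


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so writer and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_event(log: list, key: bytes, actor: str, action: str,
                 subject_id: str, ts: str) -> dict:
    """Append one READ/UPDATE/DELETE event, chained to the previous entry."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    body = {
        "seq": len(log),                 # position in the chain
        "ts": ts,                        # ISO-8601 timestamp supplied by caller
        "actor": actor,
        "action": action,
        # Do not write raw Data Subject identifiers into logs; a hash is enough
        # to correlate events during an investigation.
        "subject": hashlib.sha256(subject_id.encode()).hexdigest(),
        "prev": prev_tag,
    }
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, tag=tag)
    log.append(entry)
    return entry


def verify_chain(log: list, key: bytes) -> tuple[bool, int]:
    """Walk the chain; return (True, -1) or (False, index_of_first_bad_entry)."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("seq") != i or body.get("prev") != prev_tag:
            return False, i              # record removed, reordered or inserted
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i              # record contents altered
        prev_tag = entry["tag"]
    return True, -1


def checkpoint(log: list) -> dict:
    """Latest (seq, tag). The Controller keeps this off-site so that deleting
    the most recent entries (which leaves the remaining chain valid) is detected."""
    if not log:
        return {"seq": -1, "tag": GENESIS_TAG}
    return {"seq": log[-1]["seq"], "tag": log[-1]["tag"]}


def matches_checkpoint(log: list, cp: dict) -> bool:
    """True if the log still ends exactly where the stored checkpoint says it did."""
    if len(log) != cp["seq"] + 1:
        return False
    last_tag = log[-1]["tag"] if log else GENESIS_TAG
    return hmac.compare_digest(last_tag, cp["tag"])


if __name__ == "__main__":
    # Constructed sample events for the demonstration.
    log: list = []
    append_event(log, DEMO_KEY, "alice@processor", "READ", "subj-001", "2024-05-01T10:00:00+00:00")
    append_event(log, DEMO_KEY, "bob@processor", "UPDATE", "subj-002", "2024-05-01T10:05:00+00:00")
    append_event(log, DEMO_KEY, "bob@processor", "DELETE", "subj-002", "2024-05-01T10:06:00+00:00")
    cp = checkpoint(log)
    print("intact:", verify_chain(log, DEMO_KEY), matches_checkpoint(log, cp))

    log[1]["actor"] = "mallory@processor"        # edit a record in place
    print("edited:", verify_chain(log, DEMO_KEY))
    log[1]["actor"] = "bob@processor"

    log.pop()                                    # silently drop the latest record
    print("truncated:", verify_chain(log, DEMO_KEY), matches_checkpoint(log, cp))
```

Two design points worth noting. The HMAC key must not live on the host that writes the log, otherwise an attacker with that access can simply re‑sign a rewritten history; in practice the key sits in a KMS/HSM and the writer calls out for each tag, or the log is forwarded in near real time to a separate system that does the signing. Second, a hash chain on its own cannot tell an auditor that the log once had more entries than it has now, which is why the checkpoint (or, equivalently, a periodic signed digest sent to the Controller) is part of the control rather than an optional extra.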

ANNEX B – INCIDENT RESPONSE PLAN (SUMMARY)

  1. Detection – Automated alerts from SIEM, IDS, or manual reporting.
  2. Containment – Isolate affected systems, revoke compromised credentials.
  3. Eradication – Remove malicious code, patch vulnerabilities.
  4. Recovery – Restore from clean backups, verify integrity, resume normal operations.
  5. Notification – Notify the Controller (as per § 3.7) and assist the Controller with its own notifications; under Art. 33 GDPR the Controller must notify the supervisory authority within 72 hours of becoming aware of a breach, and under Art. 34 the affected Data Subjects where the breach is likely to result in a high risk to them.
  6. Post‑Incident Review – Root‑cause analysis, update controls, document lessons learned.

How to Use This Template

  1. Insert the Parties’ Names & Addresses at the top of the agreement.
  2. Specify the Governing Law & Venue in Section 8.
  3. Tailor the Services Description (Section 1) to reflect the exact Pocket Computer Networks offering (e.g., “Managed VPS hosting”, “SaaS CRM”, etc.).
  4. Adjust Security Controls in Annex A to match the actual technical environment you operate (e.g., if you rely on full‑disk encryption such as BitLocker rather than application‑level encryption of Personal Data, state that, together with the cipher and key length it is configured to use).
  5. Add any Additional Clauses required by local law (e.g., specific CCPA “right to opt‑out of sale” language if you serve California residents).

Once completed, have both parties sign (physically or electronically) and keep a copy attached to the main Service Agreement.