Data Processing Agreement template

A starting-point DPA for signing with customers (B2B). Structured around GDPR Article 28. Not legal advice — have counsel review.

How to use

Offer to enterprise customers as part of your legal pack.

Template (markdown)

Copy-paste and replace the {{PLACEHOLDERS}}:

# Data Processing Agreement

Between:
- **Controller**: {{CUSTOMER}}
- **Processor**: {{YOUR COMPANY}}

## 1. Subject

This DPA governs {{YOUR COMPANY}}'s processing of personal data on behalf of {{CUSTOMER}} under the Terms of Service.

## 2. Scope of processing

- **Categories of data**: email, name, usage data, support metadata
- **Categories of data subjects**: {{CUSTOMER}}'s end users
- **Purpose**: delivery of the {{PRODUCT}} service
- **Duration**: term of the Terms of Service plus 90 days for backup retention

## 3. Obligations

{{YOUR COMPANY}} will:
- Process data only on {{CUSTOMER}}'s documented instructions
- Ensure personnel are bound by confidentiality
- Implement technical and organizational measures per GDPR Article 32
- Notify {{CUSTOMER}} of data breaches without undue delay (within 72 hours)
- Assist {{CUSTOMER}} with data-subject requests
- Delete or return data at the end of the service

## 4. Sub-processors

{{YOUR COMPANY}} uses the sub-processors listed at {{DOMAIN}}/sub-processors. {{YOUR COMPANY}} will notify {{CUSTOMER}} of additions with 30 days' notice.

## 5. International transfers

Where data is transferred out of the EEA, {{YOUR COMPANY}} relies on Standard Contractual Clauses (EU Commission Decision 2021/914) and a Transfer Impact Assessment.

## 6. Audit

Upon 30 days' notice, {{CUSTOMER}} may request reasonable audit evidence (SOC 2, ISO 27001 reports) or conduct an audit at {{CUSTOMER}}'s cost.

## 7. Liability

Liability under this DPA is subject to the liability caps in the Terms of Service.

## 8. Governing law

{{JURISDICTION}}.

*This template is not legal advice. Have counsel review before using.*