Data Processing Agreement Template

GDPR-Compliant DPA for Customer and Vendor Relationships

DATA PROCESSING AGREEMENT

This Data Processing Agreement ("DPA") is entered into as of [DATE]

BETWEEN:

[CONTROLLER NAME]
Address: [ADDRESS]
("Controller" or "Customer")

AND:

SkyMirror Kft.
Registered Address: Kálmán Imre utca 1, 1054 Budapest, Hungary
("Processor" or "SkyMirror")

1. DEFINITIONS

1.1 "Data Protection Laws" means GDPR (Regulation 2016/679), and all applicable data protection and privacy laws.

1.2 "Personal Data" means any information relating to an identified or identifiable natural person processed under the Agreement.

1.3 "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.

1.4 "Data Subject" means the individual to whom Personal Data relates.

1.5 "Sub-processor" means any third party engaged by the Processor to process Personal Data.

1.6 "Agreement" means the underlying service agreement between the Parties.

2. SCOPE AND PURPOSE

2.1 Scope

This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the Agreement.

2.2 Purpose

The Processor shall Process Personal Data only for the purposes specified in Schedule 1.

2.3 Duration

This DPA shall remain in effect for the duration of the Agreement.

3. PROCESSOR OBLIGATIONS

3.1 Processing Instructions

The Processor shall:

(a) Process Personal Data only on documented instructions from the Controller
(b) Inform the Controller if an instruction infringes Data Protection Laws
(c) Not Process Personal Data for any other purpose

3.2 Confidentiality

The Processor shall:

(a) Ensure personnel are bound by confidentiality obligations
(b) Limit access to authorized personnel only
(c) Train personnel on data protection requirements

3.3 Security Measures

The Processor shall implement appropriate technical and organizational measures, including:

(a) Encryption of Personal Data in transit and at rest
(b) Access controls and authentication
(c) Regular security testing and assessments
(d) Incident response procedures
(e) Business continuity measures

Details of security measures are set forth in Schedule 2.

3.4 Sub-processors

The Processor shall:

(a) Not engage Sub-processors without Controller's authorization
(b) Ensure Sub-processors are bound by equivalent obligations
(c) Remain liable for Sub-processor compliance
(d) Maintain a list of Sub-processors (Schedule 3)

3.5 Sub-processor Changes

(a) Controller authorizes the Sub-processors listed in Schedule 3
(b) Processor shall notify Controller of new Sub-processors [30] days in advance
(c) Controller may object to new Sub-processors within [14] days
(d) If objection cannot be resolved, Controller may terminate affected services

3.6 Data Subject Rights

The Processor shall:

(a) Assist Controller in responding to Data Subject requests
(b) Notify Controller of requests received directly
(c) Not respond directly without Controller authorization

3.7 Data Protection Impact Assessments

The Processor shall assist Controller with:

(a) Data protection impact assessments
(b) Prior consultations with supervisory authorities

3.8 Audits

The Processor shall:

(a) Make available information to demonstrate compliance
(b) Allow audits by Controller or authorized auditor
(c) Provide audit reports upon request
(d) Audits require [30] days' notice and reasonable scope

4. CONTROLLER OBLIGATIONS

4.1 Lawful Processing

The Controller shall:

(a) Ensure lawful basis for Processing
(b) Provide required notices to Data Subjects
(c) Obtain necessary consents
(d) Ensure accuracy of Personal Data

4.2 Instructions

The Controller shall:

(a) Provide documented Processing instructions
(b) Ensure instructions comply with Data Protection Laws
(c) Notify Processor of changes to instructions

5. DATA BREACH NOTIFICATION

5.1 Notification

The Processor shall notify the Controller without undue delay (and within [24] hours) upon becoming aware of a Personal Data breach.

5.2 Notification Content

Notification shall include:

(a) Nature of the breach
(b) Categories and number of Data Subjects affected
(c) Categories and number of records affected
(d) Likely consequences
(e) Measures taken or proposed

5.3 Cooperation

The Processor shall:

(a) Assist Controller in investigating the breach
(b) Assist with notifications to authorities and Data Subjects
(c) Take measures to mitigate effects

6. INTERNATIONAL TRANSFERS

6.1 Transfers

Personal Data shall not be transferred outside the EEA unless:

(a) Adequate protection exists (adequacy decision)
(b) Standard Contractual Clauses are in place
(c) Other lawful transfer mechanism applies

6.2 Standard Contractual Clauses

Where required, the Parties agree to the EU Standard Contractual Clauses (Module Two: Controller to Processor) incorporated by reference.

6.3 Additional Safeguards

The Processor shall implement supplementary measures as needed to ensure adequate protection.

7. DATA RETENTION AND DELETION

7.1 Retention

The Processor shall:

(a) Retain Personal Data only as long as necessary
(b) Follow Controller's retention instructions
(c) Not retain Personal Data beyond the Agreement term

7.2 Deletion

Upon termination or request:

(a) Delete or return all Personal Data within [30] days
(b) Delete existing copies unless legally required to retain
(c) Certify deletion upon request

7.3 Exceptions

Processor may retain Personal Data if required by law, provided:

(a) Controller is notified
(b) Data is protected and not actively processed

8. LIABILITY

8.1 Allocation

Each Party is liable for damages caused by its breach of this DPA or Data Protection Laws.

8.2 Limitation

Liability under this DPA is subject to the limitations in the Agreement.

9. GENERAL PROVISIONS

9.1 Governing Law

This DPA is governed by the law specified in the Agreement.

9.2 Precedence

In case of conflict, this DPA prevails over the Agreement regarding data protection matters.

9.3 Amendments

Amendments require written agreement.

9.4 Severability

Invalid provisions shall be modified to be enforceable.

SIGNATURES

CONTROLLER

Signature: _________________________

Name: _________________________

Title: _________________________

Date: _________________________

PROCESSOR (SKYMIRROR KFT.)

Signature: _________________________

Name: _________________________

Title: _________________________

Date: _________________________

SCHEDULE 1: PROCESSING DETAILS

1. Subject Matter and Duration

Item	Description
Subject Matter	[Describe the processing activities]
Duration	Duration of the Agreement
Nature of Processing	[Collection, storage, use, etc.]
Purpose	[Describe purposes]

2. Categories of Data Subjects

Employees of Controller
Customers of Controller
End users of Controller's services
Other: [Specify]

3. Categories of Personal Data

4. Special Categories of Data

No special categories processed
Biometric data for identification
Other: [Specify]

5. Processing Operations

Operation	Description
Collection	[How data is collected]
Storage	[How data is stored]
Use	[How data is used]
Sharing	[With whom data is shared]
Deletion	[How data is deleted]

SCHEDULE 2: SECURITY MEASURES

1. Organizational Measures

Measure	Description
Security Policy	Documented information security policy
Access Control	Role-based access, least privilege
Training	Regular security awareness training
Incident Response	Documented incident response plan
Vendor Management	Security assessment of vendors

2. Technical Measures

Measure	Description
Encryption	AES-256 at rest, TLS 1.3 in transit
Authentication	Multi-factor authentication
Network Security	Firewalls, intrusion detection
Logging	Comprehensive audit logging
Backup	Regular encrypted backups
Vulnerability Management	Regular scanning and patching

3. Physical Measures

Measure	Description
Data Center	SOC 2 certified facilities
Access Control	Badge access, visitor logs
Environmental	Fire suppression, climate control

4. Certifications

Certification	Status
SOC 2 Type II	[Certified / In Progress]
ISO 27001	[Certified / In Progress]
GDPR Compliance	Compliant

SCHEDULE 3: SUB-PROCESSORS

Authorized Sub-processors

Sub-processor	Location	Purpose	Data Processed
Amazon Web Services	EU (Frankfurt)	Cloud hosting	All customer data
Google Cloud Platform	EU	Analytics	Usage data
Stripe	US (SCCs)	Payment processing	Payment data
Intercom	US (SCCs)	Customer support	Contact data
[Other]	[Location]	[Purpose]	[Data]

Sub-processor Requirements

All Sub-processors must:

(a) Be bound by written data protection obligations
(b) Implement appropriate security measures
(c) Process data only as instructed
(d) Allow audits upon request

Notification Process

Processor notifies Controller of new Sub-processor
Controller has [14] days to object
If no objection, Sub-processor is authorized
If objection, Parties discuss resolution
If unresolved, Controller may terminate affected services

SCHEDULE 4: STANDARD CONTRACTUAL CLAUSES

[Reference to EU Standard Contractual Clauses - Module Two: Controller to Processor]

The Parties agree that the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) are incorporated by reference where required for international transfers.

Annex I.A: List of Parties

Data Exporter: Controller
Data Importer: Processor

Annex I.B: Description of Transfer

As described in Schedule 1

Annex I.C: Competent Supervisory Authority

[Hungarian National Authority for Data Protection and Freedom of Information]

Annex II: Technical and Organizational Measures

As described in Schedule 2

Template Version: 1.0
Last Updated: December 2024
Legal Review Required Before Use
GDPR Compliance Required