Data Processing Agreement

(Last updated: October 2023)


  1. Data Processor: The entity processing data on behalf of the Data Controller.
  2. Data Controller: The entity responsible for the data being processed.

Software & Security:

  • The Data Processor’s software is covered by a separate license agreement.
  • Data security within the Data Controller’s environment is the Controller’s responsibility.

Customer Responsibility:

  • The Data Controller (customer) is responsible for ensuring that any data inputted into the service is compliant with all applicable laws and regulations.

Information Exchange:

  • The Data Processor must inform the Data Controller of any data breaches or if any action violates GDPR or other applicable laws.


  • The Data Processor can request additional fees for special compliance requirements like external audits.


  • Data is processed using Microsoft SaaS, PaaS and IaaS.
    • Any other sub-processors must be approved by the Data Controller.

Compliance & Audits:

  • The Data Processor must allow for audits by the Data Controller or relevant authorities.

Term and Termination:

  • The agreement stands if the Data Processor is handling data, even if the main contract has expired.
  • Upon termination, all personal data must either be returned to the Data Controller or deleted, unless legally required to be stored.

Other Provisions:

  • The Data Processor is bound to fulfill the agreement even if circumstances make it more difficult.
  • Changes can be made to the agreement to stay compliant with applicable laws.


  • If any term is unenforceable, the rest of the agreement remains in effect.