Data Processing Agreement
Last updated: [DATE]
PLACEHOLDER: A DPA is a binding contract — have counsel draft yours for the data protection regimes your customers operate under (GDPR, UK GDPR, CCPA, etc.). This skeleton lists the sections customers expect to find.
1. Parties and roles
Define who is the controller (your customer) and who is the processor (you), and how this DPA relates to your Terms of Service.
2. Subject matter and duration
Describe the processing the service performs, the categories of data subjects and personal data involved, and how long processing lasts.
3. Processor obligations
Commit to processing only on documented instructions, confidentiality for personnel, and assistance with data subject requests.
4. Security measures
Reference your technical and organizational measures: encryption, access control, tenant isolation, backups, and incident response.
5. Sub-processing
Authorize the sub-processors listed at /legal/sub-processors and describe how customers are notified of changes.
6. International transfers
Identify transfer mechanisms (adequacy decisions, SCCs) for any cross-border processing.
7. Breach notification
Commit to notifying customers of personal data breaches without undue delay, with the details they need for their own obligations.
8. Deletion and return
Explain what happens to customer data at termination: export options, deletion timelines, and backup expiry.
9. Audit rights
Describe the audit information you make available and the process for customer audits where required by law.
Contact
To execute a DPA: legal@mcp.agentic-accounting.com