Data Processing Agreement

Last updated: [DATE]

PLACEHOLDER: A DPA is a binding contract — have counsel draft yours for the data protection regimes your customers operate under (GDPR, UK GDPR, CCPA, etc.). This skeleton lists the sections customers expect to find.

1. Parties and roles

Define who is the controller (your customer) and who is the processor (you), and how this DPA relates to your Terms of Service.

2. Subject matter and duration

Describe the processing the service performs, the categories of data subjects and personal data involved, and how long processing lasts.

3. Processor obligations

Commit to processing only on documented instructions, confidentiality for personnel, and assistance with data subject requests.

4. Security measures

Reference your technical and organizational measures: encryption, access control, tenant isolation, backups, and incident response.

5. Sub-processing

Authorize the sub-processors listed at /legal/sub-processors and describe how customers are notified of changes.

6. International transfers

Identify transfer mechanisms (adequacy decisions, SCCs) for any cross-border processing.

7. Breach notification

Commit to notifying customers of personal data breaches without undue delay, with the details they need for their own obligations.

8. Deletion and return

Explain what happens to customer data at termination: export options, deletion timelines, and backup expiry.

9. Audit rights

Describe the audit information you make available and the process for customer audits where required by law.

Contact

To execute a DPA: legal@mcp.agentic-accounting.com