Data Processing Agreement (DPA)

Last updated: 2/5/2026

This Data Processing Agreement ("DPA") is incorporated into and forms part of the XYZGent Master Services Agreement or Terms of Service (the "Agreement") between XYZGent Inc. ("Processor") and the Customer ("Controller").

1. Definitions

"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data and privacy that may exist in any relevant jurisdiction, including, without limitation, the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); the Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; the California Consumer Privacy Act ("CCPA"); and any legislation or regulation implementing or made pursuant to such laws.

"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that is processed by Processor on behalf of Controller in connection with the Services.

"Sub-processor" means any third party appointed by or on behalf of Processor to process Personal Data in connection with the Services.

2. Details of Processing

  • Subject Matter: The subject matter of the data processing under this DPA is the Customer Data.
  • Duration: As between XYZGent and Customer, the duration of the data processing under this DPA is determined by the Agreement.
  • Nature and Purpose: Assisting Customer with the organization and management of its workflows and business processes through the XYZGent platform.
  • Categories of Data Subjects: Customer's employees, contractors, end-users, or other individuals whose data is submitted to the Service.
  • Types of Personal Data: Name, email address, contact information, IP address, and any other Personal Data provided by Customer.

3. Processing of Personal Data

3.1. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and XYZGent is the Processor.

3.2. Controller Instructions. Processor shall process Personal Data only in accordance with Controller's documented instructions, including as set forth in this DPA and the Agreement, unless required to do so by applicable law.

3.3. Confidentiality. Processor shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data and have received appropriate training on their responsibilities.

4. Security Measures

Processor shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected.

Security Controls Include:

  • Encryption of data in transit and at rest.
  • Role-based access control (RBAC) and strong authentication mechanisms.
  • Regular vulnerability scanning and penetration testing.
  • Business continuity and disaster recovery planning.
  • Physical security measures for data centers (provided by AWS/GCP).

5. Sub-processors

5.1. Authorization. Controller generally authorizes Processor to engage Sub-processors to process Personal Data on Controller's behalf.

5.2. List of Sub-processors. Processor manages a list of current Sub-processors. Processor shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to process Personal Data in connection with the Services.

5.3. Liability. Processor shall be liable for the acts and omissions of its Sub-processors to the same extent Processor would be liable if performing the services of each Sub-processor directly under the terms of this DPA.

6. Data Subject Rights

Taking into account the nature of the processing, Processor shall assist Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to a request from a Data Subject to exercise their rights under Data Protection Laws.

7. Personal Data Breaches

Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach. Processor shall make reasonable efforts to identify the cause of such Personal Data Breach and take such steps as Processor deems necessary and reasonable in order to remediate the cause of such a Personal Data Breach to the extent the remediation is within Processor's reasonable control.

8. Deletion or Return of Data

Upon termination or expiration of the Agreement, Processor shall (at Controller's election) delete or return all Personal Data to Controller, except to the extent that Processor is required by applicable law to retain some or all of the Personal Data.

9. International Transfers

To the extent that Personal Data is transferred from the EEA, UK, or Switzerland to countries that do not ensure an adequate level of data protection within the meaning of Data Protection Laws, the parties agree that the Standard Contractual Clauses (SCCs) will apply.

10. Contact

For any inquiries regarding this Data Processing Agreement, please contact our Data Protection Officer at: