Data Processing Agreement — template for client review

The standard DPA we sign alongside our MSA whenever RG INSYS LLP processes personal data on behalf of a client. Aligned to GDPR / UK GDPR Article 28. Published here so your legal team can review before any call.

How this works. This is our standard DPA template. We sign it as standard alongside our MSA when RG INSYS LLP processes personal data on behalf of a client (GDPR / UK GDPR Article 28). For clients with their own DPA template, we are happy to negotiate from yours instead. This page is provided so your legal and security teams can review the substance before the first call. The legally binding version is signed alongside the MSA — contact legal@rginsys.com for a Word or PDF copy ready for negotiation.

1. Definitions

In this Data Processing Agreement ("DPA"), unless the context otherwise requires:

  • "Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data — in this DPA, the Client.
  • "Processor" means the natural or legal person which Processes Personal Data on behalf of the Controller — in this DPA, RG INSYS LLP.
  • "Sub-processor" means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.
  • "Personal Data" has the meaning given in Article 4(1) of the GDPR / UK GDPR and includes any equivalent definition under applicable Data Protection Laws.
  • "Processing" has the meaning given in Article 4(2) of the GDPR / UK GDPR.
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
  • "Standard Contractual Clauses" or "SCCs" means the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914), as applicable to international transfers from the EEA.
  • "IDTA" means the International Data Transfer Agreement issued by the UK Information Commissioner, as applicable to international transfers from the United Kingdom.
  • "MSA" means the Master Services Agreement entered into between the Controller and the Processor, of which this DPA forms part.

2. Scope and subject matter

This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the services provided under the MSA (the "Services"). The subject matter of the Processing is the provision of those Services. This DPA forms an integral part of the MSA. In the event of any conflict between this DPA and the MSA in relation to the Processing of Personal Data, this DPA shall prevail.

3. Duration

This DPA is coterminous with the MSA. It enters into force on the same date as the MSA and remains in force for as long as the Processor Processes Personal Data on behalf of the Controller under the MSA, plus any applicable retention period required for the Processor to comply with its obligations on termination (see Section 12).

4. Nature and purpose of processing

The Processor Processes Personal Data solely for the purpose of providing the Services described in the MSA. Typical processing activities include: software development, hosting and infrastructure support, maintenance, debugging, technical support, and the operation of any application built or operated by the Processor on behalf of the Controller. The Processor will not Process Personal Data for any other purpose, including any of its own purposes, without prior written instructions from the Controller.

5. Categories of data subjects

The categories of Data Subjects whose Personal Data may be Processed under this DPA include, as applicable to the Services and the Controller's business:

  • The Controller's customers, end users, and members of the public who interact with the Controller's applications;
  • The Controller's employees, contractors, and prospective employees, where the Services involve internal systems;
  • The Controller's suppliers, partners, and counterparties, where the Services involve relationship-management systems;
  • Any other category of Data Subject specified in Annex 1.

6. Categories of personal data

The categories of Personal Data Processed under this DPA will be limited to what is necessary for the Services and will typically include:

  • Identifiers: name, email address, telephone number, account username, user ID;
  • Contact and account metadata: company, role, address, account creation date, last login;
  • Technical identifiers: IP address, device identifiers, browser metadata, session tokens;
  • Usage data: logs of actions taken in the Controller's application, audit trails;
  • Any further category of Personal Data specified in Annex 1.

Special categories of Personal Data (Article 9 GDPR) and Personal Data relating to criminal convictions and offences (Article 10 GDPR) will only be Processed where this is necessary for the Services and where the Controller has given prior written instructions identifying the category and the appropriate safeguards.

7. Processor obligations

The Processor shall:

  • (a) Process only on documented instructions. Process Personal Data only on the Controller's documented instructions, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by EU, UK, or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
  • (b) Confidentiality. Ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • (c) Security measures. Take all measures required pursuant to Article 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. A current description of these technical and organisational measures is set out in Annex 2 and on our Security page.
  • (d) Sub-processor authorisation. Comply with the conditions for engaging another Processor set out in Section 8.
  • (e) Assistance with Data Subject rights. Taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR / UK GDPR (DSARs, right to rectification, erasure, restriction, portability, objection).
  • (f) Assistance with security, breach, and DPIA obligations. Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR / UK GDPR, taking into account the nature of the Processing and the information available to the Processor. The Processor shall notify the Controller without undue delay and in any event within 72 hours after becoming aware of a Personal Data Breach affecting the Controller's Personal Data, providing at minimum the information required by Article 33(3) GDPR / UK GDPR.
  • (g) Deletion or return. At the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to Processing, and delete existing copies unless EU, UK, or Member State law requires storage of the Personal Data.
  • (h) Information and audits. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR / UK GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to Section 10.

8. Sub-processors

The Controller grants the Processor general written authorisation to engage Sub-processors for the provision of the Services, subject to this Section 8. The current list of authorised Sub-processors is published on our Security page and is incorporated into this DPA as Annex 3.

The Processor shall:

  • Impose on each Sub-processor, by way of a written contract, data protection obligations that are no less onerous than those set out in this DPA and that meet the requirements of Article 28(4) GDPR / UK GDPR;
  • Remain fully liable to the Controller for the performance of each Sub-processor's obligations;
  • Give the Controller at least 30 days' prior written notice (typically by email to the contact on the MSA and by an update to the Security page) of any intended addition or replacement of a Sub-processor;
  • Grant the Controller the right to object to such an addition or replacement on reasonable data-protection grounds during that 30-day notice period. If the parties cannot reach agreement, the Controller may terminate the affected Services on written notice without penalty.

9. International transfers

The Processor is established in India. The Controller acknowledges that the provision of the Services will involve transfers of Personal Data to India and may involve transfers to Sub-processors located outside the European Economic Area, the United Kingdom, and other jurisdictions with applicable Data Protection Laws.

Where Personal Data is transferred from the EEA to a third country that has not been the subject of an adequacy decision under Article 45 GDPR, the parties enter into the Standard Contractual Clauses, Module Two (controller-to-processor), as adopted in Commission Decision 2021/914. The SCCs are incorporated into this DPA by reference and the choices required under Clauses 7 (docking clause), 9 (sub-processor authorisation: general), 11 (independent dispute resolution: not selected), 17 (governing law) and 18 (forum) shall be as set out in Annex 1 of this DPA.

Where Personal Data is transferred from the United Kingdom to a third country that has not been the subject of an adequacy regulation, the parties enter into the International Data Transfer Agreement (IDTA), or alternatively the EU SCCs together with the UK Addendum issued by the Information Commissioner.

The Processor implements supplementary technical and organisational measures designed to ensure a level of protection essentially equivalent to that within the EEA / UK, including end-to-end encryption in transit (TLS 1.2 or higher), encryption at rest (AES-256), strict access controls, comprehensive logging, and a published policy for responding to government access requests. These measures are described in Annex 2.

10. Audit rights

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and in Article 28 GDPR / UK GDPR. To facilitate this, the Processor:

  • Will respond promptly to written security and privacy questionnaires from the Controller (no more than once per year unless there has been a Personal Data Breach affecting the Controller, a material change to the Sub-processor list, or a regulator request);
  • Will, on reasonable written notice and no more than once per calendar year, participate in an annual desk audit conducted remotely by the Controller or its appointed third-party auditor under appropriate confidentiality obligations;
  • Will permit, where reasonable and necessary (for example, in response to a Personal Data Breach or a substantiated regulator concern), an on-site audit at the Controller's cost, on at least 30 business days' prior written notice, conducted during normal business hours, subject to reasonable security and confidentiality conditions, and limited to documentation and personnel directly relevant to the Processing of the Controller's Personal Data.

11. Liability

The liability of each party arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the MSA. Nothing in this DPA limits or excludes any liability that cannot be limited or excluded under applicable law, including liability under Article 82 GDPR / UK GDPR.

12. Termination, return and deletion

On termination of the MSA for any reason, the Processor shall, at the Controller's choice:

  • Return to the Controller all Personal Data Processed on its behalf, in a structured, commonly used, machine-readable format; or
  • Securely delete all such Personal Data, including all copies held by the Processor and any Sub-processor.

Return or deletion shall be completed within 30 days of termination unless otherwise agreed in writing, and the Processor shall provide a written certificate of return or deletion on request. The Processor may retain Personal Data to the extent and for the period required by EU, UK, or Member State law, in which case the Processor shall ensure the continued confidentiality of the Personal Data and shall not actively Process it further.

Annex 1 — Description of processing

The specific details of the Processing under this DPA are set out in the applicable Statement of Work or order form under the MSA. By default, the description of Processing is as follows:

  • Subject matter: Provision of the Services under the MSA.
  • Duration: The duration of the MSA, plus any retention period required by law.
  • Nature and purpose: Software development, hosting, maintenance, technical support, and the operation of the application(s) built or supported under the MSA.
  • Type of personal data: As set out in Section 6 above.
  • Categories of data subjects: As set out in Section 5 above.
  • Frequency of transfer: Continuous, for the duration of the Services.
  • Choices under the SCCs: Clause 7 (docking) — applicable; Clause 9 — general written authorisation (30 days' notice); Clause 11 — independent dispute resolution not selected; Clause 17 — governing law of England and Wales; Clause 18 — courts of England and Wales (unless otherwise specified in the MSA).

Annex 2 — Technical and organisational measures

The technical and organisational measures implemented by the Processor are described in detail on our Security page and are summarised below:

  • Encryption: AES-256 at rest, TLS 1.2 or higher in transit, with HSTS and modern cipher suites.
  • Access control: Role-based access control with least-privilege defaults; mandatory MFA for all engineer and admin accounts; SSO with the Controller's identity provider where supported.
  • Endpoint security: Managed laptops with full-disk encryption, EDR, automatic patching, and lockout policies.
  • Network security: Production environments segmented from development; VPN and bastion-host access for administrative actions; firewall rules denied by default.
  • Logging and monitoring: Comprehensive audit logs of access and administrative actions, retained for a minimum of 12 months; alerting on anomalies.
  • Application security: SAST (Semgrep), dependency scanning (Snyk), container scanning (Trivy), secret scanning (gitleaks) on every commit.
  • Backups and recovery: Encrypted, geographically separated backups; documented recovery procedures, tested at least annually.
  • Personnel: Background checks for engineering hires; mandatory annual security and privacy training; confidentiality obligations in employment contracts.
  • Incident response: Documented incident-response plan; Personal Data Breach notification to the Controller within 72 hours of awareness.
  • Vendor management: Sub-processors are reviewed for security and privacy posture before engagement and at least annually thereafter.

The current, authoritative description of these measures is published on our Security page and is updated as our controls evolve.

Annex 3 — Sub-processor list

The current list of authorised Sub-processors is maintained on our Security page and is updated in accordance with Section 8. Each entry on that list identifies the Sub-processor, the location of Processing, the purpose of Processing, and the safeguards in place. By signing this DPA, the Controller authorises the Sub-processors listed at the time of signature; future additions or replacements follow the 30-day notice and objection procedure described in Section 8.

Want a copy to negotiate from? This template is provided for review purposes. The legally binding version is signed alongside the MSA. Contact legal@rginsys.com for a Word or PDF copy ready for negotiation, including a redline against your own template if you would prefer to negotiate from yours.