Data Processing Addendum (DPA)
Version: 1.0
Effective Date: January 1, 2025
Last Updated: August 27, 2025
This Data Processing Addendum (“DPA”) forms part of the Agreement between:
– “Controller” (Customer): [Insert legal name, address]
– Data Sleek, LLC (“Processor”), a California limited liability company, with its principal place of business at Los Angeles, CA.
Capitalised terms not defined in this DPA have the meanings set forth in the Agreement.
1. Subject Matter and Duration
1.1 This DPA governs Processor’s processing of Personal Data on behalf of Controller in connection with the Services under the Agreement.
1.2 Processing will continue for the duration of the Agreement unless otherwise required by law.
2. Definitions
– “Applicable Data Protection Laws” means all data protection and privacy laws applicable to the processing, including GDPR and CCPA/CPRA.
– “Personal Data,” “Data Subject,” “Controller,” “Processor,” “Processing,” and “Supervisory Authority” have the meanings given in GDPR.
– “Sell,” “Share,” and “Service Provider” have the meanings given in CCPA/CPRA.
3. Roles and Scope of Processing
3.1 Controller instructs Processor to process Personal Data solely to provide the Services, as further described in Annex I.
3.2 Processor shall process Personal Data only on documented instructions from Controller, including with respect to transfers, subject to Applicable Data Protection Laws.
3.3 Controller is responsible for the lawfulness of Personal Data and the means by which Controller acquired it.
4. Security
4.1 Processor shall implement appropriate technical and organisational measures to protect Personal Data, considering the state of the art, costs, and the nature, scope, context, and purposes of processing (see Annex II for a description of measures).
4.2 Processor shall ensure persons authorised to process Personal Data are bound by confidentiality obligations.
5. Subprocessing
5.1 Controller authorises Processor to engage subprocessors listed at: Subprocessors.
5.2 Processor shall impose data protection terms on subprocessors that are no less protective than those in this DPA.
5.3 Processor will notify Controller of changes to subprocessors and provide an opportunity to object where required by the Agreement.
6. International Transfers
6.1 Where Processor transfers Personal Data outside the EEA/UK to a country without an adequacy decision, Processor will ensure appropriate safeguards, such as the EU/UK Standard Contractual Clauses (“SCCs”).
6.2 Processor will provide copies of the SCCs upon request, redacted as necessary.
7. Assistance and Data Subject Requests
7.1 Processor shall assist Controller in fulfilling its obligations to respond to Data Subject requests.
7.2 Processor shall notify Controller without undue delay of any request received directly and shall not respond except on Controller’s documented instructions.
8. Audits and Compliance
8.1 Processor shall make available information necessary to demonstrate compliance with this DPA and allow for audits by Controller or a mutually agreed independent auditor, subject to reasonable notice, confidentiality, and frequency limits.
8.2 Processor may satisfy audit obligations via third‑party reports (e.g., SOC 2), security whitepapers, or questionnaire responses.
9. Incident Notification
9.1 Processor shall notify Controller without undue delay upon becoming aware of a Personal Data Breach affecting Personal Data processed on Controller’s behalf, providing information reasonably available to assist Controller in meeting any reporting obligations.
10. Return or Deletion
10.1 Upon termination or expiry of the Services, Processor shall, at Controller’s choice, delete or return Personal Data and delete existing copies, unless retention is required by law.
10.2 Deletion shall be performed within a reasonable period aligned with retention policies.
11. Liability and Indemnity
11.1 Liability under this DPA shall be governed by the limitations and exclusions of liability in the Agreement.
11.2 Nothing in this DPA limits either party’s liability for breaches of Applicable Data Protection Laws to the extent such limitation is not permitted by law.
12. CCPA/CPRA Service Provider Terms
12.1 Processor will not Sell or Share Personal Information, or combine Personal Information with other data except as permitted by law and necessary to provide the Services.
12.2 Processor shall comply with applicable obligations under CPRA and shall provide the same level of privacy protection as required by Controller.
13. Miscellaneous
13.1 In case of conflict, the terms of this DPA prevail over the Agreement with respect to data protection.
13.2 This DPA may be executed in counterparts and via electronic signatures.
————————————————————————
Annex I – Description of Processing
– Categories of Data Subjects: Controller’s customers, prospects, website visitors, personnel as applicable.
– Categories of Personal Data: Identity data, contact data, technical and usage data, and any other data supplied by Controller.
– Special Categories: Not intended, but may occur incidentally; if so, Controller ensures a lawful basis.
– Purpose of Processing: Provision of the Services, support, analytics, and security.
– Nature of Processing: Collection, storage, organisation, retrieval, use, disclosure by transmission (as configured by Controller), and erasure.
– Duration: For the term of the Agreement and as otherwise required by law.
Annex II – Technical and Organisational Measures (TOMs)
– Access control: RBAC, unique credentials, MFA where supported, periodic reviews
– Encryption: TLS 1.2+ in transit, platform-managed encryption at rest
– Logging and monitoring: Centralised logging, alerting for key events
– Vulnerability management: Regular scanning, patching cadence, change control
– Backup and recovery: Regular backups, periodic restore tests
– Development security: Code reviews, dependency scanning, SDLC practices
– Vendor management: Security due diligence, contractual protections
– Incident response: Documented plan, roles, post‑incident reviews
– Physical security: Data centre controls provided by hosting providers
Annex III – Subprocessors
See current list at: Subprocessors
Signatures
Controller: _______________________
Name/Title: _______________________
Date: _______________________
Data Sleek, LLC: _______________________
Name/Title: _______________________
Date: _______________________