Last Updated: [Date]
IMPORTANT: This is a template Data Processing Agreement for B2B customers. Please review with legal counsel and customize based on your specific services, jurisdiction, and requirements.
This Data Processing Agreement ("DPA") forms part of the Terms of Service or Master Services Agreement (the "Agreement") between:
Data Controller: [Customer Name] ("Controller" or "Customer")
Data Processor: Hopwhistle, Inc. ("Processor" or "Company")
Effective Date: [Date]
1.1. "Agreement" means the Terms of Service or Master Services Agreement between Controller and Processor.
1.2. "Controller" means the entity that determines the purposes and means of processing Personal Data.
1.3. "Processor" means the entity that processes Personal Data on behalf of the Controller.
1.4. "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Processor on behalf of Controller pursuant to or in connection with the Agreement.
1.5. "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
1.6. "Data Subject" means the natural person to whom Personal Data relates.
1.7. "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation).
1.8. "CCPA" means the California Consumer Privacy Act of 2018.
1.9. "Sub-processor" means any third party appointed by Processor to process Personal Data on behalf of Controller.
1.10. "Security Incident" means any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2.1. This DPA applies to all Processing of Personal Data carried out by Processor on behalf of Controller in connection with the Services provided under the Agreement.
2.2. This DPA supplements the Agreement. In case of conflict, this DPA shall prevail with respect to data protection matters.
2.3. The parties acknowledge that Controller is the Controller of Personal Data and Processor is the Processor of such Personal Data.
3.1. Processing Instructions
Processor shall:
Process Personal Data only on documented instructions from Controller
Not process Personal Data for any purpose other than those set forth in the Agreement
Immediately inform Controller if Processor believes any instruction violates applicable data protection laws
3.2. Purpose and Duration
Processor processes Personal Data for the following purposes:
Duration: For the term of the Agreement and as necessary to comply with legal obligations.
3.3. Types of Personal Data
The following categories of Personal Data may be processed:
Contact information (names, phone numbers, email addresses)
Call recordings and transcripts
Call metadata (timestamps, duration, routing information)
Billing and payment information
Account and user credentials
Technical data (IP addresses, device information)
3.4. Categories of Data Subjects
Controller's customers and end users
Controller's employees and contractors
Other individuals whose Personal Data is processed through the Services
4.1. Compliance
Processor shall:
Comply with applicable data protection laws
Implement appropriate technical and organizational measures
Assist Controller in ensuring compliance with Controller's obligations
4.2. Security Measures
Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data, including:
Encryption of data in transit and at rest
Access controls and authentication
Regular security assessments
Incident response procedures
Employee training on data protection
Secure data centers and infrastructure
4.3. Confidentiality
Processor shall ensure that persons authorized to process Personal Data:
Are bound by confidentiality obligations
Process Personal Data only as instructed
Receive appropriate training on data protection
4.4. Assistance to Controller
Processor shall, taking into account the nature of processing:
5.1. Authorization
Controller generally authorizes Processor to engage Sub-processors, provided that:
Processor maintains a list of Sub-processors
Processor provides notice of changes to Sub-processors
Controller has the right to object to new Sub-processors
5.2. Sub-processor Obligations
Processor shall:
Ensure Sub-processors are bound by data protection obligations
Remain fully liable for Sub-processor compliance
Enter into written agreements with Sub-processors
5.3. Current Sub-processors
Processor currently engages the following Sub-processors:
Telephony Infrastructure: SignalWire, Telnyx, Bandwidth
Cloud Hosting: [Cloud Provider]
Payment Processing: [Payment Processor]
Analytics: [Analytics Provider]
Customer Support: [Support Provider]
5.4. Changes to Sub-processors
Processor will notify Controller of any intended changes to Sub-processors. Controller may object within 30 days. If Controller objects and the parties cannot resolve the objection, Controller may terminate the Agreement.
6.1. Assistance
Processor shall assist Controller in responding to Data Subject requests, including:
Access requests
Rectification requests
Erasure requests
Portability requests
Objection requests
Restriction requests
6.2. Response Time
Processor shall respond to Controller's requests for assistance within reasonable timeframes, not to exceed 30 days unless otherwise required by law.
7.1. Notification
Processor shall notify Controller without undue delay after becoming aware of a Security Incident affecting Personal Data.
7.2. Incident Details
Notification shall include:
Nature of the Security Incident
Categories and approximate number of Data Subjects affected
Categories and approximate number of Personal Data records affected
Likely consequences of the Security Incident
Measures taken or proposed to address the Security Incident
7.3. Assistance
Processor shall provide reasonable assistance to Controller in:
8.1. International Transfers
If Processor transfers Personal Data outside the European Economic Area (EEA) or other jurisdictions with data protection laws, Processor shall ensure appropriate safeguards are in place, including:
Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions
Other approved transfer mechanisms
8.2. Transfer Documentation
Processor shall provide Controller with documentation of transfer mechanisms upon request.
9.1. Audit Rights
Controller may:
Request information necessary to demonstrate Processor's compliance
Conduct audits (with reasonable notice and during business hours)
Request third-party audit reports (where available)
9.2. Cooperation
Processor shall cooperate with Controller's audits and provide reasonable assistance.
9.3. Confidentiality
Audit activities shall be conducted in a manner that:
10.1. Retention
Processor shall retain Personal Data only:
For the duration specified in the Agreement
As necessary to provide the Services
As required by applicable law
10.2. Deletion
Upon termination of the Agreement or upon Controller's request, Processor shall:
Delete or return all Personal Data
Delete existing copies unless storage is required by law
Provide written confirmation of deletion
10.3. Retention Exceptions
Processor may retain Personal Data if required by law, provided that:
11.1. Liability
Each party's liability under this DPA shall be subject to the limitations and exclusions set forth in the Agreement.
11.2. Indemnification
Processor shall indemnify Controller against claims, damages, and expenses arising from Processor's breach of this DPA, except to the extent such claims arise from Controller's instructions or Controller's breach of this DPA.
12.1. Term
This DPA shall remain in effect for as long as Processor processes Personal Data on behalf of Controller.
12.2. Termination
This DPA may be terminated:
Upon termination of the Agreement
By either party with 30 days' written notice
Immediately upon material breach
12.3. Survival
Sections 8 (Data Transfers), 9 (Audit), 10 (Data Retention), and 11 (Liability) shall survive termination of this DPA.
13.1. Governing Law
This DPA shall be governed by [Jurisdiction] law, without regard to conflict of law principles.
13.2. Dispute Resolution
Disputes arising under this DPA shall be resolved in accordance with the dispute resolution provisions of the Agreement.
13.3. Modifications
This DPA may only be modified by written agreement signed by both parties.
13.4. Severability
If any provision of this DPA is found to be unenforceable, the remaining provisions shall remain in full force and effect.
13.5. Entire Agreement
This DPA, together with the Agreement, constitutes the entire agreement between the parties regarding data processing.
CONTROLLER:
By: ____________
Name: ____________
Title: ____________
Date: ____________
PROCESSOR:
By: ____________
Name: ____________
Title: ____________
Date: ____________
APPENDIX A: DETAILED PROCESSING INFORMATION
A.1. Nature and Purpose of Processing
A.2. Duration of Processing
A.3. Categories of Data Subjects
A.4. Types of Personal Data
A.5. Security Measures
Note: This is a template document. Please consult with legal counsel to ensure compliance with all applicable laws and regulations, including GDPR, CCPA, and other relevant data protection laws.