Data Processing Agreement (Template)

Please note: A signed copy of this DPA template can be generated in your account's organization settings page. You can download, review, and execute this Data Processing Agreement as needed for your organization's compliance requirements.

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between SimpleSoftware365 - Alexander Duggleby (“Processor”) and the entity agreeing to these terms (“Controller”) for the provision of SimpleBusiness365 services (“Services”).

1. Definitions

In this DPA:

  • “Personal Data” means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller through the Services
  • “Data Protection Laws” means all applicable data protection and privacy laws including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), California Consumer Privacy Act (“CCPA”), and any other applicable laws
  • “Sub-processor” means any third party engaged by Processor to process Personal Data
  • “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data

2. Scope and Roles

2.1 Relationship

The parties acknowledge that:

  • Controller is the data controller of Personal Data
  • Processor is the data processor acting on Controller’s behalf
  • This DPA applies to all Personal Data processed by Processor for Controller

2.2 Controller Obligations

Controller warrants that:

  • It has all necessary rights to provide Personal Data to Processor
  • It has obtained all necessary consents and provided all required notices
  • Its instructions comply with Data Protection Laws

3. Processing Details

3.1 Subject Matter

Processing of Personal Data as necessary to provide the Services pursuant to the Agreement.

3.2 Duration

For the term of the Agreement plus the period until deletion of all Personal Data as described in Section 9.

3.3 Nature and Purpose

To provide productivity tools, email management, CRM, newsletters, websites, blogs, short links, and knowledge base services integrated with Microsoft 365.

3.4 Categories of Personal Data

  • Contact information (names, email addresses)
  • Company information
  • User-generated content within the Services
  • Usage data and analytics
  • Microsoft 365 profile information

3.5 Categories of Data Subjects

  • Controller’s employees and staff
  • Controller’s customers and contacts
  • Other individuals whose data Controller processes using the Services

4. Processor Obligations

4.1 Compliance

Processor shall:

  • Process Personal Data only on documented instructions from Controller
  • Ensure persons authorized to process Personal Data are subject to confidentiality
  • Implement appropriate technical and organizational measures (see Section 5)
  • Not engage Sub-processors without compliance with Section 6
  • Assist Controller with data subject requests (see Section 7)
  • Assist Controller with security, breach notifications, DPIAs, and consultations
  • Delete or return Personal Data as required (see Section 9)
  • Make available information necessary to demonstrate compliance

4.2 Instructions

Processor shall process Personal Data only as necessary to provide the Services unless required by law. If legally required to process beyond Controller’s instructions, Processor shall inform Controller unless prohibited by law.

4.3 Data Protection Officer

Processor’s data protection contact is available at: [email protected]

5. Security Measures

5.1 Technical and Organizational Measures

Processor implements and maintains the following security measures:

Technical Measures:

  • Encryption of data at rest using AES-256
  • Encryption of data in transit using TLS 1.2 minimum
  • Firewalls and network segmentation
  • Web Application Firewall (Azure Front Door)
  • Access controls and authentication via Microsoft SSO
  • Regular security updates and patch management
  • Secure key management using Azure Key Vault

Organizational Measures:

  • Limited access to production systems (CTO and Managing Director only)
  • Confidentiality agreements with all personnel
  • Security training for staff with data access
  • Secure development practices following OWASP guidelines
  • Change management and code review processes
  • Incident response procedures

5.2 Updates

Processor may update security measures provided they do not materially decrease overall security.

6. Sub-processors

6.1 Authorized Sub-processors

Controller consents to Processor’s use of the following Sub-processors:

Sub-processor           Purpose                   Location
Microsoft Azure         Infrastructure hosting    Controller’s selected region
Cloudflare              Website protection        Global
Resend                  Email delivery            United States
Paddle Payments Ltd.    Payment processing        United States/United Kingdom

6.2 New Sub-processors

  • Processor shall notify Controller of intended additions or replacements
  • Controller has 14 days to object to new Sub-processors
  • If Controller reasonably objects, parties shall work to resolve concerns
  • If unresolved, Controller may terminate affected Services

6.3 Sub-processor Requirements

Processor shall:

  • Enter written agreements with Sub-processors imposing equivalent obligations
  • Remain fully liable for Sub-processor performance
  • Ensure appropriate safeguards for international transfers

7. Data Subject Rights

7.1 Assistance

Processor shall assist Controller in responding to data subject requests for:

  • Access to Personal Data
  • Rectification or erasure
  • Data portability
  • Restriction or objection to processing

7.2 Process

  • Processor shall promptly notify Controller of any requests received directly
  • Controller may access and export data through Service functionality
  • Additional assistance available at Controller’s reasonable expense

8. Security Incidents

8.1 Notification

Processor shall notify Controller without undue delay after becoming aware of a Security Incident, providing:

  • Nature of the incident
  • Categories and approximate number of affected records/individuals
  • Likely consequences
  • Measures taken or proposed

8.2 Cooperation

Processor shall:

  • Investigate and remediate Security Incidents
  • Provide reasonable assistance to Controller
  • Maintain records of all Security Incidents

9. Data Deletion and Return

9.1 During Service Term

Controller may delete data through Service functionality at any time.

9.2 Upon Termination

  • Organization deleted within 30 days of termination
  • All Personal Data permanently deleted within additional 30 days (60 days total)
  • Backups purged according to retention schedule
  • Certification of deletion available upon request

9.3 Exceptions

Processor may retain Personal Data as required by law, provided it maintains confidentiality and processes only as legally required.

10. Data Locations and Transfers

10.1 Data Regions

Controller selects data storage region during account creation:

  • North America
  • West Europe
  • Asia Pacific

10.2 International Transfers

For transfers outside the EEA:

  • Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated
  • Additional safeguards implemented as required

10.3 No Unauthorized Movement

Personal Data shall not be moved from selected region without Controller’s consent.

11. Audits and Compliance

11.1 Information

Processor shall make available information necessary to demonstrate compliance with this DPA.

11.2 Audits

  • Controller may conduct audits no more than once annually
  • 30 days written notice required
  • Audits conducted during business hours with minimal disruption
  • Controller bears audit costs unless material non-compliance found

11.3 Third-Party Certifications

Processor may provide third-party audit reports or certifications to satisfy audit requirements.

12. Liability and Indemnification

12.1 Liability Cap

Each party’s liability under this DPA is subject to the limitations in the Agreement.

12.2 Indemnification

Each party shall indemnify the other against regulatory fines or third-party claims resulting from its breach of this DPA.

13. General Provisions

13.1 Governing Law

This DPA is governed by Austrian law.

13.2 Order of Precedence

In case of conflict between this DPA and the Agreement, this DPA prevails for data protection matters.

13.3 Modification

This DPA may only be modified by written agreement of both parties.

13.4 Severability

If any provision is invalid or unenforceable, remaining provisions continue in full effect.


APPENDIX 1: Standard Contractual Clauses

The Standard Contractual Clauses (Module 2: Controller to Processor) pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 are hereby incorporated where required for transfers to third countries without an adequacy decision.

Clause 7 - Docking clause: Not applied
Clause 9 - Use of sub-processors: Option 2 (General written authorization)
Clause 11 - Redress: Option not specified
Clause 17 - Governing law: Austrian law
Clause 18 - Choice of forum: Austrian courts

Annex I - Details of Processing:

  • As specified in Section 3 of this DPA
  • Competent supervisory authority: Austrian Data Protection Authority

Annex II - Technical and Organizational Measures:

  • As specified in Section 5 of this DPA

Contact for data protection matters:
SimpleSoftware365 - Alexander Duggleby
Beatrixgasse 27/1/25
1030 Vienna, Austria
Email: [email protected]