Data Processing Agreement (DPA)
This Agreement is entered into between: Staynium.com, incorporated in India ("Processor"), and [Customer Name], the entity subscribing to the Processor’s services ("Controller").
1. Definitions
- Data Subject: An individual whose data is processed (e.g., end-users of Controller).
- Personal Data: Any information relating to an identified or identifiable natural person (GDPR Article 4(1)).
- Subprocessor: Any third party engaged by Processor to carry out part of the processing on Controller's behalf (e.g., AWS, Stripe).
2. Scope & Purpose
- Processor shall process Personal Data only to provide the SaaS services outlined in the Master Service Agreement (MSA).
- Processor shall process Personal Data only on documented instructions from Controller (GDPR Article 28(3)(a)), including with regard to international transfers.
3. Processor Obligations
- Compliance: Comply with the GDPR, the CCPA (where it applies to the Controller's data), and other applicable data protection laws.
- Security Measures:
  - Encryption: AES-256 for data at rest; TLS 1.2 or later for data in transit.
  - Access controls: role-based permissions and multi-factor authentication (MFA).
  - Annual penetration testing.
- Breach Notification: Inform Controller without undue delay after becoming aware of a Personal Data breach, and in any event within 72 hours (GDPR Article 33(2)). Note that 72 hours is also the Controller's own deadline for notifying the supervisory authority under Article 33(1), counted from when the Controller becomes aware; a Controller that needs time to assess and report should negotiate a shorter Processor deadline.
4. Controller Obligations
- Lawful Basis: Ensure data collection complies with GDPR (e.g., consent or legitimate interest).
- Instructions: Provide clear, lawful processing instructions.
5. Subprocessors
- Approval: Controller gives general authorisation for the Subprocessors listed in Appendix A (GDPR Article 28(2)).
- Changes: Processor shall notify Controller at least 30 days before engaging or replacing a Subprocessor, giving Controller the opportunity to object (GDPR Article 28(2)).
6. International Transfers
If Personal Data is transferred outside the EU/EEA, Processor shall rely on an adequacy decision under GDPR Article 45 or put in place Standard Contractual Clauses (SCCs) under Article 46. India is not covered by an adequacy decision, so transfers to Processor itself must also be covered by SCCs or another Article 46 safeguard.
7. Data Subject Rights
Processor shall assist Controller in fulfilling Data Subject requests for access, rectification, erasure, restriction of processing, and data portability (GDPR Articles 15–20).
8. Audit Rights
Controller may audit Processor’s compliance once per year, with 30 days’ notice.
9. Termination & Data Return
- Upon termination of the services, Processor shall, at Controller's choice, delete or return all Personal Data and delete existing copies, unless applicable law requires continued storage (GDPR Article 28(3)(g)).
- Processor shall provide written confirmation of deletion.
10. Governing Law
This DPA is governed by the laws of [Jurisdiction, e.g., Ireland for EU].
Appendix A: Subprocessor List
| Subprocessor | Purpose | Location |
|---|---|---|
| AWS | Cloud hosting | USA (SCCs) |
| Stripe | Payments | USA (SCCs) |
| SendGrid | Transactional emails | USA (SCCs) |
Appendix B: Security Measures
- Technical: Firewalls, intrusion detection, DDoS protection.
- Organizational: Employee training, confidentiality agreements.
