Data Processing Agreement

Version 1.0 — Effective Date: [DATE] — Last Updated: [DATE]

Need a signed copy? Download the PDF version for execution.

Download PDF

This Data Processing Agreement ("DPA") forms part of the agreement for services ("Principal Agreement") between:

Controller The entity identified in the Principal Agreement that determines the purposes and means of processing Personal Data ("Customer" or "Controller")
Processor Daom Limited, trading as Communi (NZBN: [NZBN]), a company registered in New Zealand ("Communi" or "Processor")

Together referred to as the "Parties" and each a "Party".

This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and, where applicable, the UK GDPR and the New Zealand Privacy Act 2020. It applies to the Processor's processing of Personal Data on behalf of the Controller under the Principal Agreement.

1. Definitions

In this DPA, unless the context requires otherwise:

  1. "Applicable Data Protection Law" means the GDPR, the UK GDPR (as retained by the Data Protection Act 2018), the New Zealand Privacy Act 2020, and any other data protection legislation applicable to the processing of Personal Data under this DPA.
  2. "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
  3. "Personal Data" means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller under the Principal Agreement.
  4. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
  5. "Processing" (and its derivatives) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  6. "Sub-processor" means any third party appointed by the Processor (or by any Sub-processor of the Processor) to process Personal Data on behalf of the Controller.
  7. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission Decision (EU) 2021/914, as may be amended or replaced.
  8. "Technical and Organisational Measures" or "TOMs" means the security measures described in Annex 2 to this DPA.

Terms not defined in this DPA have the meanings given to them in Applicable Data Protection Law or the Principal Agreement.

2. Scope and Details of Processing

2.1 Details of Processing

The details of the processing carried out under this DPA are set out in Annex 1 and include:

  1. the subject matter and duration of processing;
  2. the nature and purpose of processing;
  3. the types of Personal Data processed; and
  4. the categories of Data Subjects.

2.2 Roles

The Customer is the Controller. Communi is the Processor. Each Party shall comply with its obligations under Applicable Data Protection Law in respect of its role.

3. Controller's Instructions

  1. The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by applicable law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.
  2. The Controller's initial instructions are set out in the Principal Agreement and this DPA. The Controller may issue additional or amended instructions in writing, provided such instructions are consistent with the terms of the Principal Agreement.
  3. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law. The Processor shall not be required to assess the legality of instructions but shall raise any evident concerns.

4. Confidentiality

  1. The Processor shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  2. The Processor shall not disclose Personal Data to any third party except as required by the Controller's instructions, this DPA, or applicable law.

5. Security — Technical and Organisational Measures

  1. The Processor shall implement and maintain the Technical and Organisational Measures described in Annex 2, taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of Data Subjects.
  2. The Processor shall regularly assess the adequacy of its TOMs and update them as necessary to maintain an appropriate level of security.
  3. The Controller acknowledges that the TOMs are subject to technical progress and development, and that the Processor may update or modify them from time to time, provided that such updates do not materially decrease the overall level of protection.

6. Sub-processors

  1. The Controller provides general written authorisation for the Processor to engage Sub-processors, subject to the conditions in this Section 6.
  2. The current list of Sub-processors is set out in Annex 3. The Processor shall make the current list available to the Controller upon request.
  3. Notification of changes. The Processor shall notify the Controller of any intended addition or replacement of a Sub-processor at least 30 days in advance, providing the Controller with an opportunity to object.
  4. Right to object. If the Controller objects to a new or replacement Sub-processor on reasonable data protection grounds, the Parties shall discuss the concern in good faith. If the Parties cannot reach resolution within 30 days of the objection, the Controller may terminate the affected portion of the Principal Agreement without penalty.
  5. Flow-down obligations. The Processor shall impose on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of its Sub-processors' obligations.

7. Assistance with Data Subject Rights

  1. Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights under Chapter III of the GDPR (including rights of access, rectification, erasure, restriction, portability, and objection).
  2. If the Processor receives a request from a Data Subject directly, the Processor shall promptly notify the Controller and shall not respond to the request itself unless authorised to do so by the Controller.

8. Personal Data Breach Notification

  1. The Processor shall notify the Controller without undue delay and in any event within 48 hours after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.
  2. The notification shall include, to the extent available:
    1. a description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected;
    2. the likely consequences of the breach;
    3. the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects; and
    4. the name and contact details of the Processor's point of contact for further information.
  3. The Processor shall cooperate with and assist the Controller in complying with its breach notification obligations under Articles 33 and 34 of the GDPR.

9. Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller with data protection impact assessments and prior consultations with supervisory authorities (Articles 35 and 36 of the GDPR), taking into account the nature of the processing and the information available to the Processor.

10. International Data Transfers

  1. The Processor shall not transfer Personal Data to a country outside the European Economic Area ("EEA") or the United Kingdom unless:
    1. the transfer is to a country that has been determined by the European Commission (or the UK Secretary of State, as applicable) to provide an adequate level of data protection;
    2. appropriate safeguards have been implemented in accordance with Article 46 of the GDPR, including the Standard Contractual Clauses; or
    3. a derogation under Article 49 of the GDPR applies.
  2. Where the Standard Contractual Clauses are relied upon, the Parties agree that the SCCs approved by Commission Implementing Decision (EU) 2021/914 are incorporated by reference into this DPA, with the Controller as "data exporter" and the Processor as "data importer" (Module Two: Controller to Processor).
  3. The Processor shall inform the Controller of the location(s) where Personal Data is processed and stored, and of any changes to those locations.

11. Audit Rights

  1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with its obligations under Article 28 of the GDPR and this DPA.
  2. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, subject to:
    1. reasonable advance written notice of at least 30 days (except in the case of an audit required by a supervisory authority or following a Personal Data Breach, where notice shall be given as soon as reasonably practicable);
    2. audits being conducted during normal business hours and in a manner that minimises disruption to the Processor's operations;
    3. the Controller bearing the costs of the audit, unless the audit reveals material non-compliance by the Processor; and
    4. the auditor being bound by appropriate confidentiality obligations.
  3. Where the Processor holds a valid and current certification (such as ISO 27001 or SOC 2 Type II), the Processor may offer the relevant audit reports or certifications to satisfy the Controller's audit rights. The Controller may nonetheless exercise its inspection rights where it has reasonable grounds to believe a further audit is necessary.

12. Deletion or Return of Personal Data

  1. Upon termination or expiry of the Principal Agreement, or upon the Controller's earlier written request, the Processor shall, at the Controller's election:
    1. return all Personal Data to the Controller in a commonly used, machine-readable format; or
    2. delete all Personal Data and certify such deletion in writing,
    unless applicable law requires retention of the Personal Data.
  2. The Processor shall complete the return or deletion within 30 days of the relevant request or event, unless a different period is agreed in writing.
  3. The Processor shall ensure that its Sub-processors comply with the same deletion or return obligations.

13. Liability

  1. Each Party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement, except that nothing in this DPA limits either Party's liability for breaches of Applicable Data Protection Law to Data Subjects.
  2. The Processor shall indemnify and hold harmless the Controller against all claims, damages, losses, costs, and expenses arising from the Processor's breach of this DPA or Applicable Data Protection Law, to the extent caused by the Processor's acts or omissions (including those of its Sub-processors).

14. Term and Termination

  1. This DPA commences on the date of last signature below and shall remain in force for the duration of the Principal Agreement.
  2. The obligations of the Processor under Sections 4, 5, 8, 11, and 12 shall survive termination of this DPA to the extent necessary to give effect to them.

15. General Provisions

  1. Conflict. In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to the processing of Personal Data.
  2. Amendments. This DPA may only be amended in writing signed by both Parties.
  3. Governing law. This DPA shall be governed by and construed in accordance with the laws specified in the Principal Agreement, without prejudice to the mandatory provisions of Applicable Data Protection Law.
  4. Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
  5. Entire agreement. This DPA, together with the Principal Agreement and its Annexes, constitutes the entire agreement between the Parties in respect of the processing of Personal Data.

Signatures

This DPA has been executed by the duly authorised representatives of each Party.

Controller

Signature

Name

Title

Date

Processor — Daom Limited (t/a Communi)

Signature

Name

Title

Date

Annex 1 — Details of Processing

Subject matter Provision of the Communi platform and related services as described in the Principal Agreement.
Duration For the term of the Principal Agreement plus the period required for deletion or return of Personal Data under Section 12.
Nature and purpose Processing of Personal Data as necessary to provide the Communi platform, including: hosting community content; managing user accounts and authentication; delivering notifications and communications; generating analytics and reporting; processing payments; and providing customer support.
Types of Personal Data
  • Identity data (name, username, profile photo)
  • Contact data (email address, phone number)
  • Account data (login credentials, account preferences)
  • Usage data (activity logs, feature usage, IP addresses)
  • Content data (posts, comments, messages, uploaded files)
  • Payment data (billing address, transaction records — card details are processed by the payment Sub-processor and not stored by Communi)
  • Device and technical data (browser type, operating system, device identifiers)
Categories of Data Subjects
  • End users of the Controller's community on the Communi platform
  • The Controller's employees, contractors, and administrators
Special categories of data None anticipated. The Controller shall not submit special category data to the Communi platform unless expressly agreed in writing.

Annex 2 — Technical and Organisational Measures

The Processor implements and maintains the following measures to protect Personal Data. These measures are reviewed and updated periodically.

A. Encryption and Data Protection

B. Access Control

C. Infrastructure and Network Security

D. Availability and Resilience

E. Incident Response

F. Personnel Security

G. Data Minimisation and Pseudonymisation

Annex 3 — Sub-processors

The following Sub-processors are authorised by the Controller as of the Effective Date. The Processor shall update this list in accordance with Section 6.

Sub-processor Purpose Location
DigitalOcean, LLC Cloud infrastructure and data hosting United States
Stripe, Inc. Payment processing United States
PayPal Holdings, Inc. Payment processing United States
Kit (formerly ConvertKit), Inc. Email marketing and transactional email delivery United States

The Controller will be notified of any changes to this list in accordance with Section 6.3.