Skip to legal content
Invex
Back to home

Draft — pending legal review

Data Processing Addendum

Effective:
[EFFECTIVE_DATE]
Last updated:
[LAST_UPDATED_DATE]

This DPA template supplements an approved service agreement when Invex processes personal data for an enterprise.

This addendum requires execution or valid electronic acceptance where applicable. It is not effective merely because this draft page is available.

1. Roles and scope

The enterprise acts as controller or data fiduciary and Invex acts as processor or data processor for covered business data, except where each party independently determines its own processing purposes under applicable law.

2. Documented instructions and confidentiality

Invex will process covered data only on documented lawful instructions, including those necessary to provide the service, and will inform the enterprise where an instruction appears unlawful when permitted. Personnel with access must be subject to appropriate confidentiality duties.

3. Security measures

Invex will maintain proportionate technical and organisational measures addressing access control, authentication, encryption where appropriate, resilience, backup, vulnerability management, logging and secure development. Final measures are listed in Annex 2.

4. Subprocessors

The approved subprocessor list, notice process and objection mechanism are [SUBPROCESSOR_TERMS]. Invex will impose materially appropriate data-protection obligations on subprocessors.

5. Incidents and data-subject requests

Invex will notify the enterprise of a confirmed covered personal-data incident without undue delay and within [INCIDENT_NOTIFICATION_TERM], providing available information and reasonable cooperation. Invex will reasonably assist with verified data-subject requests where the enterprise cannot respond through service controls.

6. International transfers and audit information

The transfer locations and approved safeguards are [INTERNATIONAL_TRANSFER_MECHANISM]. Invex will provide information reasonably necessary to demonstrate compliance and support audits under [AUDIT_TERMS], subject to confidentiality, security and frequency limits.

7. Return and deletion

At the enterprise’s choice and subject to applicable law, covered data will be returned or deleted after service termination according to [RETURN_AND_DELETION_PERIOD], including the applicable backup-deletion cycle.

8. Annex 1 — Processing details

  • Subject matter and duration: [PROCESSING_SUBJECT_AND_DURATION]
  • Nature and purposes: [PROCESSING_NATURE_AND_PURPOSES]
  • Data subjects: [DATA_SUBJECT_CATEGORIES]
  • Personal-data categories: [PERSONAL_DATA_CATEGORIES]
  • Special data and restrictions: [SPECIAL_DATA_DETAILS]

9. Annex 2 — Security measures

  • [ACCESS_CONTROL_MEASURES]
  • [ENCRYPTION_MEASURES]
  • [RESILIENCE_AND_BACKUP_MEASURES]
  • [SECURE_DEVELOPMENT_AND_TESTING_MEASURES]
  • [INCIDENT_RESPONSE_MEASURES]