Draft — pending legal review
Data Processing Addendum
- Effective:
- [EFFECTIVE_DATE]
- Last updated:
- [LAST_UPDATED_DATE]
This DPA template supplements an approved service agreement when Invex processes personal data for an enterprise.
This addendum requires execution or valid electronic acceptance where applicable. It is not effective merely because this draft page is available.
1. Roles and scope
The enterprise acts as controller or data fiduciary and Invex acts as processor or data processor for covered business data, except where each party independently determines its own processing purposes under applicable law.
2. Documented instructions and confidentiality
Invex will process covered data only on documented lawful instructions, including those necessary to provide the service, and will inform the enterprise where an instruction appears unlawful when permitted. Personnel with access must be subject to appropriate confidentiality duties.
3. Security measures
Invex will maintain proportionate technical and organisational measures addressing access control, authentication, encryption where appropriate, resilience, backup, vulnerability management, logging and secure development. Final measures are listed in Annex 2.
4. Subprocessors
The approved subprocessor list, notice process and objection mechanism are [SUBPROCESSOR_TERMS]. Invex will impose materially appropriate data-protection obligations on subprocessors.
5. Incidents and data-subject requests
Invex will notify the enterprise of a confirmed covered personal-data incident without undue delay and within [INCIDENT_NOTIFICATION_TERM], providing available information and reasonable cooperation. Invex will reasonably assist with verified data-subject requests where the enterprise cannot respond through service controls.
6. International transfers and audit information
The transfer locations and approved safeguards are [INTERNATIONAL_TRANSFER_MECHANISM]. Invex will provide information reasonably necessary to demonstrate compliance and support audits under [AUDIT_TERMS], subject to confidentiality, security and frequency limits.
7. Return and deletion
At the enterprise’s choice and subject to applicable law, covered data will be returned or deleted after service termination according to [RETURN_AND_DELETION_PERIOD], including the applicable backup-deletion cycle.
8. Annex 1 — Processing details
- Subject matter and duration: [PROCESSING_SUBJECT_AND_DURATION]
- Nature and purposes: [PROCESSING_NATURE_AND_PURPOSES]
- Data subjects: [DATA_SUBJECT_CATEGORIES]
- Personal-data categories: [PERSONAL_DATA_CATEGORIES]
- Special data and restrictions: [SPECIAL_DATA_DETAILS]
9. Annex 2 — Security measures
- [ACCESS_CONTROL_MEASURES]
- [ENCRYPTION_MEASURES]
- [RESILIENCE_AND_BACKUP_MEASURES]
- [SECURE_DEVELOPMENT_AND_TESTING_MEASURES]
- [INCIDENT_RESPONSE_MEASURES]