
Data Protection Agreement (EXAMPLE)

This Data Protection Agreement (“Agreement” or “DPA”) is entered into by and between:

(1) [Customer Name], with registered office at [Customer Address] (“Controller”),
and
(2) Eyre AI Limited, trading as European Compliance Suite, with registered office at 19 Lake Court, Medway Drive, Tunbridge Wells TN12FH Kent, United Kingdom (“Processor”).

Together, the “Parties”.

This Agreement forms part of the Main Service Agreement between the Parties and sets out the Parties’ obligations with respect to the processing of personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR).


1. Purpose and Scope

1.1 This DPA governs the Processor’s processing of personal data on behalf of the Controller in connection with the services provided under the Main Service Agreement.

1.2 The nature, purpose, and duration of processing, along with the types of personal data and categories of data subjects, are described in Annex I.


2. Roles and Responsibilities

2.1 The Controller determines the purposes and means of the processing of personal data.

2.2 The Processor shall only process personal data on documented instructions from the Controller, unless required to do so by EU or Member State law.


3. Obligations of the Processor

The Processor agrees to:

  • Process personal data only on the Controller’s documented instructions

  • Ensure confidentiality of persons authorized to process personal data

  • Implement appropriate technical and organizational security measures

  • Assist the Controller in fulfilling its obligations under GDPR Articles 32–36

  • Notify the Controller without undue delay after becoming aware of a personal data breach

  • Make available all information necessary to demonstrate compliance with this DPA

  • Cooperate with audits, inspections, or assessments initiated by the Controller or its delegates


4. Security Measures

4.1 The Processor shall implement appropriate security measures as required by Article 32 of the GDPR, including:

  • Encryption of data in transit and at rest

  • Role-based access controls

  • Logging and monitoring of data access

  • Secure hosting in EU-based data centers

Details are described in Annex II.


5. Subprocessing

5.1 The Processor shall not engage any subprocessor without the prior written authorization of the Controller.

5.2 The current list of authorized subprocessors is provided in Annex III.

5.3 The Processor shall ensure that all subprocessors are contractually bound to obligations no less protective than those in this DPA.


6. International Transfers

6.1 The Processor shall not transfer personal data outside the European Economic Area (EEA) without:

  • The Controller’s written consent, and

  • An appropriate legal mechanism under Chapter V of the GDPR (e.g., Standard Contractual Clauses)


7. Data Subject Rights

7.1 The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests, including:

  • Access

  • Rectification

  • Erasure

  • Restriction

  • Data portability

  • Objection

7.2 The Processor shall not respond to data subject requests directly unless authorized by the Controller.


8. Personal Data Breach Notification

8.1 The Processor shall notify the Controller without undue delay and no later than 48 hours after becoming aware of a personal data breach.

8.2 The notification will include, at a minimum:

  • Nature of the breach

  • Categories and number of data subjects affected

  • Likely consequences

  • Mitigation steps taken or planned


9. Return or Deletion of Data

Upon termination or expiration of the Main Service Agreement, the Processor shall:

  • Return all personal data to the Controller, or

  • Delete all personal data securely,

unless EU law requires continued storage.


10. Liability and Indemnity

Each Party shall be liable for its respective acts or omissions under this Agreement in accordance with applicable law and the Main Service Agreement.


11. Term and Termination

This DPA remains in effect as long as the Processor processes personal data on behalf of the Controller.


12. Governing Law and Jurisdiction

This Agreement is governed by the laws of [Insert Country].
Disputes shall be submitted to the exclusive jurisdiction of the courts of [Insert City].


13. Signatures

For the Controller
Company: ___________________________
Name: _____________________________
Title: _____________________________
Date: _____________________________
Signature: __________________________


For the Processor (European Compliance Suite)
Company: ___________________________
Name: _____________________________
Title: _____________________________
Date: _____________________________
Signature: __________________________


Annex I: Processing Details

  • Purpose of Processing: Documentation, summarisation, redaction, audit logging

  • Categories of Data Subjects: Employees, clients, meeting participants

  • Types of Personal Data: Names, contact info, recorded speech, chat transcripts, metadata

  • Special Categories: Only when explicitly provided and consented to

  • Retention Period: Defined by the Controller or 30 days post-termination


Annex II: Security Measures

  • TLS 1.3 encryption for all data in transit

  • AES-256 encryption for data at rest

  • EU-based ISO 27001-certified data centers

  • Immutable audit logs

  • Two-factor authentication

  • Principle of least privilege enforced for access


Annex III: Authorized Subprocessors

  1. IONOS – EU-based cloud infrastructure provider

  2. Sentry – EU-based performance monitoring

  3. P-Cloud – Encrypted backups stored within the EU

A full and up-to-date list is available upon request or via our Trust Center.
