Effective Date: April 05, 2025
This Data Processing Agreement (“Agreement”) is made between:
LegiTee (the “Data Controller”)
and
[Insert Name of Data Processor] (the “Processor”)
This Agreement governs the processing of personal data by the Processor on behalf of the Controller in accordance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and any other applicable data protection laws. The Processor agrees to process personal data solely for the purposes defined by the Controller.
– “Personal Data”: Any information relating to an identified or identifiable natural person.
– “Processing”: Any operation performed on personal data, including collection, use, disclosure, or deletion.
– “Data Controller”: The entity determining the purposes and means of data processing.
– “Data Processor”: The entity processing data on behalf of the Controller.
– “Sub-Processor”: A third party engaged by the Processor to process personal data.
The Controller is responsible for the lawfulness of the data processing instructions. The Processor shall:
– Only process personal data on documented instructions from the Controller.
– Not use personal data for its own purposes.
– Ensure that persons authorized to process the data are bound by confidentiality.
The Processor may process the following types of personal data:
– Contact information (e.g., name, address, phone number, email)
– Transactional data (e.g., orders, payment history)
– Technical data (e.g., IP address, browser type)
– Behavioral data (e.g., website usage, interaction with emails)
The personal data processed concerns the following categories of data subjects:
– Customers and potential customers
– Website users and visitors
– Newsletter subscribers
The Processor shall only process personal data for the following purposes:
– Order fulfillment and customer support
– Payment processing
– Marketing communications (when permitted)
– Hosting, maintenance, and infrastructure support
The Processor shall assist the Controller in fulfilling obligations related to data subject rights, including:
– Right of access, rectification, and erasure
– Right to restriction and objection
– Right to data portability
– Right not to be subject to automated decision-making
The Processor shall not engage any Sub-Processor without prior written authorization from the Controller. The Processor shall ensure any Sub-Processor is contractually bound to equivalent data protection obligations.
The Processor shall implement appropriate safeguards, including:
– Encryption of data in transit and at rest
– Multi-factor authentication and access controls
– Regular vulnerability scans and risk assessments
– Secure data backups and incident response protocols
In the event of a personal data breach, the Processor shall notify the Controller without undue delay and include:
– The nature of the breach
– Categories and number of data subjects affected
– Probable consequences and remedial actions taken
Where personal data is transferred outside the EEA or UK, the Processor shall ensure adequate protection using:
– Standard Contractual Clauses (SCCs)
– Binding Corporate Rules (BCRs)
– Approved certification mechanisms
Upon request or contract termination, the Processor shall:
– Return all personal data to the Controller, or
– Delete all personal data, unless retention is legally required
The Processor shall confirm deletion in writing upon request.
The Processor shall ensure confidentiality of personal data by all persons authorized to process the data, and maintain these obligations after the termination of this Agreement.
The Controller may audit the Processor’s compliance with this Agreement with at least 10 business days’ notice. The Processor shall provide reasonable access and documentation. Audits shall not unreasonably interfere with normal operations.
The Processor shall be liable for damages caused by its own data processing breaches. Each party agrees to indemnify the other for losses resulting from its violation of applicable data protection laws.
This Agreement is effective as of the date stated above and shall continue as long as the Processor processes personal data on behalf of the Controller. Either party may terminate this Agreement with written notice.
This Agreement shall be governed by and interpreted in accordance with the laws of Texas, United States. Any disputes shall be resolved exclusively in the courts of Travis County, Texas.
This Agreement constitutes the entire agreement between the parties concerning the processing of personal data and supersedes any prior agreements or understandings.
IN WITNESS WHEREOF, the parties have executed this Data Processing Agreement as of the Effective Date: