Data Processing Agreement

GDPR Article 28 Compliant
GDPR Compliance: This Data Processing Agreement complies with Article 28 of the GDPR and ensures proper protection of personal data in our processing activities.
Data Controller:

[Client Organization Name]

[Client Address]

[Client Contact Email]

Data Processor:

InfoSecHCC

[Processor Address]

privacy@infosechcc.com

DPO: privacy@infosechcc.com


Agreement Date: May 9, 2026
Effective Date: [Start Date of Service]


1. Definitions

For the purposes of this Agreement:

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data
  • "Data Controller" means the entity determining the purposes and means of Processing
  • "Data Processor" means the entity Processing Personal Data on behalf of the Controller
  • "Data Subject" means the individual to whom Personal Data relates
  • "Subprocessor" means any third party engaged by the Processor for Processing
  • "GDPR" means Regulation (EU) 2016/679

2. Purpose and Scope of Processing

The Processor shall Process Personal Data only for the following purposes:

  1. Conducting cybersecurity awareness training and phishing simulations
  2. Analyzing training effectiveness and generating reports
  3. Maintaining platform security and preventing unauthorized access
  4. Complying with legal obligations and regulatory requirements
  5. Improving service quality and user experience

The Processor shall not Process Personal Data for any other purpose without the Controller's prior written consent.

3. Categories of Personal Data

The Processor may Process the following categories of Personal Data:

3.1 Employee Data

  • Name, email address, phone number
  • Job title, department, location
  • Training participation history
  • Performance metrics (anonymized)

3.2 Technical Data

  • IP addresses and device information
  • Login timestamps and session data
  • Campaign interaction data
  • System logs and error reports

3.3 Sensitive Data

The Processor shall not Process special categories of Personal Data (GDPR Article 9) without explicit consent and appropriate safeguards.

4. Data Subject Rights

The Processor shall assist the Controller in fulfilling Data Subject rights under GDPR Articles 15-22:

  • Right of Access: Provide information about Processing activities
  • Right to Rectification: Correct inaccurate Personal Data
  • Right to Erasure: Delete Personal Data when required
  • Right to Restrict Processing: Limit Processing in certain circumstances
  • Right to Data Portability: Provide data in machine-readable format
  • Right to Object: Object to Processing based on legitimate interests

The Processor shall respond to Data Subject requests within the timeframes specified by GDPR.

5. Processor Obligations

The Processor undertakes to:

  1. Process Personal Data only on documented instructions from the Controller
  2. Ensure that persons authorized to Process Personal Data are committed to confidentiality
  3. Implement appropriate technical and organizational measures for data protection
  4. Assist the Controller in ensuring compliance with GDPR obligations
  5. Immediately inform the Controller of any breaches or security incidents
  6. Delete or return Personal Data at the end of the service relationship
  7. Maintain records of Processing activities

6. Security Measures

The Processor shall implement and maintain appropriate technical and organizational security measures:

6.1 Technical Measures

  • Encryption of data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security updates and patch management
  • Intrusion detection and prevention systems
  • Regular backups and disaster recovery procedures

6.2 Organizational Measures

  • Staff training on data protection and security
  • Access restriction policies
  • Incident response procedures
  • Regular security audits and assessments
  • Physical security controls for data centers

7. Subprocessing

The Processor may engage Subprocessors with the Controller's prior written consent. The Processor shall:

  1. Maintain an up-to-date list of Subprocessors
  2. Provide the Controller with the opportunity to object to new Subprocessors
  3. Impose data protection obligations on Subprocessors equivalent to this Agreement
  4. Remain liable for Subprocessor compliance

7.1 Authorized Subprocessors

Subprocessor          Processing Purpose               Location
Amazon Web Services   Cloud hosting and storage        EU/US
PostgreSQL            Database management              Controller's infrastructure
Redis Labs            Caching and session management   EU
Twilio/SNS            SMS delivery                     US/EU

8. International Data Transfers

When transferring Personal Data outside the EEA, the Processor shall ensure that the transfer relies on one of the following mechanisms:

  • Adequacy decisions by the European Commission
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs)
  • Other appropriate safeguards approved by supervisory authorities

The Processor shall provide copies of transfer mechanisms upon Controller's request.

9. Data Breach Notification

Upon becoming aware of a Personal Data breach, the Processor shall:

  1. Notify the Controller without undue delay (within 24 hours)
  2. Provide detailed information about the breach
  3. Take appropriate measures to mitigate the breach
  4. Cooperate with the Controller in notifying supervisory authorities if required
  5. Document all breaches and response measures

Notification shall include: nature of breach, categories of data affected, likely consequences, and mitigation measures.

10. Audits and Inspections

The Controller shall have the right to audit the Processor's compliance with this Agreement:

  • Upon reasonable notice and during normal business hours
  • At the Controller's expense (unless breach is identified)
  • Subject to confidentiality obligations
  • Limited to data protection and security matters

The Processor shall provide audit reports and certifications annually.

11. Termination

Upon termination of the main service agreement:

  1. The Processor shall cease Processing Personal Data
  2. Delete or return all Personal Data within 30 days
  3. Provide written confirmation of data deletion
  4. Delete all copies unless retention is required by law

The Processor may retain data only if required for legal compliance or dispute resolution.

12. Liability and Indemnification

Each party shall be liable for damages caused by its breach of this Agreement. The Processor's liability shall not exceed the fees paid under the main agreement in the preceding 12 months.

The Processor shall indemnify the Controller for breaches caused by the Processor's negligence or willful misconduct.

13. Governing Law

This Agreement shall be governed by the laws of [Jurisdiction], without regard to conflict of law principles. Any disputes shall be resolved in the courts of [Jurisdiction].

14. Amendments

This Agreement may be amended by mutual written consent. The Processor may update security measures or the Subprocessor list with 30 days' notice, provided the changes do not materially reduce protection levels.

Agreement Acceptance

Data Controller
Data Processor

This Data Processing Agreement complies with GDPR Article 28 requirements

Last updated: May 9, 2026 | InfoSecHCC Data Protection
