Our standard DPA - clear, fair, ready to sign.

A Data Processing Agreement (DPA) is required whenever Deburise processes personal data on behalf of a client. It defines our respective roles, the scope of processing, the security measures we apply, and the rights both parties have.

Our standard DPA is designed to satisfy the requirements of GDPR Article 28, the UK Data Protection Act, India's DPDP Act, Brazil's LGPD, and analogous laws in other jurisdictions. Where international data transfers are involved, the DPA incorporates the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum as applicable.

Under the DPA, the roles are typically:

• Client (Controller): Determines the purposes and means of processing. Decides what personal data is provided to Deburise, the purposes it's used for, and how long it's retained. Responsible for the lawful basis of the underlying processing.
• Deburise (Processor): Processes personal data only on the controller's documented instructions, as set out in the SOW and DPA. Applies the security measures described, assists with data subject rights requests, and maintains processing records.

For situations where Deburise determines purposes (e.g. our own marketing operations on our prospect lists), we act as a controller and our standard Privacy Policy governs.

The Annex of each DPA specifies, for the particular engagement:

• Subject matter of the processing (e.g. building an AI customer support agent).
• Duration of the processing (typically the term of the SOW plus any agreed retention period).
• Nature and purpose of the processing (e.g. classification, summarisation, response drafting).
• Categories of personal data (e.g. customer names, email addresses, order history).
• Categories of data subjects (e.g. controller's customers or employees).
• Any special-category data involved, with corresponding extra safeguards.

Deburise relies on a small list of trusted sub-processors (cloud infrastructure, AI model providers, communications platforms). The DPA includes:

• The current list of sub-processors, with their purpose and location.
• Our commitment to flow down equivalent data-protection obligations to every sub-processor.
• 30-day advance notice before adding a new sub-processor, with your right to object on reasonable grounds.
• Liability for sub-processor acts and omissions remains with Deburise.

The DPA references our detailed Security Practices page, which describes the technical and organisational measures we apply. Where your engagement requires additional or sector-specific measures (e.g. HIPAA, PCI-DSS scope), we document those in the DPA Annex.

When the DPA involves a transfer of personal data from the EEA, UK, or other jurisdictions with cross-border restrictions to a country without an adequacy decision:

• The DPA incorporates the European Commission's Standard Contractual Clauses (SCCs), Module Two (controller-to-processor), with the relevant docking clauses.
• For UK transfers, the UK International Data Transfer Addendum (IDTA) supplements the SCCs.
• We complete a Transfer Impact Assessment (TIA) for each transfer destination and apply supplementary measures (e.g. additional encryption, jurisdictional access controls) where the TIA indicates risk.

When a data subject exercises rights (access, deletion, rectification, etc.) against you as controller, we assist as required by law. The DPA specifies:

• Our commitment to provide reasonable assistance within agreed timeframes.
• The format and channels through which you can request our assistance.
• The cost (typically free for standard requests; cost-recovery for unreasonably burdensome ones).
• Our right to refuse requests that conflict with applicable law or court order.

We notify you of any personal data breach affecting your data without undue delay and in any case within 24 hours of becoming aware. The notification includes:

• Nature and likely categories of the breach.
• Categories and approximate number of data subjects and records affected.
• Likely consequences and the measures we've taken or will take.
• Name and contact details of our DPO for follow-up.

We support you in fulfilling your own regulatory notification obligations (e.g. 72-hour notice to supervisory authorities under GDPR).

On termination of the engagement, or earlier on your written request, Deburise will (at your choice):

• Return all personal data to you in an agreed format, and/or
• Delete all copies of personal data from our production systems and backups within 30 days, with written confirmation on completion.

We may retain limited data where required by law (e.g. tax records), with the retention period, scope, and protective measures documented and the data isolated from active use.

The DPA grants you the right to audit Deburise's compliance with the agreement, exercised through any of:

• Completion of standard security questionnaires (e.g. SIG, CAIQ).
• Provision of available third-party audit reports (e.g. SOC 2, penetration test summaries) under NDA.
• On-site or remote audit of our facilities and systems, with reasonable advance notice (typically 30 days), at your cost.

We agree to provide all information reasonably necessary to demonstrate compliance and to contribute to audits or inspections.

To execute our DPA for your engagement:

1. Email legal@deburise.com with your engagement details - we'll send the latest pre-signed version within one business day.
2. Complete the Annex with engagement-specific details (data categories, purposes, sub-processor approval, etc.).
3. Sign electronically. We accept DocuSign, Adobe Sign, and equivalents.

Custom redlines welcome - we'll respond promptly to reasonable changes. For clients with their own DPA template, we'll review it against our requirements and align on a mutually acceptable version.