Data Processing Addendum (DPA)

1. Definitions

For purposes of this DPA, "Controller", "Processor", "Personal Data", and other terms have the meanings given by applicable data protection law.

2. Roles

Where Driftspan processes personal data on behalf of a customer, the customer is the Controller and Driftspan is the Processor.

3. Subject matter and duration

The subject matter, duration, nature and purpose of processing, types of personal data and categories of data subjects are as set out in the underlying customer agreement and this DPA.

4. Instructions and purpose limitation

Driftspan will process personal data only on documented instructions from the Controller, including regarding transfers and subprocessors.

5. Security

Driftspan will implement appropriate technical and organisational measures to protect personal data. Details available on request.

6. Subprocessors

Driftspan may engage subprocessors to provide services. Driftspan will ensure subprocessors are bound by obligations no less protective than this DPA.

7. International transfers

Transfers of personal data outside the UK/EU will be subject to appropriate safeguards (SCCs, adequacy, or equivalent).

8. Data subject requests

Driftspan will assist Controllers in responding to data subject requests to the extent required by law and the agreement.

9. Audit and compliance

Driftspan will make available information necessary to demonstrate compliance and allow audits where appropriate and agreed.

10. Liability

Liability allocation between parties is governed by the underlying customer agreement. Nothing in this DPA reduces mandatory legal rights under applicable law.

Contact

To request the full DPA or discuss subprocessors, contact info@driftspan.co.uk.