This Data Processing Addendum (“DPA”) forms part of the agreement between the customer (“Controller”) and the software provider (“Processor”) and governs the processing of personal data in connection with the use of the software and related services.
This DPA applies where personal data is processed in the context of customer-controlled deployments and is intended to ensure compliance with applicable data protection and privacy laws.
For the purposes of this DPA:
The customer acts as the Controller and determines the purposes, scope, and lawful basis of personal data processing.
The software provider acts as a Processor only to the extent that personal data is processed for license management, authentication, support, or secure operation of the software.
The software is deployed under a Self-Hosted / On-Premise model. All operational data, logs, monitoring records, and user activity data remain within the customer’s own infrastructure.
Processing activities are limited to what is strictly necessary to provide the licensed software functionality, including:
The Processor does not independently determine how personal data is used and does not process data for its own purposes.
The Processor shall process personal data only on documented instructions from the Controller, unless otherwise required by applicable law.
The Controller is responsible for ensuring that its instructions comply with data protection laws and that appropriate legal bases for processing exist.
Appropriate technical and organizational measures are implemented to protect personal data against unauthorized access, loss, alteration, or disclosure.
Actual security effectiveness depends on customer-defined configurations, network security, access controls, and internal policies.
Persons authorized to process personal data are subject to confidentiality obligations and are permitted to process data only as necessary to perform their duties.
The Processor does not engage sub-processors for customer operational data stored within customer environments.
Where third-party services are used for support or infrastructure purposes, such services are limited in scope and subject to appropriate contractual safeguards.
The Processor does not independently respond to data subject requests.
The Controller is responsible for handling requests related to access, rectification, erasure, restriction, or objection. The Processor shall provide reasonable assistance where required by law.
The Processor does not actively monitor customer-controlled environments and may not be able to detect security incidents within customer systems.
Where a personal data breach affecting Processor-controlled data is identified, the Processor shall notify the Controller without undue delay.
Personal data is retained only for as long as necessary to fulfill the purposes described in this DPA.
Upon termination of the agreement, personal data processed by the Processor shall be deleted or anonymized, unless retention is required by law.
The Controller may conduct audits to verify compliance with this DPA, provided such audits do not compromise security or confidentiality and are subject to reasonable notice.
Audit activities relate only to Processor-controlled processing and do not extend to customer environments.
The Processor does not transfer customer operational data to external systems as part of normal operation.
Any international data transfers initiated by the Controller remain the responsibility of the Controller.
Each party shall be liable for damages arising from its own breach of this DPA or applicable data protection laws.
This DPA remains in effect for the duration of the underlying agreement and automatically terminates upon its expiration or termination.
In the event of a conflict between this DPA and other agreements, this DPA shall prevail with respect to personal data processing.
This DPA is provided for informational purposes and does not constitute legal advice.