Data Processing Addendum (DPA)

This DPA forms part of the applicable customer agreement for Decalyst services when we process personal data on behalf of a customer.

If there is a conflict between this DPA and the main agreement, this DPA controls for data protection matters.

Customer is the controller (or business) and [legal-entity-name] is the processor (or service provider), except where [legal-entity-name] acts as an independent controller for account, billing, security, or legal-compliance operations.

Processing subject matter, duration, categories of data, and data subjects are described in [dpa-appendix-a-link].

We process personal data only on documented instructions from the customer unless required by law.

Customer authorizes use of subprocessors listed at /legal/subprocessors.

We provide notice of material subprocessor changes at least [subprocessor-notice-days] days before onboarding where required by contract.

We implement technical and organizational measures appropriate to risk, as described at [security-measures-reference].

Taking into account the nature of processing, we assist customers in responding to data subject requests using available technical and organizational measures.

We notify customers of confirmed personal data breaches without undue delay, and provide available information needed for legal notification duties.

Where required, transfers rely on SCCs or equivalent legal mechanisms defined at [transfer-mechanism-reference].

Audit rights, frequency limits, confidentiality terms, and cost allocation are governed by [audit-rights-reference].

At termination, data return and deletion follow the agreement, customer instructions, and legal retention obligations.