Data Processing Agreement
GDPR Article 28-compliant Data Processing Agreement for organizations subject to EU, UK, South African, and Ghanaian data protection regulations.
Important: This is a template DPA. It must be reviewed by your legal counsel and executed by authorized representatives of both parties. This DPA is designed to satisfy GDPR Article 28, UK GDPR, POPIA, and the Ghana Data Protection Act. Contact [email protected] to initiate execution.
Preamble
This Data Processing Agreement ("DPA") is entered into by and between the organization identified in the applicable Order Form ("Controller") and EvanstonTEC LLC, doing business as LIAM Platform ("Processor"), effective as of the date of the last signature below.
This DPA supplements the Terms of Service and any applicable Order Form between the parties. It sets out the terms under which the Processor processes Personal Data on behalf of the Controller in connection with the LIAM platform services.
1. Definitions
"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including: the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"); the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"); the South African Protection of Personal Information Act 4 of 2013 ("POPIA"); the Ghana Data Protection Act, 2012 (Act 843); and any other applicable data protection legislation in the jurisdictions where the Controller operates.
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Services.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission Decision 2021/914.
2. Scope and Purpose of Processing
2.1 Subject Matter
The Processor processes Personal Data on behalf of the Controller to provide cybersecurity monitoring, threat detection, vulnerability management, compliance assessment, and, where applicable, remote patient monitoring services through the LIAM platform.
2.2 Categories of Data Subjects
Data Subjects may include: employees, contractors, and agents of the Controller; users of the Controller's IT systems and networks; individuals whose data appears in security logs and threat intelligence; and, for healthcare deployments, patients and healthcare providers.
2.3 Types of Personal Data
Personal Data processed may include: names, email addresses, and job titles of platform users; IP addresses, device identifiers, and network metadata from security monitoring; authentication credentials and access logs; compliance assessment responses and documentation; and, for healthcare deployments, health data as defined in GDPR Article 9 (special category data).
2.4 Duration
Processing shall continue for the duration of the service agreement. Upon termination, Personal Data shall be returned or deleted in accordance with Section 9 of this DPA.
3. Obligations of the Processor
The Processor shall: (a) process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law; (b) ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (c) implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex II; (d) respect the conditions for engaging Sub-processors as set out in Section 5; (e) assist the Controller in responding to requests from Data Subjects exercising their rights; (f) assist the Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation; (g) at the choice of the Controller, delete or return all Personal Data upon termination of services; and (h) make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits.
4. Security Measures
The Processor implements and maintains the following technical and organizational measures:
Encryption: AES-256 encryption at rest for all databases and file storage; TLS 1.2+ for all data in transit; tenant-specific encryption key management.
Access Control: Role-based access control (RBAC) with super_admin, client_admin, and client_user roles; principle of least privilege; multi-factor authentication; SSO/SAML integration for enterprise identity providers.
Audit Logging: Comprehensive logging of all data access, modifications, and administrative actions; tamper-evident log storage; minimum retention of seven (7) years for compliance logs.
Data Isolation: Multi-tenant architecture with organization-scoped database queries; Cross-Tenant Isolation Proof system providing cryptographic verification of data boundary integrity; logical separation of all tenant data.
Incident Response: Automated threat detection and response; 24-hour breach notification to Controller; documented incident response procedures; regular security drills.
Business Continuity: Automated database backups; disaster recovery procedures; geographic redundancy for critical services.
Personnel: Background checks for all personnel with access to Personal Data; mandatory security awareness training; confidentiality agreements.
5. Sub-processors
The Controller provides general written authorization for the Processor to engage Sub-processors. The Processor shall: (a) maintain a current list of Sub-processors, available at the LIAM platform's trust page or upon request; (b) notify the Controller of any intended changes to Sub-processors at least thirty (30) days in advance; (c) impose data protection obligations on Sub-processors that are no less protective than those in this DPA; and (d) remain fully liable to the Controller for the performance of Sub-processor obligations.
If the Controller objects to a new Sub-processor on reasonable data protection grounds, the parties shall discuss the concern in good faith. If the concern cannot be resolved, the Controller may terminate the affected services without penalty.
Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Simnet.ca | Cloud hosting and PaaS infrastructure | Canada |
| Amazon Web Services | S3 object storage for file and document storage | United States |
| TiDB Cloud | Managed database service | United States |
| SendGrid (Twilio) | Transactional email delivery | United States |
| Sentry | Error monitoring and performance tracking | United States |
| VirusTotal (Google) | Malware and threat intelligence analysis | United States |
6. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests, including requests for access, rectification, erasure, restriction of processing, data portability, and objection. The Processor shall respond to Controller instructions regarding Data Subject requests within ten (10) business days. If a Data Subject contacts the Processor directly, the Processor shall promptly redirect the request to the Controller.
7. International Data Transfers
Where Personal Data is transferred from the EU/EEA/UK to a country that has not received an adequacy decision from the European Commission, the parties agree that the Standard Contractual Clauses (Module Two: Controller to Processor) shall apply. The SCCs are incorporated by reference into this DPA.
For transfers from South Africa, the Processor ensures compliance with POPIA Section 72 by maintaining adequate safeguards, including binding corporate rules or contractual obligations that provide an adequate level of protection.
For transfers from Ghana, the Processor ensures compliance with the Ghana Data Protection Act by obtaining appropriate consent or ensuring adequate safeguards are in place.
8. Data Protection Impact Assessments
The Processor shall provide reasonable assistance to the Controller in conducting data protection impact assessments and prior consultations with supervisory authorities, where required under Applicable Data Protection Law. Such assistance shall be provided at the Controller's expense, except where the assessment is necessitated by the Processor's actions.
9. Data Return and Deletion
Upon termination of the service agreement, the Processor shall, at the Controller's election: (a) return all Personal Data to the Controller in a structured, commonly used, and machine-readable format (JSON or CSV) within thirty (30) days; or (b) securely delete all Personal Data within ninety (90) days and certify such deletion in writing. The Processor may retain Personal Data to the extent required by applicable law, provided that such retention is limited to the minimum necessary and the Personal Data remains subject to the protections of this DPA.
10. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA. Audits may be conducted by the Controller or an independent third-party auditor appointed by the Controller, subject to reasonable confidentiality obligations. The Processor shall provide reasonable cooperation and access to relevant facilities, systems, and personnel. Audits shall be conducted during normal business hours with at least thirty (30) days' prior written notice, and no more than once per year unless a Breach has occurred or a supervisory authority requires an audit.
11. Breach Notification
The Processor shall notify the Controller of any Personal Data Breach without undue delay and in any event within twenty-four (24) hours of becoming aware of the Breach. This notification timeline is stricter than the requirements of GDPR (72 hours) and POPIA (as soon as reasonably possible), giving the Controller the maximum time to respond. The notification shall include: the nature of the Breach, including the categories and approximate number of Data Subjects and records concerned; the likely consequences of the Breach; the measures taken or proposed to address the Breach; and the contact details of the Processor's data protection point of contact.
12. Governing Law
This DPA shall be governed by the laws of the State of Illinois, United States, except where Applicable Data Protection Law requires otherwise. For EU/EEA Data Subjects, the GDPR and applicable member state law shall apply to data protection matters. For UK Data Subjects, the UK GDPR shall apply. For South African Data Subjects, POPIA shall apply. For Ghanaian Data Subjects, the Ghana Data Protection Act shall apply.
13. Contact and Execution
To execute this DPA or for data protection inquiries, please contact:
EvanstonTEC LLC — Data Protection
1452 East 53rd Street, 2nd Floor
Chicago, IL 60615
Email: [email protected]
All subscription plans include DPA execution at no additional cost.
