Draft template

Data Processing Addendum

Proposed controller/processor terms for personal data processed through CatOps.

DRAFT TEMPLATE — NOT LEGAL ADVICE. This document has not been approved by an attorney. It must be reviewed, completed, and approved by qualified counsel before CatOps or any Client signs it or relies on it.

Bracketed fields require a business decision or verified fact. Do not remove this notice or present this document as final until counsel has approved it and CatOps has verified every operational and security statement.

Parties and Scope

This Data Processing Addendum (“DPA”) forms part of the agreement between [Client legal name] (“Client”) and [CatOps legal entity name] (“CatOps”). It applies only when CatOps processes personal data on Client’s behalf as a processor or service provider. Roles and terminology must be adjusted for each applicable privacy law.

Processing Details

  • Subject matter: delivery, security, support, and administration of the subscribed CatOps service.
  • Duration: the subscription plus the approved retention and deletion period.
  • Nature and purpose: hosting, organizing, displaying, transmitting, backing up, troubleshooting, and supporting Client-directed operational data.
  • Data subjects: Client users, personnel, contractors, customers, suppliers, carriers, and other people represented in Client Data.
  • Data categories: business contact, account, authentication, activity, operational, shipping, image, document, and support information submitted by or for Client.
  • Sensitive data: not intended unless expressly agreed in writing with appropriate safeguards.

Client Instructions and Compliance

CatOps will process personal data only on documented Client instructions, including the governing agreement and use of configured features, unless law requires otherwise. Client is responsible for lawful instructions, notices, legal bases, data accuracy, and the rights necessary for CatOps to process the data.

Confidentiality and Security

CatOps will ensure that personnel authorized to process personal data are subject to confidentiality obligations and will maintain the verified safeguards in the final Security Addendum. Security obligations should account for risk, available technology, implementation cost, and the nature and context of processing.

Subprocessors

Client provides [general/specific] authorization for subprocessors listed at [URL or exhibit]. CatOps will impose appropriate data-protection obligations on subprocessors and provide [30] days’ notice of a new subprocessor, subject to a documented objection process. The final list, notice method, and remedy must be completed before execution.

Requests, Assessments, and Assistance

Taking into account the nature of processing, CatOps will reasonably assist Client with verified data-subject requests, security obligations, breach response, impact assessments, and regulator inquiries as required by applicable law. Client remains responsible for responding to requests as controller. Fees for extraordinary assistance should be addressed in the final DPA.

Incidents

CatOps will notify Client of a qualifying personal-data breach without undue delay after confirmation and provide available information reasonably needed for Client’s obligations. Notification does not admit fault or liability. Definitions and timing must align with applicable law and the final Security Addendum.

Return, Deletion, and Audit

At the end of services, CatOps will return or delete personal data as stated in the agreement and Data Retention & Deletion Policy, unless law requires retention. CatOps will make appropriate compliance information available and support a proportionate audit process subject to confidentiality, security, scope, frequency, and cost controls finalized by counsel.

International and U.S. State Terms

Any international transfer mechanism, Standard Contractual Clauses, UK addendum, data-location commitment, U.S. state service-provider restrictions, or jurisdiction-specific annex must be attached only after counsel confirms applicability. The final DPA must include a completed processing exhibit and subprocessor list.