This DPA governs how GDPR Compliance Hub processes personal data on your behalf as your Data Processor, as required by EU Regulation 2016/679.
| Role | Party | Legal basis |
|---|---|---|
| Data Controller | The subscribing organisation (Customer) as identified in the account registration | GDPR Art. 4(7) — determines purposes & means |
| Data Processor | [YOUR LEGAL COMPANY NAME] W.L.L., [Office Address, Area], Manama, Kingdom of Bahrain; CR No. [BAHRAIN CR NUMBER]; trading as GDPR Compliance Hub | GDPR Art. 4(8) — processes on Controller's behalf |
| EU Representative (Art. 27) | [EU REPRESENTATIVE NAME], [EU Rep Address, Country], eu-rep@gdprcompliancehub.com | GDPR Art. 27 — designated representative for EU/EEA data subjects |
This DPA forms part of the Master Services Agreement / Terms of Service between the parties and supersedes any prior data processing terms relating to the Service.
"Agreement" means these terms together with the Terms of Service and any applicable Order Form.
"Personal Data" means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller under this DPA.
"Processing" has the meaning given in GDPR Article 4(2), including collection, storage, retrieval, use, disclosure, alteration, and deletion.
"GDPR" means EU Regulation 2016/679 and any applicable national implementing legislation, including the UK GDPR where relevant.
"Service" means the GDPR Compliance Hub SaaS platform, including all modules: DSAR workbench, consent management, breach register, data inventory, risk register, audit programme, policy library, and associated features.
"Sub-processor" means any third party engaged by Processor to process Personal Data in connection with the Service.
"Data Subject" means the natural person to whom Personal Data relates.
Processor provides a cloud-based GDPR compliance management platform. Controller uses the Service to manage its own compliance obligations, including processing personal data relating to its own customers, employees, and website visitors.
This DPA remains in force for the duration of the Agreement and until all Personal Data is returned or deleted in accordance with Section 10 below.
| Module | Personal data processed |
|---|---|
| DSAR Workbench | Name, email, address, ID documents, free-text request content, response correspondence |
| Consent Records | IP address (pseudonymised), consent choice, timestamp, browser user-agent, cookie identifiers, page URL |
| Breach Register | Categories of affected data subjects, approximate numbers, nature of data, breach description |
| Data Inventory / ROPA | Employee names, roles, data categories, processing purposes, third-party processor details |
| Risk & DPIA Register | Data flow descriptions, risk owner names, assessment narrative |
| Audit Programme | Auditor names, findings, action owner names, evidence files |
| User / Seat Management | Work email, full name, job title, department, role assignments |
Controller may upload special-category data (Article 9 GDPR) as part of breach records or DSAR responses. Processor does not intentionally seek or use special-category data for any purpose other than storing and displaying it to Controller's authorised users. Controller is responsible for ensuring a valid Article 9 legal basis before entering such data.
Processor shall process Personal Data only on documented instructions from Controller. The instructions are set out in this DPA and in Controller's use of the Service features. Processor shall immediately inform Controller if an instruction infringes applicable data protection law.
Processor shall ensure that all personnel authorised to process Personal Data are subject to appropriate confidentiality obligations.
Processor shall implement technical and organisational measures appropriate to the risk, as detailed in Section 8 of this DPA and in the Security Measures section of the Privacy Notice.
Processor shall only engage Sub-processors as listed in Section 7 of this DPA, and shall impose equivalent data protection obligations on each Sub-processor.
Processor shall assist Controller, by appropriate technical and organisational measures, in fulfilling Controller's obligation to respond to Data Subject requests. The platform provides built-in tools for DSAR export, consent withdrawal, and data deletion.
Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller in ensuring compliance with security, breach notification, DPIA, and consultation obligations under Articles 32–36 GDPR.
At Controller's choice, Processor shall delete or return all Personal Data at the end of the Agreement as set out in Section 10.
Processor shall make available all information necessary to demonstrate compliance with GDPR Article 28, and shall allow for and contribute to audits and inspections conducted by Controller or a mandated auditor, as set out in Section 9.
Controller shall:
All Personal Data is stored and processed on servers located within the European Economic Area (EEA) by default. Processor does not transfer Personal Data to Bahrain-based infrastructure for primary storage.
Processor is established in the Kingdom of Bahrain, which does not currently hold an EU adequacy decision under GDPR Article 45. Accordingly, where Processor's staff in Bahrain access EU Personal Data (e.g., for technical support or maintenance), this constitutes a restricted transfer governed by:
Processor has implemented the Bahrain PDPL (Law No. 30 of 2018, as amended 2023) as its local data protection framework, which is consistent with the obligations in these SCCs.
Where Processor engages Sub-processors located outside the EEA, Processor relies on one or more of the following safeguards under GDPR Chapter V:
Details of the safeguard applicable to each Sub-processor are listed in Section 7.
Controller provides a general written authorisation for Processor to engage the Sub-processors listed below. Processor shall notify Controller by email at least 30 days before adding or replacing any Sub-processor. Controller may object within 14 days of such notice.
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Managed PostgreSQL (EU) | Primary database — all platform data | EU (EEA) | EEA — no transfer |
| Cloudflare | DDoS protection, CDN, DNS | Global (EEA nodes) | SCCs + DPF |
| Mailgun / SMTP | Transactional & notification emails | EU region | SCCs |
| Stripe | Payment processing (billing data only) | Ireland / US | SCCs + DPF; PCI DSS L1 |
| Sentry | Error tracking & performance monitoring | US | SCCs + DPF |
| Encrypted backup provider (EU) | Encrypted off-site backups | EU (EEA) | EEA — no transfer |
SCCs = Standard Contractual Clauses (EU Decision 2021/914). DPF = EU-U.S. Data Privacy Framework.
Processor implements the following measures in accordance with GDPR Article 32:
| Measure | Implementation |
|---|---|
| Encryption at rest | AES-256 for all stored data at database and volume level |
| Encryption in transit | TLS 1.2+ enforced; HSTS applied; TLS 1.0/1.1 disabled |
| Authentication & access control | TOTP MFA for privileged accounts; RBAC with least-privilege; HMAC-signed session tokens |
| Audit logging | Tamper-evident audit log for all data access and changes; retained 12 months |
| Pseudonymisation | IP addresses hashed before long-term storage in consent logs |
| Backup & recovery | Daily encrypted backups; point-in-time restore; RTO < 4 hours; quarterly integrity test |
| Vulnerability management | Automated dependency scanning on every build; annual third-party pen test |
| Staff measures | Annual GDPR & security training; confidentiality agreements; background checks for production access |
| DPIA for new features | Data protection impact assessment conducted before processing new categories of personal data |
Processor shall notify Controller without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach affecting Controller's data.
Controller is responsible for notifying the supervisory authority within 72 hours of becoming aware of a breach (GDPR Art. 33), and for notifying affected data subjects without undue delay where required (Art. 34). Processor will cooperate fully and provide all information available to assist.
On reasonable written notice (minimum 30 days, except where a regulatory authority requires otherwise), Controller may audit Processor's compliance with this DPA no more than once per calendar year. Processor's current SOC 2 Type II report may be provided in lieu of an on-site audit.
Upon termination or expiry of the Agreement, Processor shall, at Controller's written election within 30 days of termination:
Processor may retain anonymised, aggregated statistical data that does not identify any individual. Billing records are retained for 7 years to comply with EU VAT law.
Processor shall provide written confirmation of deletion upon Controller's request.
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. Notwithstanding any limitation, Processor's liability shall not be excluded or limited for:
This DPA is governed by the laws of England and Wales (a neutral choice of law often used by non-EU businesses contracting with EU customers), without regard to its conflict of law principles.
The parties submit to the exclusive jurisdiction of the courts of England and Wales for any dispute arising out of or in connection with this DPA, except that either party may seek emergency injunctive relief in any court of competent jurisdiction.
This DPA also incorporates by reference the Standard Contractual Clauses (EU Commission Decision 2021/914), which take precedence in the event of any conflict with these governing law provisions in respect of transfers of EU Personal Data.
Complete the fields below and check all boxes to execute this DPA electronically. Your acceptance is timestamped and recorded with your account. This constitutes a legally binding agreement under the eIDAS Regulation, Regulation (EU) No 910/2014.
Your acceptance is recorded with a timestamp, DPA version, and your IP address. A confirmation email will be sent to your registered account address. Contact our DPO if you need a countersigned PDF copy.