Data Processing Agreement
Last updated: January 15, 2024
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Agreement for services between Chikoh ("Data Processor") and the customer ("Data Controller"), collectively referred to as the "Parties".
This DPA reflects the Parties' agreement with respect to the Processing of Personal Data in accordance with the requirements of Data Protection Laws.
2. Definitions
In this DPA, the following terms shall have the meanings set out below:
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR").
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Data Processor as part of the Services.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, or destruction.
- "Sub-processor" means any third party appointed by the Data Processor to process Personal Data on behalf of the Data Controller.
3. Processing of Personal Data
3.1 Scope of Processing
The Data Processor shall process Personal Data only for the purpose of providing the Services as specified in the Agreement and in accordance with the documented instructions from the Data Controller.
3.2 Data Controller Instructions
The Data Processor shall process Personal Data only on documented instructions from the Data Controller, unless required to do so by applicable law.
3.3 Categories of Data
The types of Personal Data processed under this DPA may include:
- Contact information (names, email addresses, phone numbers)
- User account information
- Usage data and analytics
- Business information
- Communications data
4. Security Measures
The Data Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.
These measures include but are not limited to:
- Encryption of Personal Data in transit and at rest
- Access controls and authentication mechanisms
- Regular security assessments and audits
- Employee training on data protection
- Incident response procedures
- Regular backups and disaster recovery plans
5. Sub-processors
5.1 Authorized Sub-processors
The Data Controller consents to the Data Processor appointing Sub-processors to process Personal Data, provided that:
- The Data Processor provides notice of any intended changes concerning Sub-processors
- The Data Controller has the opportunity to object to such changes
- The Data Processor ensures Sub-processors are bound by data protection obligations
5.2 List of Sub-processors
Current authorized Sub-processors include:
- Amazon Web Services (Cloud Infrastructure)
- Google Cloud Platform (Data Analytics)
- Stripe (Payment Processing)
- SendGrid (Email Services)
6. Data Subject Rights
The Data Processor shall assist the Data Controller in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including:
- Right of access to Personal Data
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
7. Personal Data Breach
The Data Processor shall notify the Data Controller without undue delay after becoming aware of a Personal Data breach affecting Personal Data processed under this DPA.
Such notification shall include:
- Nature of the breach
- Categories and approximate number of Data Subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
8. Data Transfers
The Data Processor shall not transfer Personal Data outside the European Economic Area without the prior written consent of the Data Controller and appropriate safeguards in place, such as:
- Standard Contractual Clauses
- Adequacy decisions
- Binding Corporate Rules
- Other legally approved transfer mechanisms
9. Audit Rights
The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Data Controller or an auditor mandated by the Data Controller.
10. Return and Deletion of Data
Upon termination of the Agreement, the Data Processor shall, at the choice of the Data Controller, delete or return all Personal Data to the Data Controller and delete existing copies unless applicable law requires storage of the Personal Data.
11. Liability and Indemnification
Each Party's liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Agreement. Each Party shall indemnify the other against damages arising from its breach of this DPA.
12. Duration and Termination
This DPA shall remain in effect for the duration of the Agreement. The obligations of the Parties under this DPA shall survive termination to the extent necessary to fulfill the purposes of this DPA.
Contact Information
For questions about this Data Processing Agreement or data protection matters, please contact our Data Protection Officer:
Email: support@chikoh.com
Address: Sidekick Intelligence (DBA Chikoh), Data Protection Officer
1021 E LINCOLNWAY STE 8412, CHEYENNE, WY 82001
Need a signed DPA?
If you require a signed copy of this DPA for your records, please contact our legal team at support@chikoh.com with your company details and we'll provide you with an executed agreement.