Data Processing Addendum
Last updated: September 2, 2025
This DPA forms part of the Terms when DevCraft Agency processes personal data on behalf of Client under applicable data protection laws.
1. Roles
Client is the Controller. DevCraft Agency is the Processor.
2. Subject Matter & Duration
Processing personal data to deliver the services described in the SOW/Quote for the term of the agreement and any legally required retention.
3. Nature & Purpose
Hosting, development, testing, support, observability, and security activities required to provide the services.
4. Categories of Data & Data Subjects
Data subjects may include Client's users, customers, employees, and contractors. Personal data may include identifiers, contact details, usage data, logs, and content stored in systems we access on Client's instructions. Sensitive data should not be provided unless explicitly agreed in writing.
5. Processor Obligations
- Process personal data only on documented instructions from Client.
- Ensure personnel are bound by confidentiality.
- Implement appropriate technical and organizational measures (Annex II).
- Assist Client with data subject requests and impact assessments.
- Delete or return personal data at the end of the engagement per Client instructions.
- Maintain records of processing as required by law.
6. Sub-processors
Client authorizes the use of sub-processors listed in Annex III and any replacements upon notice. We remain responsible for sub-processors' performance.
7. Security
We maintain the security measures in Annex II and the Security section. We will not materially decrease security during the term.
8. Personal Data Breach
We will notify Client without undue delay after becoming aware of a personal data breach affecting Client data and will provide information to support Client's notifications.
9. International Transfers
Where required, we will use appropriate safeguards (e.g., Standard Contractual Clauses). Additional terms in Annexes may apply.
10. Audits
Upon reasonable notice, Client may audit our compliance once per year (or more after a material incident). Audits must protect confidentiality and avoid undue disruption.
11. Deletion & Return
Upon termination or upon written request, we will delete or return personal data within 30 days, subject to legal retention and backup cycles. We will certify deletion upon request.
12. Liability & Order of Precedence
Liability is governed by the Terms. In case of conflict, this DPA controls regarding data protection obligations.
Annex I — Processing Details: see project SOW for specific systems, data types, and retention.
Annex II — Security Measures: below.
Annex III — Sub-processors: template list below.