1. Purpose
This Data Processing Addendum ("DPA") forms part of the Master Services Agreement between SoftGrid (Processor) and the Customer (Controller) and governs processing of personal data under GDPR.
2. Scope of processing
- Subject matter: services described in the SOW.
- Duration: term of the MSA.
- Nature & purpose: software development, hosting, support.
- Data subjects: Customer's end users and employees.
- Categories: identifiers, contact data, application telemetry as configured by Customer.
3. Processor obligations
- Process personal data only on documented Customer instructions.
- Ensure personnel are bound by confidentiality.
- Implement appropriate technical and organizational measures (Annex II).
- Assist Controller with data-subject requests, DPIAs, and breach notifications.
4. Subprocessors
Customer authorizes SoftGrid to engage subprocessors listed at request. SoftGrid will notify 30 days before adding a new subprocessor; Customer may object on reasonable grounds.
5. International transfers
Transfers outside the EEA are made under EU SCCs (Commission Decision 2021/914) with supplementary measures where required.
6. Audit
SoftGrid will make available information necessary to demonstrate compliance and allow audits once per year on reasonable notice.
7. Return or deletion
On termination, SoftGrid will return or delete all personal data within 60 days, unless retention is required by law.
8. Contact
Data Protection Officer: dpo@softgrid.example.com