Home Legal Data Processing

Data Processing Agreement

Last updated: March 20, 2026

1. Introduction

This Data Processing Agreement ("DPA") governs the processing of personal data by Global Services ("Processor") on behalf of our clients ("Controller") in connection with the provision of IT services.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data, including collection, storage, modification, retrieval, use, disclosure, or deletion
  • Controller: The client who determines the purposes and means of processing personal data
  • Processor: Global Services, which processes personal data on behalf of the Controller
  • Sub-processor: A third party engaged by the Processor to process personal data

3. Scope of Processing

The Processor shall process personal data only:

  • As necessary to provide the contracted services
  • In accordance with the Controller's documented instructions
  • In compliance with applicable data protection laws

4. Security Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit (TLS/SSL) and at rest (AES-256)
  • Access controls and authentication mechanisms
  • Regular security assessments and vulnerability management
  • Automated backup systems with tested restore procedures
  • Incident detection and response capabilities
  • Staff training on data protection and security

5. Sub-processors

Current sub-processors include:

  • Amazon Web Services (AWS): Cloud storage (S3), compute (EC2), email (SES) — EU and Asia-Pacific regions
  • OVH: Virtual private server hosting — EU data centers
  • OpenAI: AI processing services — where applicable per service agreement

The Processor shall inform the Controller before adding or replacing sub-processors, providing the Controller an opportunity to object.

6. Data Subject Rights

The Processor shall assist the Controller in responding to data subject requests, including requests for access, rectification, deletion, portability, and restriction of processing.

7. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach. Notification shall include:

  • Nature of the breach, including categories and approximate number of data subjects affected
  • Contact information for further inquiries
  • Description of likely consequences
  • Description of measures taken or proposed to address the breach

8. Data Deletion

Upon termination of services, the Processor shall, at the Controller's choice, delete or return all personal data processed on behalf of the Controller, and delete existing copies unless retention is required by law.

9. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits and inspections conducted by the Controller or an authorized auditor.

10. Contact

For questions about this DPA or to exercise any rights, please contact us.