Data Processing Agreement (DPA) Template — Ireland

DATA PROCESSING AGREEMENT

Article 28 GDPR Controller-processor Contract — Ireland

Terms used in this DPA without definition shall have the meanings given in the GDPR. In particular: "personal data", "processing", "controller", "processor", "sub-processor", "data subject", "data breach", "supervisory authority" and "international transfer" have the meanings given in Art 4 GDPR. "DPC" means the Irish Data Protection Commission. "SCCs" means the Standard Contractual Clauses adopted by EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021. "DPF" means the EU-US Data Protection Framework approved by Commission Implementing Decision (EU) 2023/1795 of 10 July 2023.

Subject matter: Hosting, storage and processing of customer health and wellness records on the Processor's SaaS platform, including appointment scheduling, clinical notes, payments and outcome tracking..
Duration: this DPA is coterminous with the underlying Master Services Agreement / principal services contract between the parties.
Nature and purpose: The nature of processing is automated SaaS hosting, storage, indexing, backup and analytics on personal data. The purpose is the delivery of the Controller's customer-facing health and wellness service..

Categories of personal data: Identification data (name, address, email, telephone), authentication data, payment data (last 4 digits + token), special-category health data (Art 9 — clinical notes, diagnoses, treatment plans), customer feedback and outcomes ratings..
Categories of data subjects: Controller's customers (adults aged 18+); occasional Controller customers under 18 with verified parental/guardian consent; Controller staff and contractors with access to the platform..

The Processor shall process personal data only on the documented instructions of the Controller, including with regard to international transfers, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data-protection provisions.

The Processor shall ensure that all persons authorised by it to process personal data are bound by enforceable confidentiality obligations (whether by contractual or statutory duty) and have undertaken not to disclose any personal data outside the scope of those obligations.

The Processor shall implement and maintain the technical and organisational measures set out in Annex II to this DPA, including: Encryption at rest: AES-256 on all persistent storage, with keys managed in HSM-backed key store and rotated annually.. Encryption in transit: TLS 1.3 for all external endpoints; TLS 1.2 minimum on internal service-to-service.. Access control: Role-based access control with least-privilege provisioning; SSO + MFA on all administrative interfaces; quarterly access reviews; audit log retained 12 months.. Backup: Daily incremental + weekly full backups, retained 35 days, encrypted at rest; quarterly restore tests.. Certifications: ISO/IEC 27001:2022 (certificate ABC-12345); SOC 2 Type II (annual); Cyber Essentials Plus.. The Processor shall maintain these measures throughout the term and shall keep evidence of their effective operation available to the Controller on request.

The Controller grants the Processor general written authorisation to engage sub-processors, subject to the change-notice procedure below. Where general authorisation applies, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, giving the Controller the opportunity to object to such changes. Approved sub-processors: Microsoft Azure (Ireland) — primary hosting; Stripe Payments Europe (Ireland) — payment processing; SendGrid (Twilio Ireland) — transactional email; Datadog Inc. (DPF-certified) — observability and logging.. Objection period: the Controller may object within 30 days of notice, and if such objection cannot be resolved within a further 30 days the Controller may terminate the affected service without penalty. Flow-down (Art 28(4)): The Processor shall impose on each sub-processor, by written contract, data-protection obligations equivalent to those imposed on the Processor under this DPA, in particular providing sufficient guarantees that the sub-processor will implement appropriate technical and organisational measures. Where the Processor engages a sub-processor, the same data-protection obligations as set out in this DPA shall be imposed on that sub-processor by way of written contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. The Processor remains fully liable to the Controller for the performance of each sub-processor's obligations.

Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising data-subject rights under Chapter III GDPR (Arts 12-22), including the right of access, rectification, erasure, restriction, portability, objection and rights related to automated decision-making.

The Processor shall assist the Controller in ensuring compliance with the obligations under Articles 32 (security), 33-34 (data breach notification), 35 (data protection impact assessment) and 36 (prior consultation) GDPR, taking into account the nature of processing and the information available to the Processor.

The Processor shall notify the Controller of any personal data breach without undue delay and in any event within 48 hours of the Processor becoming aware of the breach. Notification shall be sent to security-breach@riverstone.ie + +353 1 555 9999 (24/7 IR line) and shall include, at minimum: (a) Nature of breach including categories and approximate number of data subjects and records; (b) likely consequences; (c) measures taken or proposed; (d) name and contact of DPO; (e) Processor incident reference number..
The Processor shall cooperate with the Controller in completing any notification required to the Data Protection Commission under Art 33 GDPR and any communication to affected data subjects required under Art 34 GDPR.

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR. The Controller may carry out audits annually on 30 days written notice. The Controller may use any independent third-party auditor of national standing. The Processor's annual SOC 2 Type II report shall be accepted as a substitute for routine audits. Each party bears its own costs of routine audits; on-cause audits resulting in identified breaches are at the Processor's cost.

Where personal data is transferred from the EEA to a third country not benefiting from an adequacy decision, the parties incorporate by reference the EU Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/914 of 4 June 2021), Module 2 — controller-to-processor. Transfers to the United States are made to recipients certified under the EU-US Data Protection Framework. Where DPF certification is not available, the parties incorporate the SCCs Module 2 and have completed a Transfer Impact Assessment annexed to this DPA.

On termination or expiry of this DPA, the Processor shall, within 30 days, at the Controller's option, either return the personal data in a structured, commonly-used and machine-readable format or delete all copies and certify deletion in writing. Copies retained beyond this period are permitted only where required by Union or Member State law, and only for so long as necessary for that purpose, subject to ongoing confidentiality and security obligations. On request by the Controller, the Processor shall provide written certification of completion of return or deletion.

Each party's aggregate liability under this DPA, including in respect of any DPC fines, data-subject claims and breach notification costs, is capped at the greater of (a) the fees payable under the Principal Contract during the 12 months preceding the claim, or (b) €1,000,000.
Carve-outs: The liability cap does NOT apply to: (a) fines and penalties imposed by a supervisory authority where the breach is attributable to the party's wilful misconduct; (b) indemnification for third-party data-subject claims where the breach is attributable to the party; (c) fraud or wilful concealment.

Each party shall maintain a written record of all processing activities falling within the scope of this DPA, in accordance with Article 30 GDPR, and shall make such records available to the supervisory authority on request.

Order of precedence: in the event of any conflict between this DPA and the Principal Contract, this DPA shall prevail on matters of data protection.
Survival: obligations of confidentiality, audit (for the duration of any applicable limitation period), and return / deletion shall survive termination.
Severability: the invalidity of any provision does not affect the remaining provisions.
Variation: any variation of this DPA shall be in writing and signed by both parties (or executed electronically with cryptographic proof of authorisation).

This DPA is governed by the laws of Ireland. The courts of Ireland have exclusive jurisdiction over any dispute arising from or connected with this DPA, save that either party may seek injunctive relief in any court of competent jurisdiction where required to protect data subjects' rights.

IN WITNESS WHEREOF, the parties have executed this Agreement as of the date indicated.