1. Subject Matter and Duration
This Data Processing Addendum (“DPA”) supplements the Master Services Agreement (“MSA”) and applies to Operating Co's processing of Personal Data on behalf of Foundation. This DPA takes effect concurrently with the MSA and continues for the duration of the MSA plus any post-termination period required for the return or deletion of Personal Data.
2. Definitions
Capitalized terms not defined in this DPA have the meanings in the MSA or, where not defined, in GDPR Article 4. For the purposes of this DPA, Foundation is the “Controller” and Operating Co is the “Processor”.
3. Processing Instructions
Operating Co will process Personal Data only on documented instructions from Foundation. The MSA, this DPA, the applicable Order Form, and Foundation's configuration of the Platform constitute the documented instructions. Operating Co will inform Foundation if it believes that Foundation's instructions infringe applicable data protection law.
4. Confidentiality and Personnel
Operating Co ensures that personnel authorized to process Personal Data are subject to confidentiality obligations and receive appropriate data-protection training.
5. Security Measures
Operating Co implements appropriate technical and organizational measures to protect Personal Data, including: AES-256 encryption at rest; TLS 1.3 in transit; Argon2id password hashing; multi-factor authentication; least-privilege role-based access control; quarterly access reviews; annual third-party penetration testing; and incident response procedures. A SOC 2 Type II audit is planned for Q4 2027. Specific measures are described in the Information Security Policy.
6. Sub-Processors
Foundation provides general written authorization for Operating Co to engage the Sub-Processors listed in the Sub-Processor List. Operating Co will give Foundation 30 days' written notice before engaging a new Sub-Processor or changing an existing Sub-Processor; Foundation may object on reasonable grounds within that period. If the parties cannot resolve the objection, Foundation may terminate the MSA without penalty on grounds of service incompatibility.
7. Data Subject Rights
Operating Co will, taking into account the nature of the processing, assist Foundation with appropriate technical and organizational measures to fulfill Foundation's obligation to respond to Data Subject requests under GDPR Articles 15-22.
8. Personal Data Breach Notification
Operating Co will notify Foundation without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Foundation Personal Data, providing the information required by GDPR Article 33(3).
9. DPIAs and Prior Consultation
Operating Co will assist Foundation, where reasonably required, in carrying out Data Protection Impact Assessments (GDPR Art. 35) and in prior consultations with supervisory authorities (GDPR Art. 36).
10. Return or Deletion
On termination of the MSA, Operating Co will, at Foundation's election, return or delete Personal Data, except where retention is required by applicable law or to comply with audit, recovery, or sanctions obligations. Backup copies are deleted in accordance with Operating Co's normal backup-rotation schedule.
11. Audits
Foundation may, no more than once per calendar year and on at least 60 days' written notice, engage an independent third-party auditor to verify Operating Co's compliance with this DPA. Audits are conducted during business hours, do not unreasonably disrupt Operating Co's operations, and are subject to confidentiality. Operating Co may make available SOC 2 Type II reports (when published) in lieu of on-site audit.
12. International Transfers
Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a jurisdiction that is not recognized as providing adequate protection, the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (controller-to-processor), are incorporated by reference, with Foundation as data exporter and Operating Co as data importer. Annexes I, II, and III are populated by reference to this DPA, the Information Security Policy, and the Sub-Processor List.
13. Liability
The liability provisions of the MSA apply to claims arising under this DPA.