1. Subject Matter and Duration
This Data Processing Addendum (“DPA”) supplements the Master Services Agreement and applies to Operator's processing of Personal Data on behalf of Foundation. The DPA takes effect concurrently with the MSA and continues for the duration of the MSA plus any post-termination period required for data return or deletion.
2. Definitions
Capitalized terms not defined in this DPA have the meanings in the MSA or, where not defined, in GDPR Article 4. For the purposes of this DPA, Foundation is the “Controller” and Operator is the “Processor”.
3. Processing Instructions
Operator will process Personal Data only on documented instructions from Foundation. The MSA, this DPA, the applicable Order Form, and Foundation's configuration of the Platform constitute the documented instructions. Operator will inform Foundation if it believes that Foundation's instructions infringe applicable data protection law.
4. Confidentiality and Personnel
Operator ensures that personnel authorized to process Personal Data are subject to confidentiality obligations and receive appropriate data-protection training.
5. Security Measures
Operator implements appropriate technical and organizational measures to protect Personal Data, including: AES-256 encryption at rest; TLS 1.3 in transit; Argon2id password hashing; multi-factor authentication; least-privilege role-based access control; quarterly access reviews; annual third-party penetration testing; and incident response procedures. A SOC 2 Type II audit is planned for Q4 2027 and is not an implemented measure until the report is issued. Specific measures are described in the Information Security Policy.
6. Sub-Processors
Foundation provides general written authorization for Operator to engage Sub-Processors listed in the Sub-Processor List. Operator will give Foundation 30 days' written notice of any new Sub-Processor or change in Sub-Processor; Foundation may object on reasonable grounds within that period. If the parties cannot resolve the objection, Foundation may terminate the MSA without penalty for service incompatibility.
7. Data Subject Rights
Operator will, taking into account the nature of the processing, assist Foundation with appropriate technical and organizational measures to fulfill Foundation's obligation to respond to Data Subject requests under GDPR Articles 15-22.
8. Personal Data Breach Notification
Operator will notify Foundation without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Foundation Personal Data, providing the information required by GDPR Article 33(3).
9. DPIAs and Prior Consultation
Operator will assist Foundation, where reasonably required, in carrying out Data Protection Impact Assessments (GDPR Art. 35) and in prior consultations with supervisory authorities (GDPR Art. 36).
10. Return or Deletion
On termination of the MSA, Operator will, at Foundation's election, return or delete Personal Data, except where retention is required by applicable law or to comply with audit, recovery, or sanctions obligations. Backup copies are deleted in accordance with Operator's normal backup-rotation schedule.
11. Audits
Foundation may, no more than once per calendar year and on at least 60 days' written notice, engage an independent third-party auditor to verify Operator's compliance with this DPA. Audits are conducted during business hours, do not unreasonably disrupt Operator's operations, and are subject to confidentiality. Operator may make available SOC 2 Type II reports (when published) in lieu of on-site audit.
12. International Transfers
Where Personal Data is transferred outside the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with comparable adequacy requirements, the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) Module 2 (controller-to-processor) are incorporated by reference, with the Foundation as data exporter and Operator as data importer. Annexes I, II, and III are populated by reference to this DPA, the Information Security Policy, and the Sub-Processor List.
13. Liability
The liability provisions of the MSA apply to claims arising under this DPA.