This Data Processing Agreement (DPA) governs how we process personal data on behalf of our clients, ensuring compliance with applicable data protection laws.
This Data Processing Agreement ("DPA") forms part of the service agreement between Capisso Business Services ("Processor," "we," "us," or "our") and the client ("Controller," "you," or "your") for the provision of bookkeeping and software development services.
This DPA governs the processing of personal data by Capisso on behalf of the Controller in accordance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR) and other relevant privacy legislation.
For the purposes of this DPA, the following definitions apply:
Controller: The client who determines the purposes and means of processing personal data.
Processor: Capisso Business Services, which processes personal data on behalf of the Controller.
Personal data: Any information relating to an identified or identifiable natural person.
Processing: Any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, or destruction.
Data subject: An identified or identifiable natural person.
Sub-processor: Any third party engaged by the Processor to process personal data on behalf of the Controller.
The processing of personal data is necessary for the provision of bookkeeping and software development services as outlined in the main service agreement.
Processing will continue for the duration of the service agreement and any applicable retention periods as specified in our Privacy Policy or as required by law.
We will process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to third countries or international organizations.
We ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
We may engage sub-processors with the Controller's prior written consent. We maintain a list of authorized sub-processors and will notify the Controller of any intended changes to this list.
We will assist the Controller in fulfilling data subject rights requests, including:
We will respond to data subject requests forwarded by the Controller within a reasonable timeframe and provide necessary technical and organizational assistance.
Personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including India where our primary operations are located.
For transfers to countries without an adequacy decision, we implement appropriate safeguards:
We conduct transfer impact assessments to ensure that the level of protection of personal data is not undermined by the transfer.
We will notify the Controller without undue delay after becoming aware of a personal data breach, and in any case within 72 hours of discovery.
The notification will include:
We will provide reasonable assistance to the Controller in notifying supervisory authorities and data subjects as required by applicable law.
The Controller has the right to conduct audits and inspections to verify compliance with this DPA and applicable data protection laws.
The Controller will bear the costs of audits unless the audit reveals material non-compliance with this DPA.
We will provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) when required by applicable law, including:
Upon termination of the service agreement, we will, at the Controller's choice, return or securely delete all personal data and any copies thereof.
We may retain personal data to the extent required by applicable law, provided that we ensure the confidentiality of such data and process it only for the purposes specified by law.
Upon request, we will provide written certification that personal data has been returned or securely deleted in accordance with this DPA.
Each party's liability under this DPA is subject to the limitation of liability provisions in the main service agreement.
In case of regulatory fines or penalties imposed due to non-compliance with this DPA, liability will be allocated based on the respective party's degree of responsibility for the non-compliance.
This DPA is governed by the same law as the main service agreement. Any disputes arising from this DPA will be resolved through the dispute resolution mechanisms specified in the main service agreement.
Nothing in this DPA reduces the Controller's or data subjects' rights under applicable data protection laws.
For any questions or concerns regarding this DPA or our data processing activities, please contact:
Data Protection Officer
Capisso Business Services
Address: Opp Civil Station, Mahe, Puducherry, India
Email: dpo@capisso.in
Phone: +91 XXX XXX XXXX
Website: capisso.in
This DPA may be amended only by written agreement between the parties. We may update this DPA to reflect changes in applicable data protection laws, provided that such updates do not reduce the level of protection afforded to personal data.