Data Processing Agreement (DPA) — Template

Parties. This DPA forms part of the Agreement between Customer (Controller) and Lawkraft/Sanker-Office (Processor).
Effective Date. As per the applicable Order/SOW.

1) Roles & Processing

  • Controller: Customer; Processor: Lawkraft/Sanker-Office; Sub-processors: listed in Annex III (as updated).
  • Subject Matter & Duration: provision of consulting, implementation, and API/governance services for the term of the Agreement.
  • Nature & Purpose: development, integration, testing, and operation support of governed AI and related systems.
  • Data Categories: typically business contact data; PII processing is avoided by default. Where necessary, only minimal PII required for the purpose.
  • Data Subjects: Customer personnel and end-users as applicable.

2) Processor Obligations

  • Process Personal Data only on documented instructions from Controller (including transfers).
  • Ensure personnel are under confidentiality and trained appropriately.
  • Implement the technical and organizational measures (TOMs) described in the Security Appendix.
  • Assist Controller with responses to data subject requests, DPIAs, and prior consultations.
  • Notify Controller without undue delay of a confirmed Personal Data Breach and cooperate on remediation.

3) Sub-processors

  • Processor may engage Sub-processors with appropriate contracts imposing obligations no less protective than this DPA.
  • Processor will maintain an up-to-date list of Sub-processors and notify Controller of material changes; Controller may object on reasonable grounds.

4) International Transfers

  • Where required, SCCs (EU/UK) or successor frameworks will apply (see Annex II).
  • Processor will implement supplementary measures appropriate to the transfer risk.

5) Return/Deletion

  • Upon termination or on request, Processor will delete or return Personal Data, unless retention is required by law or audit obligations.

6) Audit & Information

  • Processor will make available information necessary to demonstrate compliance and allow for audits (including by independent third parties) no more than annually, on reasonable notice, without disrupting operations.

7) Liability & Precedence

  • Liability and limitations are governed by the Agreement. In case of conflict, the SCCs (if applicable) and this DPA prevail over the Agreement, then the Order/SOW.

Annex I — Details of Processing

  • Subject Matter: As above.
  • Duration: Term of Agreement.
  • Nature & Purpose: Evaluation, integration, operation of governed AI and APIs.
  • Types of Personal Data: Minimal business contact data; optional end-user identifiers where strictly necessary.
  • Data Subjects: Customer personnel; end-users where applicable.

Annex II — Standard Contractual Clauses (SCCs)

  • SCC module(s) as applicable to Controller→Processor transfers (EU/UK).
  • Supplementary measures: encryption in transit, access controls, audit logs, data minimization, policy-gated retention.

Annex III — Authorized Sub-processors

  • (Add vendors as needed; include purpose, region, and appropriate safeguards.)

Note: Where possible, avoid PII in governed pipelines. If unavoidable, document lawful basis, retention, and data flows in the DPIA/RoPA.