Data Processing Agreement (DPA)
Last updated: October 7, 2025
1. Introduction and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between CopyPastia ("Processor") and the business customer ("Controller") and governs the processing of personal data in accordance with UK GDPR and applicable data protection laws.
This DPA applies when:
- You use CopyPastia for business purposes
- You process personal data of individuals through our service
- You are subject to UK GDPR or equivalent data protection laws
2. Definitions
Term | Definition |
---|---|
Controller | The business customer who determines the purposes and means of processing personal data |
Processor | CopyPastia, who processes personal data on behalf of the Controller |
Personal Data | Any information relating to an identified or identifiable natural person |
Processing | Any operation performed on personal data (collection, storage, use, disclosure, etc.) |
Sub-processor | Third parties engaged by CopyPastia to assist in providing the service |
3. Controller and Processor Responsibilities
3.1 Controller Responsibilities
The Controller shall:
- Ensure a lawful basis for processing personal data
- Provide necessary notices to data subjects
- Obtain required consents
- Ensure data is accurate and up-to-date
- Implement appropriate technical and organizational measures
- Only provide instructions that comply with applicable laws
- Conduct Data Protection Impact Assessments where required
3.2 Processor Responsibilities
CopyPastia (Processor) shall:
- Process personal data only on documented instructions from Controller
- Ensure confidentiality of personal data
- Implement appropriate security measures
- Assist with data subject rights requests
- Notify Controller of personal data breaches
- Assist with compliance obligations
- Delete or return personal data upon termination
4. Processing Details
4.1 Subject Matter and Duration
Subject Matter: Provision of cloud clipboard services
Duration: For the duration of the service agreement
4.2 Nature and Purpose of Processing
- Storage and sharing of text and file content
- User authentication and access control
- Service delivery and technical support
- Security monitoring and fraud prevention
4.3 Categories of Data Subjects
- Controller's employees, contractors, and consultants
- Controller's customers and clients
- Other individuals whose personal data is processed through the service
4.4 Categories of Personal Data
- Identification data (names, usernames, email addresses)
- Content data (text, files, documents shared through the service)
- Technical data (IP addresses, device information, usage logs)
- Communication data (support messages, notifications)
5. Sub-processing
5.1 Authorized Sub-processors
The Controller authorizes the use of the following categories of sub-processors:
- Cloud Infrastructure Providers: For hosting and data storage
- Payment Processors: For billing and subscription management
- Analytics Providers: For service performance monitoring
- Email Service Providers: For transactional communications
- Security Providers: For fraud prevention and security monitoring
5.2 Current Sub-processors
Sub-processor | Service | Location | Purpose |
---|---|---|---|
PayPal | Payment Processing | USA/EU | Payment processing and billing |
Google Analytics | Analytics | USA | Service usage analytics |
[Cloud Provider] | Infrastructure | [Location] | Hosting and data storage |
5.3 Sub-processor Changes
CopyPastia will:
- Provide 30 days' notice of new sub-processors
- Allow Controller to object to new sub-processors
- Ensure sub-processors meet equivalent data protection obligations
- Maintain an updated list of sub-processors
6. Security Measures
6.1 Technical Measures
- Encryption of data in transit and at rest
- Access controls and authentication
- Network security and firewalls
- Regular security testing and monitoring
- Secure data backup and recovery
6.2 Organizational Measures
- Staff training on data protection
- Confidentiality agreements for personnel
- Incident response procedures
- Regular security policy reviews
- Vendor management procedures
7. Data Subject Rights
CopyPastia will assist the Controller in responding to data subject rights requests:
7.1 Assistance Provided
- Identifying and retrieving personal data
- Providing data in portable formats
- Implementing corrections or deletions
- Restricting processing when required
- Technical measures for rights fulfillment
7.2 Response Timeline
CopyPastia will respond to Controller's assistance requests within 10 business days or as required to meet legal deadlines.
8. Data Breach Notification
8.1 Notification to Controller
CopyPastia will notify the Controller of personal data breaches:
- Without undue delay and within 24 hours where feasible
- Including available information about the breach
- Providing updates as more information becomes available
8.2 Breach Information
Notifications will include:
- Nature of the breach and affected data
- Number of affected data subjects
- Likely consequences of the breach
- Measures taken to address the breach
- Recommendations for Controller action
9. Data Protection Impact Assessment (DPIA)
CopyPastia will provide reasonable assistance for Controller's DPIA requirements, including:
- Information about processing operations
- Security measures implemented
- Risk assessment information
- Mitigation strategies
10. International Data Transfers
10.1 Transfer Mechanisms
Where personal data is transferred outside the UK/EEA, CopyPastia ensures adequate protection through:
- EU/UK Adequacy Decisions
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules
- Certification schemes
10.2 Transfer Records
CopyPastia maintains records of all international transfers including:
- Categories of data transferred
- Recipients and locations
- Transfer mechanisms used
- Safeguards implemented
11. Audits and Compliance
11.1 Audit Rights
The Controller may audit CopyPastia's compliance through:
- Review of compliance certifications
- Third-party audit reports
- Information requests
- On-site audits (with reasonable notice and frequency)
11.2 Audit Cooperation
CopyPastia will:
- Provide requested compliance documentation
- Allow reasonable audit access
- Cooperate with audit activities
- Address any compliance issues identified
12. Data Return and Deletion
12.1 Data Return
Upon termination, CopyPastia will:
- Return personal data in a commonly used format
- Provide data within 30 days of termination
- Include all copies and backups
- Confirm completion of data return
12.2 Data Deletion
Following data return or upon Controller's instruction:
- Securely delete all personal data
- Remove data from all systems and backups
- Provide written confirmation of deletion
- Retain only data required by law
13. Liability and Indemnification
13.1 Processor Liability
CopyPastia is liable for damages caused by processing that:
- Violates UK GDPR processor obligations
- Exceeds or contradicts lawful Controller instructions
- Results from CopyPastia's negligent or intentional acts
13.2 Limitation of Liability
Total liability under this DPA is limited to the amount specified in the main service agreement, except for:
- Regulatory fines and penalties
- Willful misconduct or gross negligence
- Data breaches caused by security failures
14. Term and Termination
14.1 Term
This DPA remains in effect for the duration of the service agreement.
14.2 Survival
The following provisions survive termination:
- Data return and deletion obligations
- Confidentiality requirements
- Liability provisions
- Audit rights (for a reasonable period)
15. Amendments and Updates
This DPA may be updated to reflect:
- Changes in applicable law
- Regulatory guidance
- Service modifications
- Enhanced security measures
Material changes will be communicated with 30 days' notice.
16. Governing Law and Disputes
Governing Law: This DPA is governed by the laws of England and Wales
Jurisdiction: Courts of England and Wales
Dispute Resolution: Good faith negotiation followed by binding arbitration
17. Contact Information
Data Protection Officer: [email protected]
Legal Department: [email protected]
Security Team: [email protected]
18. Signatures and Acceptance
By using CopyPastia for business purposes and processing personal data through our service, the Controller agrees to be bound by the terms of this Data Processing Agreement.