Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between:

Data Controller: You (the customer)
Data Processor: SAR Portal (powered by Sekhon IT Consultants Ltd., Ireland)

1. Definitions

Terms defined in the GDPR have the same meaning in this DPA:

• "GDPR" means Regulation (EU) 2016/679
• "Personal Data" means any data uploaded to SAR Portal by the Controller
• "Data Subject" means individuals whose Personal Data is processed
• "Processing" has the meaning given in Article 4(2) GDPR
• "Sub-processor" means third parties engaged to process Personal Data

2. Scope and Purpose of Processing

Subject Matter: Provision of SAR Portal SaaS platform

Duration: For the term of the subscription

Nature and Purpose:

• Storage and retrieval of DSAR case data
• Document management and secure access
• Email notifications and communications
• AI-powered risk assessment and text assistance
• PDF text extraction and PII detection for GDPR Article 15(4) compliance
• Audit logging and compliance reporting

3. Categories of Personal Data

The Controller may upload the following types of Personal Data:

• Name, email address, phone number of Data Subjects
• Identification documents (for identity verification)
• Case notes and correspondence
• Documents uploaded by the Controller or Data Subjects
• IP addresses and access logs
• Any other data the Controller chooses to upload

4. Categories of Data Subjects

• Individuals submitting DSARs to the Controller
• Controller's employees and users of the Service

5. Processor's Obligations

The Processor shall:

• Process Personal Data only on documented instructions from the Controller
• Ensure confidentiality of persons authorized to process Personal Data
• Implement appropriate technical and organizational security measures (see Section 7)
• Engage Sub-processors only with prior written consent (see Section 8)
• Assist the Controller in responding to Data Subject rights requests
• Assist the Controller with DPIAs and consultations with supervisory authorities
• Delete or return Personal Data upon termination (at Controller's choice)
• Make available all information necessary to demonstrate compliance
• Notify the Controller of any data breach within 24 hours of discovery

6. Controller's Rights and Instructions

The Controller:

• Retains full control over Personal Data processing
• May issue additional processing instructions in writing
• May audit the Processor's compliance (subject to reasonable notice)
• Remains responsible for compliance with GDPR

Standard Instructions: By using SAR Portal, the Controller instructs the Processor to process Personal Data as necessary to provide the Service.

7. Security Measures (Article 32 GDPR)

The Processor implements the following technical and organizational measures:

7.1 Technical Measures

• Encryption:
  • Data in transit: TLS 1.3
  • Data at rest: AES-256
  • Database encryption via Azure Cosmos DB
• Access Control:
  • Multi-factor authentication (MFA)
  • Role-based access control (RBAC)
  • OAuth 2.0 / OpenID Connect authentication
  • Time-limited SAS URLs for document access
• Network Security:
  • Firewalls and DDoS protection
  • Intrusion detection and monitoring
  • Rate limiting and bot protection (reCAPTCHA Enterprise)
• Logging and Monitoring:
  • Immutable audit logs
  • Security event monitoring
  • Automated alerting for suspicious activity

7.2 Organizational Measures

• Data protection policies and procedures
• Employee confidentiality agreements
• Regular security training
• Incident response plan
• Annual third-party security audits
• Penetration testing (at least annually)
• Vulnerability scanning (continuous)

8. Sub-processors

The Controller grants general authorization for the Processor to engage Sub-processors. Current Sub-processors:

Sub-processor	Service	Location	Safeguards
Microsoft Ireland Operations Ltd.	Azure cloud hosting (Cosmos DB, Blob Storage)	Ireland (EU)	Microsoft Customer Agreement, EU Data Boundary
Microsoft Corporation	Azure OpenAI (AI features - PII detection, risk scoring, text improvement)	Ireland (EU)	Data not used for training, SCCs, Microsoft DPA
Microsoft Corporation	Azure Document Intelligence (PDF text extraction)	Ireland (EU)	OCR and text extraction, SCCs, Microsoft DPA, EU Data Boundary
Stripe Payments Europe Ltd.	Payment processing	Ireland (EU)	PCI DSS Level 1, Stripe DPA
Google Ireland Ltd.	reCAPTCHA Enterprise	Ireland (EU)	Google Cloud DPA, SCCs
Email Service Provider	Transactional emails	EU	SCCs, GDPR-compliant

Sub-processor Changes: We will notify you of any new Sub-processors via email 30 days before engagement. You may object on reasonable data protection grounds.

9. International Data Transfers

All Personal Data is stored in EU data centers (Ireland region). If any Sub-processor transfers data outside the EU/EEA:

• Standard Contractual Clauses (SCCs) approved by the European Commission apply
• Additional safeguards (encryption, access controls) are implemented
• Transfer Impact Assessments (TIAs) are conducted where necessary

10. Data Subject Rights

The Processor will assist the Controller in fulfilling Data Subject rights requests:

• Access: Export functionality available in-app
• Rectification: Edit capabilities for all case data
• Erasure: Delete function available (with audit log retention for legal compliance)
• Restriction: Archive functionality to restrict processing
• Portability: CSV and PDF export available
• Objection: Processing can be stopped by deleting data

Response Time: The Processor will respond to Controller requests for assistance within 5 business days.

11. Data Breach Notification

In the event of a Personal Data breach, the Processor will:

• Notify the Controller within 24 hours of becoming aware
• Provide details of:
  • Nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Likely consequences
  • Measures taken or proposed to address the breach
• Cooperate with the Controller's investigation
• Implement remedial measures to prevent recurrence

Notification Method: Email to primary account holder and DPO (if provided)

12. Data Protection Impact Assessments

The Processor will provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) when required under Article 35 GDPR.

13. Audits and Inspections

The Controller may:

• Request and review security documentation
• Request third-party audit reports (SOC 2, ISO 27001, etc.)
• Conduct on-site audits (subject to 30 days' notice and reasonable costs)

Frequency: Maximum once per year unless a breach has occurred

14. Data Deletion and Return

Upon termination of the subscription:

• The Controller has 90 days to export all data
• Export available via in-app functionality (CSV/PDF)
• All tenant data (cases, documents, users, settings) is permanently deleted 90 days after termination
• Deletion is irreversible and includes all backups after retention period expires
• Exception: Audit logs retained for 7 years (legal requirement)

Certification of Deletion: Provided upon request after deletion is complete

15. Liability and Indemnification

Each party is liable for its own GDPR violations:

• The Controller is liable for compliance with GDPR as Data Controller
• The Processor is liable for breaches of this DPA or GDPR Chapter V (Processor obligations)
• The Processor is not liable for processing carried out per Controller's instructions

Limitation: Subject to the liability limits in the Terms of Service

16. Duration and Termination

• This DPA remains in effect for the duration of the subscription
• Termination does not relieve either party of obligations accrued before termination
• Sections 14 (Data Deletion), 15 (Liability), and 17 (Governing Law) survive termination

17. Governing Law and Jurisdiction

• Governing Law: Laws of Ireland and GDPR
• Jurisdiction: Courts of Ireland
• Supervisory Authority: Data Protection Commission (Ireland)

18. Changes to This DPA

We may update this DPA to reflect changes in:

• Data protection law
• Sub-processors
• Security measures

Notification: Material changes communicated via email 30 days in advance

19. Standard Contractual Clauses

This DPA incorporates the EU Standard Contractual Clauses (SCCs) for processors (Module 2: Controller to Processor) as approved by Commission Implementing Decision (EU) 2021/914.

Download SCCs: Official EU Text

20. Contact Information

For DPA-related questions:

• Data Protection Officer: dpo@sarportal.com
• Security Team: security@sarportal.com
• General: info@sarportal.com

21. Acceptance

By using SAR Portal, the Controller accepts this DPA as part of the service agreement. This DPA is legally binding and forms part of the Terms of Service.