Data Processing Agreement (DPA)
(PDF version upon request)
Last Updated: September 29th, 2025
Purpose. This DPA forms part of any agreement under which Brandon Johnson (“Processor”) provides services that include processing Personal Data on behalf of Client (“Controller”).
1) Definitions
“Personal Data,” “Processing,” “Controller,” “Processor,” “Data Subject,” “Personal Data Breach,” and “Supervisory Authority” have the meanings in applicable Data Protection Laws (e.g., GDPR/UK GDPR/CPRA).
2) Scope & Instructions
Processor will process Personal Data solely on documented instructions from Controller for the Subject Matter/Nature of services specified in the main agreement, for the Duration of the services. Controller is responsible for the lawfulness of Personal Data and instructions.
Subject Matter/Nature: Marketing technology configuration, analytics implementation, email/SaaS systems administration, data migration, technical support.
Categories of Data: Contact data, online identifiers, usage/analytics data, transaction metadata, and other data provided by Controller.
Data Subjects: Controller’s customers, prospects, website visitors, and personnel.
Duration: Term of services + [30] days for orderly return/deletion.
3) Confidentiality
Processor ensures personnel are bound by confidentiality obligations.
4) Security
Processor implements appropriate technical and organizational measures (TOMs) to protect Personal Data, considering risks, costs, and state of the art (e.g., access controls, least privilege, encryption in transit where feasible, secure credentials, logging).
5) Sub-processors
Controller authorizes Processor to use sub-processors reasonably necessary to deliver the services (e.g., hosting, email providers, task tools). Processor will maintain a list upon request and will ensure sub-processors are bound by written data protection terms no less protective than this DPA. Processor will notify Controller of material changes to sub-processors and give Controller an opportunity to object on reasonable grounds.
6) International Transfers
Where applicable, Processor will use appropriate safeguards (e.g., EU Standard Contractual Clauses/UK IDTA) for transfers and will provide copies upon request (redacting confidential information).
7) Assistance
Taking into account the nature of processing, Processor will assist Controller with:
(a) responding to Data Subject requests;
(b) compliance with security, breach notifications, DPIAs, and consultations with authorities—to the extent applicable and at Controller’s expense if substantial effort is required.
8) Breach Notification
Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller data, providing reasonable information as it becomes available.
9) Return & Deletion
Upon termination/expiry, at Controller’s choice, Processor will delete or return Personal Data, unless retention is required by law. Processor may retain minimal logs/backups for [up to 90 days] for security/legal purposes, after which they will be deleted in the ordinary course.
10) Audits
Upon reasonable prior notice, Processor will make available information necessary to demonstrate compliance and will allow for reasonable audits by Controller or an independent auditor (max once per 12 months, during normal hours, respecting confidentiality; costs borne by Controller).
11) Liability
Each party’s liability under this DPA is subject to the limitations and exclusions in the main agreement.
12) Order of Precedence
If there is a conflict, this DPA prevails over the main agreement to the extent of the conflict relating to data protection.
Signed for and on behalf of Controller:
Name: __________________ Title: __________________ Date: ____________
Signed for and on behalf of Processor (Brandon Johnson):
Name: Brandon Johnson Title: Owner Date: ____________