Data Processing Agreement (DPA)

Effective Date: April 05, 2025

This Data Processing Agreement ("Agreement") is made between:

TeeMerch (the "Data Controller")

and

[Insert Name of Data Processor] (the "Processor")

1. Purpose

This Agreement governs the processing of personal data by the Processor on behalf of the Controller in accordance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and any other applicable data protection laws. The Processor agrees to process personal data solely for the purposes defined by the Controller.

2. Definitions

- "Personal Data": Any information relating to an identified or identifiable natural person.
- "Processing": Any operation performed on personal data, including collection, use, disclosure, or deletion.
- "Data Controller": The entity determining the purposes and means of data processing.
- "Data Processor": The entity processing data on behalf of the Controller.
- "Sub-Processor": A third party engaged by the Processor to process personal data.

3. Roles and Responsibilities

The Controller is responsible for the lawfulness of the data processing instructions. The Processor shall:
- Only process personal data on documented instructions from the Controller.
- Not use personal data for its own purposes.
- Ensure that persons authorized to process the data are bound by confidentiality.

4. Types of Personal Data Processed

The Processor may process the following types of personal data:
- Contact information (e.g., name, address, phone number, email)
- Transactional data (e.g., orders, payment history)
- Technical data (e.g., IP address, browser type)
- Behavioral data (e.g., website usage, interaction with emails)

5. Categories of Data Subjects

The personal data processed concerns the following categories of data subjects:
- Customers and potential customers
- Website users and visitors
- Newsletter subscribers

6. Purpose of Processing

The Processor shall only process personal data for the following purposes:
- Order fulfillment and customer support
- Payment processing
- Marketing communications (when permitted)
- Hosting, maintenance, and infrastructure support

7. Data Subject Rights

The Processor shall assist the Controller in fulfilling obligations related to data subject rights including:
- Right of access, rectification, and erasure
- Right to restriction and objection
- Right to data portability
- Right not to be subject to automated decision-making

8. Sub-Processing

The Processor shall not engage any Sub-Processor without prior written authorization from the Controller. The Processor shall ensure any Sub-Processor is contractually bound to equivalent data protection obligations.

9. Technical and Organizational Measures

The Processor shall implement appropriate safeguards including:
- Encryption of data in transit and at rest
- Multi-factor authentication and access controls
- Regular vulnerability scans and risk assessments
- Secure data backups and incident response protocols

10. Personal Data Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller without undue delay and include:
- The nature of the breach
- Categories and number of data subjects affected
- Probable consequences and remedial actions taken

11. International Data Transfers

Where personal data is transferred outside the EEA or UK, the Processor shall ensure adequate protection using:
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules (BCRs)
- Approved certification mechanisms

12. Data Retention and Return

Upon request or contract termination, the Processor shall:
- Return all personal data to the Controller, or
- Delete all personal data, unless retention is legally required

The Processor shall confirm deletion in writing upon request.

13. Confidentiality

The Processor shall ensure confidentiality of personal data by all persons authorized to process the data, and maintain these obligations after the termination of this Agreement.

14. Audits and Inspections

The Controller may audit the Processor’s compliance with this Agreement with at least 10 business days' notice. The Processor shall provide reasonable access and documentation. Audits shall not unreasonably interfere with normal operations.

15. Liability and Indemnity

The Processor shall be liable for damages caused by its own data processing breaches. Each party agrees to indemnify the other for losses resulting from its violation of applicable data protection laws.

16. Term and Termination

This Agreement is effective as of the date stated above and shall continue as long as the Processor processes personal data on behalf of the Controller. Either party may terminate this Agreement with written notice.

17. Governing Law and Jurisdiction

This Agreement shall be governed by and interpreted in accordance with the laws of Texas, United States. Any disputes shall be resolved exclusively in the courts of Travis County, Texas.

18. Entire Agreement

This Agreement constitutes the entire agreement between the parties concerning the processing of personal data and supersedes any prior agreements or understandings.

19. Signatures

IN WITNESS WHEREOF, the parties have executed this Data Processing Agreement as of the Effective Date:

For the Controller (TeeMerch):
Name: _________________________
Title: __________________________
Signature: _____________________
Date: _________________________

For the Processor ([Insert Processor]):
Name: _________________________
Title: __________________________
Signature: _____________________
Date: _________________________