EU Data Processing Addendum (DPA) for compliance with GDPR and other data protection regulations.
Last updated: January 1, 2025
This Data Processing Addendum ("DPA") governs the data processing operations between the Customer ("Data Controller") and FruitApps ("Data Processor"). By entering into a commercial agreement that references this DPA, Customer agrees to the terms and conditions of this DPA.
Within the scope and for the performance of the services defined in the Commercial Agreement, the Data Processor will process certain Personal Data on behalf of the Data Controller. In addition to what may be provided in the Commercial Agreement, the following shall apply to the Data Processor's processing of Personal Data on behalf of the Data Controller to fulfill the requirements under Applicable Data Protection Legislation.
The Data Processor and any person acting under its authority undertake to only process Personal Data as instructed in writing by the Data Controller. The Data Processor shall only process Personal Data to the extent necessary to fulfill its obligations under this DPA or Applicable Data Protection Laws.
The categories of Personal Data to be processed by default include:
Data subjects by default include users of the SaaS platform and individuals whose Personal Data is included in the data sources from which customers transfer data to FruitApps services.
The Data Controller authorizes the Data Processor to engage Sub-processors. All Sub-processors authorized by the Data Controller are acting under the authority and subject to direct instructions of the Data Controller.
The Data Processor shall notify the Data Controller in writing in advance of any changes, in particular before engaging other Sub-processors. The Data Controller may object with good cause to any such changes within 8 weeks after the Data Processor's notice.
The Data Processor must not transfer or otherwise directly or indirectly disclose Personal Data outside the designated processing locations without the prior written consent of the Data Controller, and shall ensure that the level of protection guaranteed by Applicable Data Protection Laws is not undermined.
The Data Processor guarantees to implement and uphold appropriate technical and organizational measures according to the current state of the art to ensure an appropriate level of security for Personal Data, including:
The Data Processor shall without undue delay notify the Data Controller of any Personal Data Breach after becoming aware of such incidents. The notification shall be in written form and shall at least:
The Data Processor shall allow the Data Controller or an external auditor appointed by the Data Controller to conduct audits, investigations, and inspections on data protection and/or data security to ensure compliance with the obligations under this DPA and Applicable Data Protection Laws.
Upon expiration or termination of this DPA, the Data Processor shall delete or return all Personal Data to the Data Controller, as instructed by the Data Controller, and shall ensure that any Sub-processors do the same unless otherwise required by applicable law.
The Data Processor implements the following technical and organizational measures:
Hosting providers comply with information security standards such as ISO 27018 and ISO 27001, and AICPA SOC 2 standards.
Database security controls restrict access, with access rights granted based on roles and on a need-to-know basis. Password policies are based on established information security standards.
Encrypted transfer based on secure management of encryption keys and minimum requirements for encryption algorithms (e.g., AES-256), with comprehensive logging.
Backup procedures based on Business Impact Analysis, disaster recovery plans, and routine testing of disaster recovery procedures.