This Data Processing Agreement (“Agreement”) governs the processing of personal data by Amos IT Ltd (“Processor”) on behalf of its customers (“Controller”). This Agreement forms part of any principal agreement between Amos IT Ltd and the Controller relating to the provision of services.

Effective Date

[Insert Effective Date]

Definitions

1. Agreement: This Data Processing Agreement and its Schedules.
2. Company Personal Data: Personal data processed by the Processor on behalf of the Controller.
3. Contracted Processor: Any subprocessor appointed by the Processor.
4. Data Protection Laws: The EU General Data Protection Regulation (GDPR) 2016/679 and any applicable EU or national data protection laws.
5. GDPR: The General Data Protection Regulation 2016/679.
6. Personal Data / Special Categories of Data: As defined under GDPR.
7. Data Subject: Any individual whose personal data is processed under this Agreement.
8. Personal Data Breach: As defined under GDPR.
9. Processing: As defined under GDPR.
10. Subprocessor: A third party engaged by the Processor to process personal data.

Processing of Personal Data

The Processor shall process personal data strictly in accordance with the Controller’s documented instructions, solely for the purpose of delivering agreed services.

Processor Personnel

The Processor ensures that all personnel processing personal data are appropriately trained, subject to confidentiality obligations, and have access limited to what is strictly necessary.

Security Measures

The Processor implements appropriate technical and organizational measures to ensure the security of personal data, including encryption, multi-factor authentication, secure transfer protocols, controlled access, and secure deletion.

Subprocessing

The Processor uses the following subprocessors:

The Controller consents to these subprocessors. No additional subprocessors will be engaged without prior written notice and opportunity to object.

Data Subject Rights

The Processor shall assist the Controller in responding to data subject rights requests under Data Protection Laws.

Personal Data Breach Notification

The Processor shall notify the Controller without undue delay, and no later than 24 hours, after becoming aware of a personal data breach.

Data Protection Impact Assessment (DPIA)

The Processor shall assist the Controller in carrying out data protection impact assessments and consultations with supervisory authorities where required.

Audit Rights

The Controller has the right to audit the Processor’s compliance with this Agreement on 30 days’ written notice.

Data Transfers

The Processor shall not transfer personal data outside the EU/EEA without the Controller’s written consent, and shall rely on EU-approved Standard Contractual Clauses for any such transfers.

Deletion or Return of Personal Data

Upon termination of services, the Processor shall securely delete or return all personal data within 10 business days and confirm compliance in writing.

Indemnity

The Processor shall indemnify the Controller for any breaches of this Agreement.

Dispute Resolution

Disputes shall be resolved through good-faith negotiations, followed by mediation, prior to litigation.

Governing Law and Jurisdiction

This Agreement is governed by the laws of Ireland, and disputes shall be subject to the exclusive jurisdiction of Irish courts.

Contact

All notices shall be in writing and sent to the addresses provided in the main service agreement or as updated in writing by the parties.