Data Processing Agreement
When we host or operate systems for you, we act as your processor. These Article 28 GDPR terms govern that processing. They form part of the service agreement.
Roles
For personal data we process to deliver a hosted or managed service, the client is the controller and [Legal entity name] (Argus Root) is the processor. Each party complies with its own obligations under the GDPR and applicable data-protection law.
Subject matter, nature and duration
The subject matter is the processing necessary to provide the contracted service. The nature and purpose, the types of personal data, and the categories of data subjects are set out in the Annex to the signed agreement. Processing lasts for the term of the service agreement plus any return or deletion period.
Processing on documented instructions
We process personal data only on the controller's documented instructions, including for transfers, unless required to do otherwise by EU or member-state law — in which case we inform the controller first, unless the law prohibits it. We tell the controller if, in our opinion, an instruction infringes data-protection law.
Confidentiality
Personnel authorised to process personal data are bound by confidentiality obligations and are trained on their responsibilities. Access is limited to those who need it to deliver the service.
Security measures
We implement appropriate technical and organisational measures under Article 32 — including encryption in transit and at rest where appropriate, access control, segregation, hardening, logging, monitoring, backup and tested recovery. The specific measures for your engagement are described in the Annex and reflect the state of the art and the risk to data subjects.
Sub-processing
The controller gives general authorisation for us to engage sub-processors, listed on our Sub-processors page. We impose data-protection obligations on each sub-processor equivalent to those in this DPA, and remain responsible for their performance. We give advance notice of intended additions or replacements so the controller can object on reasonable grounds.
Assisting with data-subject rights
Taking into account the nature of the processing, we assist the controller with appropriate measures to fulfil requests to exercise data-subject rights, and pass on any such request we receive directly without undue delay.
Personal-data breach notification
We notify the controller without undue delay after becoming aware of a personal-data breach affecting the controller's data, and provide the information the controller reasonably needs to meet its own notification obligations. Our security contact is [email protected].
International transfers
We process data within the EU by default. Any transfer outside the EEA is made under an adequacy decision or appropriate safeguards such as the Standard Contractual Clauses, with supplementary measures where required, and only as instructed.
Return and deletion
On termination of the service, at the controller's choice, we delete or return the personal data and delete existing copies, unless EU or member-state law requires storage.
Audits
We make available the information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by the controller or an auditor it mandates, subject to reasonable notice, confidentiality and security constraints.
Contact
Questions about this document: [email protected]. Privacy and data-protection matters: [email protected]. You can also use our contact form.