Data Processing Agreement (Template)

1. Parties & Roles

This Data Processing Agreement ("DPA") is entered into between [Customer Name] ("Controller") and Oikyo.ai ("Processor") and forms part of the underlying agreement governing use of the Oikyo Service (the "Agreement"). The Controller determines the purposes and means of processing personal data; the Processor processes personal data on behalf of the Controller.

2. Subject Matter & Duration

The subject matter of the processing is the personal data processed by the Oikyo console and related services in connection with authentication, configuration, collaboration, and audit logging. The duration of the processing is the term of the Agreement, unless otherwise required by law.

3. Nature & Purpose of Processing

Processor will process personal data only as necessary to provide the Service as described in the Agreement, including user authentication, access control, configuration management, collaboration features, audit logging, support, and security monitoring.

4. Types of Data & Data Subjects

Categories of personal data may include:

• Identification data (name, email address, organization).
• Authentication data (OAuth identifiers, access logs).
• Usage metadata related to console activity and configuration.

Data subjects may include employees, contractors, and other authorized users of the Controller.

5. Processor Obligations

Processor shall:

• Process personal data only on documented instructions from Controller.
• Ensure personnel authorized to process personal data are bound by confidentiality obligations.
• Implement appropriate technical and organizational measures to protect personal data.
• Assist Controller in responding to data subject requests where feasible.
• Notify Controller without undue delay after becoming aware of a personal data breach.
• Delete or return personal data at the end of the engagement, subject to legal retention requirements.

6. Sub‑Processors

Controller authorizes Processor to engage sub‑processors as reasonably necessary to provide the Service. Processor will impose data protection obligations on sub‑processors that are at least as protective as those in this DPA. A draft list of sub‑processors is maintained at /subprocessors.

7. International Transfers

Where personal data is transferred outside of the jurisdiction of origin, the parties will implement appropriate safeguards (such as Standard Contractual Clauses) as required by applicable data protection law. Legal counsel should adapt this section to the relevant jurisdictions and transfer mechanisms.