Data Processing Agreement (GDPR)
Last Updated: January 1, 2024
Company: CodeBoy
Contact: founder@usestatis.com
1. Introduction
This Data Processing Agreement ("DPA") is entered into between:
Email: founder@usestatis.com
and
[SERVICE PROVIDER ADDRESS]
Email: [SERVICE PROVIDER EMAIL]
This DPA forms part of the agreement between the parties for the provision of services and sets out the terms and conditions for the processing of personal data in accordance with the General Data Protection Regulation (GDPR).
2. Definitions
- "GDPR" means the General Data Protection Regulation (EU) 2016/679
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on Personal Data
- "Data Subject" means the individual to whom Personal Data relates
- "Supervisory Authority" means an independent public authority responsible for monitoring GDPR compliance
3. Subject Matter and Duration
3.1 Subject Matter
The Data Processor shall process Personal Data on behalf of the Data Controller for the purpose of providing social fitness application services, including user authentication, data storage, analytics, and platform functionality for the statis mobile application.
3.2 Duration
This DPA shall remain in effect for the duration of the service agreement between the parties and shall terminate automatically upon the termination of that agreement.
4. Nature and Purpose of Processing
4.1 Nature of Processing
The Data Processor shall process Personal Data for the following purposes:
- User account management and authentication
- Fitness and nutrition data storage and processing
- Social features and community interaction
- Competitive seasons and ranking systems
- Analytics and progress tracking
- Health data integration and processing
- Push notifications and communication
- Customer support and service improvement
- Data backup and disaster recovery
4.2 Categories of Personal Data
The following categories of Personal Data may be processed:
- User account information (username, email, profile data, display name)
- Fitness and health data (workout logs, exercise data, nutrition information, health metrics)
- Social interaction data (posts, comments, likes, follows, community interactions)
- Device and usage information (app usage patterns, device identifiers, IP addresses)
- Communication data (support requests, feedback, in-app messages)
- Payment information (processed securely through third-party processors)
- Apple Health integration data (with explicit user consent)
4.3 Categories of Data Subjects
Personal Data relates to the following categories of Data Subjects:
- statis mobile application users
- Data Controller employees and contractors
- Other individuals whose data is processed through the Service
5. Obligations of the Data Controller
The Data Controller shall:
5.1 Legal Basis
Ensure that the processing of Personal Data has a legal basis under GDPR, including consent, contract performance, legitimate interests, and legal obligations.
5.2 Data Subject Rights
Handle requests from Data Subjects regarding their rights under GDPR, including access, rectification, erasure, portability, and objection to processing.
5.3 Data Quality
Ensure that Personal Data provided to the Data Processor is accurate, up-to-date, and collected lawfully.
5.4 Instructions
Provide clear, documented instructions to the Data Processor regarding the processing of Personal Data.
6. Obligations of the Data Processor
The Data Processor shall:
6.1 Processing Instructions
Process Personal Data only on documented instructions from the Data Controller, including regarding transfers to third countries.
6.2 Confidentiality
Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3 Security Measures
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit and at rest
- Regular testing and evaluation of security measures
- Access controls and authentication procedures
- Incident detection and response procedures
- Regular security assessments and updates
- Data backup and disaster recovery procedures
6.4 Sub-processors
- Obtain prior written consent from the Data Controller before engaging sub-processors
- Ensure sub-processors are bound by data protection obligations at least as protective as those in this DPA
- Remain liable to the Data Controller for the performance of sub-processors' obligations
6.5 Data Subject Rights
Assist the Data Controller in responding to Data Subject requests by:
- Providing technical and organizational measures to enable the Data Controller to respond to requests
- Implementing appropriate procedures for handling Data Subject requests
- Providing necessary information and assistance within reasonable timeframes
6.6 Data Breach Notification
- Notify the Data Controller without undue delay after becoming aware of a Personal Data breach
- Provide the Data Controller with sufficient information to enable it to meet its obligations to report the breach
- Assist the Data Controller in meeting its breach notification obligations
6.7 Data Protection Impact Assessment
Assist the Data Controller in conducting Data Protection Impact Assessments and prior consultations with Supervisory Authorities.
6.8 Deletion or Return
At the choice of the Data Controller, delete or return all Personal Data after the end of services, unless required by law to retain the data.
6.9 Audit Rights
Make available to the Data Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections.
7. Security Measures
The Data Processor shall implement the following security measures:
7.1 Technical Measures
- Encryption of Personal Data in transit and at rest using industry-standard encryption
- Regular security updates and patches for all systems
- Intrusion detection and prevention systems
- Secure development practices and code review procedures
- Regular vulnerability assessments and penetration testing
- Multi-factor authentication for administrative access
7.2 Organizational Measures
- Access controls and authentication procedures
- Employee training on data protection and security
- Incident response procedures and escalation protocols
- Regular security audits and compliance reviews
- Business continuity and disaster recovery plans
- Data classification and handling procedures
8. Sub-processing
8.1 General Authorization
The Data Controller grants the Data Processor general authorization to engage sub-processors, subject to the following conditions.
8.2 Sub-processor Requirements
The Data Processor shall:
- Maintain an up-to-date list of sub-processors
- Notify the Data Controller of any intended changes to sub-processors
- Allow the Data Controller to object to such changes
- Ensure sub-processors are bound by equivalent data protection obligations
8.3 Liability
The Data Processor remains fully liable to the Data Controller for the performance of sub-processors' obligations.
9. Data Transfers
9.1 International Transfers
If Personal Data is transferred outside the European Economic Area (EEA), the Data Processor shall ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions
- Binding corporate rules
- Other appropriate safeguards
9.2 Transfer Documentation
The Data Processor shall maintain documentation of all international transfers and make it available to the Data Controller upon request.
10. Data Breach Management
10.1 Breach Notification
The Data Processor shall notify the Data Controller without undue delay, and in any event within 24 hours, after becoming aware of a Personal Data breach.
10.2 Breach Information
The notification shall include:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects concerned
- Categories and approximate number of Personal Data records concerned
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact details for further information
10.3 Breach Response
The Data Processor shall:
- Take immediate steps to contain and remediate the breach
- Document all actions taken in response to the breach
- Cooperate with the Data Controller in any investigation
- Provide regular updates on the status of the breach response
11. Audit and Inspection Rights
11.1 Audit Rights
The Data Controller shall have the right to:
- Conduct audits of the Data Processor's compliance with this DPA
- Request information and documentation demonstrating compliance
- Inspect the Data Processor's facilities and systems
- Interview Data Processor personnel involved in data processing
11.2 Audit Cooperation
The Data Processor shall:
- Cooperate with audits and inspections
- Provide necessary access to facilities, systems, and personnel
- Provide requested information and documentation
- Implement any recommendations resulting from audits
11.3 Audit Costs
Each party shall bear its own costs for audits, unless the audit reveals material non-compliance by the Data Processor.
12. Liability and Indemnification
12.1 Liability
The Data Processor shall be liable to the Data Controller for any damages caused by its failure to comply with this DPA.
12.2 Indemnification
The Data Processor shall indemnify the Data Controller against any claims, damages, or expenses arising from the Data Processor's breach of this DPA.
13. Termination
13.1 Termination Events
This DPA may be terminated:
- Upon termination of the main service agreement
- If the Data Processor materially breaches its obligations under this DPA
- If required by law or regulation
13.2 Post-Termination Obligations
Upon termination, the Data Processor shall:
- Cease all processing of Personal Data
- Return or delete all Personal Data as directed by the Data Controller
- Provide certification of deletion upon request
- Maintain confidentiality obligations
14. Governing Law and Jurisdiction
This DPA shall be governed by applicable laws and regulations. Any disputes shall be resolved in the appropriate courts.
15. Miscellaneous
15.1 Entire Agreement
This DPA constitutes the entire agreement between the parties regarding data processing.
15.2 Amendments
This DPA may only be amended by written agreement between the parties.
15.3 Severability
If any provision of this DPA is found to be unenforceable, the remaining provisions shall continue in full force and effect.
15.4 Notices
All notices under this DPA shall be in writing and sent to the addresses specified above.
15.5 Contact Information
CodeBoy
Email: founder@usestatis.com
For questions about this DPA or data processing activities, use the contact details above.
This Data Processing Agreement template should be reviewed by a qualified attorney and customized based on your specific business relationships and legal requirements. It is designed to comply with GDPR requirements but may need adjustments for your jurisdiction and specific circumstances.