Updated June 2026
This Data Processing Agreement (“DPA”) is entered into by and between the customer identified in the Agreement (“Customer”) and phData, Inc. (“phData”). This DPA supplements and forms part of the agreement, statement of work, or other written agreement governing the services provided by phData to Customer (the “Agreement”).
This DPA applies only to the extent phData Processes Customer Personal Data on behalf of Customer in connection with the Services.
For purposes of this DPA:
“Applicable Data Protection Law” means all laws and regulations applicable to the Processing of Customer Personal Data under the Agreement, including, as applicable, the GDPR, UK GDPR, Swiss data protection laws, U.S. state privacy laws, the California Consumer Privacy Act, as amended, Canada’s applicable privacy laws, and India’s Digital Personal Data Protection Act, 2023 and its implementing rules.
“Business Purpose” means the limited and specified purposes for which phData is authorized to Process Customer Personal Data under the Agreement and this DPA.
“Controller” and “Processor” have the meanings given under Applicable Data Protection Law. Where applicable, “Controller” includes “Business” and “Processor” includes “Service Provider” and “Contractor.” Where applicable under India’s Digital Personal Data Protection Act, “Controller” includes “Data Fiduciary” and “Processor” includes “Data Processor.”
“Customer Personal Data” means personal data, personal information, or other similar term under Applicable Data Protection Law that phData Processes on behalf of Customer in connection with the Services.
“Data Subject” means an identified or identifiable natural person to whom Customer Personal Data relates and includes any analogous term under Applicable Data Protection Law, including “consumer” and “data principal,” as applicable.
“GDPR” means Regulation (EU) 2016/679.
“Restricted Transfer” means any transfer of Customer Personal Data for which the Standard Contractual Clauses, the UK Addendum, Swiss transfer provisions, or another cross-border transfer mechanism is required under Applicable Data Protection Law.
“Process” or “Processing” means any operation performed on Customer Personal Data, whether or not by automated means, including access, collection, receipt, storage, organization, use, disclosure, transmission, analysis, deletion, or destruction.
“Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Customer Personal Data Processed by phData in connection with the Services.
“Sensitive Personal Data” means any category of Customer Personal Data that is subject to heightened requirements under Applicable Data Protection Law, including special categories of personal data, sensitive personal information, precise geolocation, financial account credentials, government identification numbers, health data, biometric data, children’s data, and any analogous category under Applicable Data Protection Law.
“Services” means the services provided by phData under the Agreement.
“Standard Contractual Clauses” or “SCCs” means the European Commission Implementing Decision (EU) 2021/914 standard contractual clauses, as updated, replaced, or superseded from time to time.
“Subprocessor” means any third party engaged by phData to Process Customer Personal Data on behalf of Customer in connection with the Services.
“Swiss Addendum” means the modifications to the SCCs required for transfers governed by Swiss data protection law.
“UK Addendum” means the United Kingdom International Data Transfer Addendum to the EU Standard Contractual Clauses, as updated, replaced, or superseded from time to time.
“UK GDPR” means the GDPR as incorporated into the laws of the United Kingdom.
Customer acts as Controller or Processor, as applicable, with respect to Customer Personal Data. phData acts as Processor or Subprocessor, and where applicable as Service Provider or Contractor, with respect to Customer Personal Data Processed under this DPA.
Customer appoints phData to Process Customer Personal Data solely for the purpose of providing the Services in accordance with the Agreement, this DPA, and Customer’s documented instructions.
The subject matter, duration, nature, and purpose of the Processing, and the categories of Data Subjects and Customer Personal Data, are described in Annex I.
This DPA does not apply to the extent phData Processes personal data as an independent Controller for its own ordinary business operations, including billing, contract administration, legal compliance, fraud prevention, and information security administration.
Customer represents and warrants that: (a) it has all rights and authority necessary to provide Customer Personal Data to phData for Processing under the Agreement; (b) it will comply with Applicable Data Protection Law in connection with its use of the Services and its instructions to phData; (c) it has provided all notices and obtained all consents or established all other lawful bases required under Applicable Data Protection Law; and (d) it will identify to phData any Processing requirements applicable to Sensitive Personal Data to the extent such requirements differ from phData’s standard service delivery assumptions.
Customer is solely responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data.
Customer will not instruct phData to Process Customer Personal Data in a manner that would violate Applicable Data Protection Law.
phData will Process Customer Personal Data only: (a) to provide the Services; (b) in accordance with the Agreement, this DPA, and Customer’s documented instructions; or (c) as otherwise required by applicable law, in which case phData will notify Customer before such Processing unless legally prohibited from doing so.
phData will promptly notify Customer if, in phData’s opinion, an instruction infringes Applicable Data Protection Law.
phData will not: (a) sell or share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than the Business Purpose and the limited and specified purposes set out in the Agreement and this DPA, except as permitted by Applicable Data Protection Law; (c) Process Customer Personal Data outside the direct business relationship with Customer except as permitted by Applicable Data Protection Law; or (d) combine Customer Personal Data with personal data received from another source except as permitted by Applicable Data Protection Law.
Unless expressly authorized in a separate written agreement, phData will not use Customer Personal Data in identifiable form to train, retrain, improve, or benchmark any generally available artificial intelligence or machine learning model.
Taking into account the nature of the Processing, phData will provide reasonable assistance to Customer with: (a) responding to Data Subject requests; (b) data protection impact assessments and transfer impact assessments, where required; (c) consultations with regulators, where required; and (d) compliance with Customer’s obligations under Applicable Data Protection Law, in each case to the extent Customer cannot reasonably fulfill such obligations without phData’s assistance and subject to reimbursement of phData’s reasonable costs for materially burdensome assistance unless otherwise stated in the Agreement.
phData will ensure that persons authorized to Process Customer Personal Data: (a) are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality; (b) receive appropriate privacy and security training; and (c) access Customer Personal Data only on a need-to-know basis.
phData will maintain reasonable personnel security measures, including background screening where appropriate and permitted by law.
phData will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
Those measures will take into account the nature of the Processing, the state of the art, the costs of implementation, and the risks presented by the Processing.
phData’s current technical and organizational measures are described in Annex II. phData may update such measures from time to time, provided that the updated measures do not materially diminish the overall security of the Services.
phData will maintain an incident response program appropriate to the Services.
If phData becomes aware of a confirmed Security Incident, phData will notify Customer without undue delay and, in any event, no later than seventy-two (72) hours after becoming aware of the confirmed Security Incident, unless a shorter period is required by Applicable Data Protection Law.
phData’s notification will include the then-known details reasonably necessary for Customer to understand the nature of the Security Incident and phData may provide additional information in phases as it becomes available.
phData will take reasonable steps to investigate, contain, mitigate, and remediate the Security Incident.
phData will not make any public statement specifically identifying Customer in connection with a Security Incident without Customer’s prior written consent, unless required by law.
If phData receives a request from a Data Subject relating to Customer Personal Data, phData will promptly notify Customer and will not respond directly except: (a) on Customer’s documented instructions; or (b) if required by law.
If phData becomes legally compelled by a court or government authority to disclose Customer Personal Data, phData will, to the extent legally permitted: (a) notify Customer promptly; and (b) reasonably cooperate with Customer’s efforts to challenge or limit the disclosure.
Customer authorizes phData to use the Subprocessors listed in Annex III.
phData may engage new Subprocessors or replace existing Subprocessors by providing at least thirty (30) days’ prior written notice to Customer.
Customer may object to a new Subprocessor on reasonable grounds relating to data protection by giving written notice during the notice period.
If Customer objects, the parties will work in good faith to address the objection through commercially reasonable alternatives. If the parties cannot resolve the objection, Customer may terminate only the affected Services upon written notice.
phData will impose data protection obligations on each Subprocessor that are no less protective than those set out in this DPA, to the extent applicable to the services performed by that Subprocessor.
phData remains responsible for the acts and omissions of its Subprocessors to the same extent phData would be responsible if performing the relevant services directly.
phData will not transfer Customer Personal Data in a manner that constitutes a Restricted Transfer except in accordance with Applicable Data Protection Law and this Section 10.
If a Restricted Transfer requires the SCCs and no alternative lawful transfer mechanism is available, the SCCs are incorporated by reference into this DPA and will apply as follows: (a) Module One applies where Customer is a Controller and phData is a Controller, but only to the extent such relationship exists for the relevant transfer; (b) Module Two applies where Customer is a Controller and phData is a Processor; (c) Module Three applies where Customer is a Processor and phData is a Subprocessor; and (d) Module Four applies where Customer is a Processor and phData is a Controller, but only to the extent such relationship exists for the relevant transfer.
For the SCCs: (a) Clause 7 (Docking Clause) applies; (b) in Clause 9(a), Option 2 applies and the time period for prior notice of Subprocessor changes is thirty (30) days; (c) Clause 11(a) will not apply unless required by Applicable Data Protection Law; (d) where the SCCs require selection of an EU Member State for governing law and none is otherwise specified in the Agreement, the governing law will be the law of Ireland; and (e) where the SCCs require selection of courts, and none is otherwise specified in the Agreement, the courts of Ireland will have jurisdiction.
Annex I, Annex II, Annex III, and Annex IV to this DPA will serve, as applicable, as the corresponding annexes, appendices, and tables to the SCCs and the UK Addendum.
For transfers governed by the UK GDPR, the UK Addendum is incorporated by reference into this DPA and applies to the SCCs as required for the relevant Restricted Transfer.
For transfers governed by Swiss data protection law, the SCCs apply with the modifications necessary to comply with Swiss law, including that: (a) references to the GDPR will be interpreted to include Swiss data protection law where required; (b) references to Member State law will be interpreted to refer to Swiss law where required; and (c) the competent supervisory authority and forum will be interpreted as required under Swiss law.
If phData self-certifies to a recognized cross-border transfer framework that is valid for the relevant transfer, including the EU-U.S. Data Privacy Framework, the UK Extension, or the Swiss-U.S. Data Privacy Framework, the parties may rely on that framework to the extent permitted by Applicable Data Protection Law.
In the event of a conflict between this DPA and the SCCs, UK Addendum, Swiss Addendum, or another mandatory transfer mechanism, the applicable transfer mechanism will prevail to the extent of the conflict.
To the extent U.S. state privacy laws apply to Customer Personal Data Processed by phData under the Agreement, Customer discloses Customer Personal Data to phData only for the limited and specified purposes described in the Agreement and this DPA.
phData will act as a Service Provider, Contractor, or Processor, as applicable, and will comply with the restrictions applicable to such role under Applicable Data Protection Law.
phData will not: (a) sell or share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than the Business Purpose and the limited and specified purposes described in the Agreement and this DPA, except as permitted by Applicable Data Protection Law; (c) retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer except as permitted by Applicable Data Protection Law; or (d) combine Customer Personal Data with personal data received from another source except as permitted by Applicable Data Protection Law.
phData certifies that it understands the restrictions in this DPA and will comply with them.
phData will provide the same level of privacy protection for Customer Personal Data as is required by Applicable Data Protection Law.
phData will notify Customer if phData determines that it can no longer meet its obligations under this Section.
Customer may take reasonable and appropriate steps to help ensure that phData uses Customer Personal Data in a manner consistent with Customer’s obligations under Applicable Data Protection Law.
To the extent India’s Digital Personal Data Protection Act, 2023 and its implementing rules apply to Customer Personal Data Processed by phData under the Agreement: (a) Customer will remain responsible, except to the extent otherwise expressly agreed in writing, for providing any notices and obtaining any consents or establishing any other valid grounds required for Customer’s collection and disclosure of Customer Personal Data to phData; (b) phData will Process Customer Personal Data only on Customer’s documented instructions and for the purposes set out in the Agreement and this DPA; (c) phData will provide reasonable assistance to Customer in responding to applicable data principal requests, grievance handling requirements, breach notification obligations, and cross-border transfer requirements, taking into account the nature of the Processing and the information available to phData; (d) if Customer authorizes phData to Process children’s data or other data subject to heightened obligations under applicable Indian law, the parties will document any additional requirements applicable to such Processing in the relevant statement of work or other written amendment; and (e) phData will notify Customer if phData determines that it can no longer meet its obligations under this Section.
Nothing in this Section requires phData to assume Customer’s independent compliance obligations as the party determining the purposes and means of Processing, except to the extent expressly agreed in writing.
Upon reasonable written request and no more than once annually, except following a Security Incident or where otherwise required by Applicable Data Protection Law, phData will provide information reasonably necessary to demonstrate compliance with this DPA. Such information may include: (a) completed security questionnaires; (b) current third-party audit reports or certifications; and (c) executive summaries of relevant assessments or remediation status.
phData may satisfy Customer’s audit rights by providing current third-party audit reports and certifications commonly maintained by phData, including SOC 2 Type II, ISO/IEC 27001, ISO/IEC 27701, or equivalent materials, if available.
Only if the information provided is reasonably insufficient to demonstrate compliance, or following a Security Incident materially affecting Customer Personal Data, Customer may request an additional audit of relevant records, systems, and controls.
Any additional audit shall: (a) occur during normal business hours on reasonable prior written notice; (b) be limited to information relevant to the Services and Customer Personal Data; (c) be conducted in a manner designed to minimize disruption; (d) not include access to source code, model weights, other customers’ data, or production systems except to the extent required by law; and (e) be subject to reasonable confidentiality obligations.
Customer will bear the costs of any audit under this Section unless the audit reveals material noncompliance by phData with this DPA, in which case phData will bear its own reasonable internal costs associated with the audit.
Upon termination or expiration of the Agreement, and upon Customer’s written request, phData will return or delete Customer Personal Data in its possession or control, unless retention is required by law.
phData may retain Customer Personal Data contained in archived backups for a limited period in accordance with its backup, disaster recovery, legal, or compliance retention practices, provided that such retained data remains protected in accordance with this DPA and is not otherwise actively Processed except as required by law.
Upon Customer’s written request, phData will certify deletion of Customer Personal Data to the extent deletion is required under this Section.
This DPA is subject to the limitations of liability, exclusions, and other allocation-of-risk provisions set out in the Agreement.
Nothing in this DPA expands the categories of damages recoverable, remedies available, or liability assumed by either party except to the extent expressly stated in the Agreement or required by Applicable Data Protection Law.
In the event of a conflict between this DPA and the Agreement, this DPA will prevail solely with respect to the parties’ data protection obligations.
In the event of a conflict between this DPA and the SCCs, UK Addendum, Swiss Addendum, or another mandatory transfer mechanism, the applicable transfer mechanism will prevail to the extent required by Applicable Data Protection Law.
This DPA will remain in effect for so long as phData Processes Customer Personal Data under the Agreement.
Either party may terminate the affected Services or this DPA for material breach of this DPA that remains uncured for thirty (30) days after written notice, unless a shorter period is required by Applicable Data Protection Law.
Termination of the entire Agreement will be permitted only if the breach cannot reasonably be isolated to specific Services or Processing activities.
Any amendment to this DPA must be in writing and signed by both parties, except that annexes may be updated by phData as expressly permitted under this DPA.
If any provision of this DPA is held invalid or unenforceable, the remainder will remain in effect.
No third-party beneficiary rights are created under this DPA except to the extent required by Applicable Data Protection Law or the SCCs.
Notices under this DPA will be given in accordance with the notice provisions of the Agreement, except that notices relating specifically to privacy, security incidents, or Subprocessors may also be sent to the operational contacts designated by the parties.
Annex I
Parties
Data exporter: Customer, acting as Controller or Processor, as applicable.
Data importer: phData, acting as Processor, Subprocessor, Service Provider, or Contractor, as applicable.
Subject matter of Processing
Provision of technology consulting, implementation, managed services, AI-related services, SaaS-related services, and related professional services under the Agreement.
Duration of Processing
For the term of the Agreement and any limited retention period permitted under the Agreement, this DPA, phData’s backup and retention practices, or applicable law.
Nature and purpose of Processing
Accessing, using, transmitting, analyzing, organizing, storing where necessary, returning, and deleting Customer Personal Data solely as necessary to provide the Services and related security, support, hosting, collaboration, communication, and infrastructure functions.
Categories of Data Subjects
Customer personnel, Customer end users, Customer customers, Customer vendors, and other individuals whose personal data is included in the data made available by Customer in connection with the Services.
Categories of Customer Personal Data
Business contact information, account and user information, professional information, transactional information, system and usage information, and any other categories of personal data that Customer chooses to make available to phData in connection with the Services, as further described in the applicable statement of work or order.
Sensitive Personal Data
Only to the extent expressly authorized in the applicable statement of work and permitted under Applicable Data Protection Law. Customer is responsible for identifying any Sensitive Personal Data subject to heightened requirements unless otherwise expressly agreed in writing.
Frequency of transfer
Continuous or on an as-needed basis during the term of the Services.
Processing operations
Collection, access, review, storage where necessary, organization, hosting where applicable, support, troubleshooting, transfer, deletion, and other processing activities reasonably necessary to perform the Services.
Competent supervisory authority
The competent supervisory authority will be determined in accordance with the SCCs, UK Addendum, Swiss Addendum, or other applicable transfer mechanism.
Annex II
phData implements and maintains appropriate technical and organizational measures to protect Customer Personal Data against unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Customer Personal Data Processed in connection with the Services.
These measures include, as appropriate:
access controls designed to limit access to authorized personnel on a need-to-know basis;
confidentiality obligations for personnel with access to Customer Personal Data;
reasonable physical, administrative, and technical safeguards;
encryption technologies for data transmission where Customer Personal Data is transmitted by phData;
incident response procedures aligned to recognized industry standards;
periodic independent audits and assessments based on recognized industry standards;
Subprocessors subject to written contractual privacy and security obligations; and
secure return or disposal procedures for Customer Personal Data, subject to legal retention and backup constraints.
phData’s information security program is aligned to recognized standards, including ISO/IEC 27001, ISO/IEC 27701, and SOC 2 Type II, to the extent maintained by phData.
Unless otherwise expressly described in the applicable statement of work or service description, phData’s services are generally performed against Customer-controlled systems and environments, and Customer Personal Data is not intended to be hosted in phData systems except to the extent necessary for limited support, security, collaboration, communication, infrastructure, backup, or other agreed service functions.
Annex III
| Subprocessor | General Location | Description |
|---|---|---|
| Amazon Web Services, Inc. | Worldwide | Infrastructure-as-a-Service |
| Atlassian Corporation Plc | Worldwide | Software-as-a-Service |
| Okta, Inc. | Worldwide | Identity and access management |
| Salesforce, Inc. | Worldwide | Software-as-a-Service |
| Google Drive | Worldwide | File storage and collaboration |
| Google Workspace | Worldwide | Productivity and collaboration |
| Slack Technologies, LLC | Worldwide | Business communications |
| Zoom Video Communications, Inc. | Worldwide | Video conferencing and communications |
| Microsoft Azure | Worldwide | Cloud infrastructure and related services |
Annex IV
SCC module selection
The module or modules identified in Section 10.2 apply based on the role of the parties for the relevant Restricted Transfer.
SCC optional clauses
Clause 7 applies.
Clause 9(a), Option 2 applies, with thirty (30) days’ prior notice for Subprocessor changes.
Clause 11(a) does not apply unless required by Applicable Data Protection Law.
SCC governing law and forum
If required and not otherwise specified in the Agreement, the law of Ireland and the courts of Ireland will apply for purposes of Clauses 17 and 18 of the SCCs.
UK Addendum
The parties agree that the UK Addendum is incorporated into this DPA for Restricted Transfers governed by the UK GDPR, and the information in Annex I through Annex III of this DPA populates the corresponding tables and appendices of the UK Addendum to the extent applicable.
Swiss transfers
For Restricted Transfers governed by Swiss data protection law, the SCCs apply with the modifications required by Swiss law.