This Data Processing Agreement ("DPA") forms part of the agreement between the Customer ("Controller") and Arbitrail Pte. Ltd. ("Arbitrail", "Processor") under which Arbitrail provides services that involve the processing of personal data on behalf of the Controller. This DPA reflects the parties' commitment to compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the Singapore Personal Data Protection Act (PDPA), the California Consumer Privacy Act (CCPA), and other applicable regimes.
"Personal Data," "Processing," "Data Subject," "Controller," and "Processor" have the meanings given in applicable data protection law. "Sub-processor" means any third party engaged by Arbitrail to process personal data on behalf of the Controller.
[Customize: Subject matter is the processing of personal data necessary for Arbitrail to provide the agreed services. Duration is the term of the underlying services agreement, plus any post-termination retention required by law.]
Arbitrail will process personal data only as necessary to deliver the contracted services and only on documented instructions from the Controller. Processing activities may include, depending on the service line engaged: collection, storage, retrieval, consultation, transmission, and deletion of personal data relating to Controller's customers, employees, contractors, or end users.
[Customize per engagement. Data subjects may include the Controller's customers, employees, suppliers, prospects, or website visitors. Personal data categories may include identifiers (name, email, phone), professional data, transaction data, support communications, and audio recordings of customer interactions where applicable.]
The Controller authorizes Arbitrail to engage sub-processors to support service delivery. Arbitrail will maintain a current list of approved sub-processors and provide it to the Controller on request. Arbitrail will impose data protection obligations on each sub-processor that are no less protective than those in this DPA.
[Customize: list current sub-processors. Common categories include cloud infrastructure (AWS / GCP / Azure), telephony, ticketing, CRM, and payroll providers.]
Arbitrail will implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. These measures include, where applicable: encryption of data in transit and at rest, access controls and authentication, employee training, secure software development practices, vulnerability management, incident response procedures, and physical security at delivery sites.
Arbitrail will, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling Controller's obligations to respond to requests from data subjects exercising their rights under applicable data protection laws (including rights to access, rectification, erasure, restriction, portability, and objection).
Arbitrail will notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal data breach affecting Controller's data. The notification will include, to the extent known, the nature of the breach, categories and approximate number of affected data subjects and records, likely consequences, and measures taken or proposed to address it.
Where Arbitrail transfers personal data from the European Economic Area, the United Kingdom, or Switzerland to a third country, the transfer will be made pursuant to the European Commission's Standard Contractual Clauses (SCCs) or another approved transfer mechanism. [Customize for actual transfer flows: which countries, which mechanisms.]
Arbitrail will make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to reasonable confidentiality and frequency limitations.
Upon termination of services, Arbitrail will, at the Controller's choice, delete or return all personal data processed under this DPA, and delete existing copies, unless applicable law requires storage of the personal data.
[Customize: align with the liability cap and exclusions in the underlying services agreement.]
This DPA is governed by the laws of the Republic of Singapore, consistent with the underlying services agreement and the Terms of Service published on the Arbitrail website. Any disputes arising under this DPA shall be resolved in accordance with the dispute-resolution provisions of that underlying agreement.
To request a signed DPA, or if you have any questions, please contact info@arbitrail.com.