Data Processing Agreement

This agreement outlines how we process personal data on behalf of our clients in compliance with GDPR and other data protection regulations.

Last updated: December 16, 2024

Agreement Overview

This Data Processing Agreement (DPA) forms part of our Terms of Service and governs the processing of personal data by Phi Azar on behalf of our clients. This agreement ensures compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

Definitions

Data Controller

The client who determines the purposes and means of processing personal data.

Data Processor

Phi Azar, who processes personal data on behalf of the data controller.

Personal Data

Any information relating to an identified or identifiable natural person.

Processing

Any operation performed on personal data, including collection, storage, use, and deletion.

Processing Details

Subject Matter

The processing of personal data in connection with software development, consulting, and technical services provided by Phi Azar.

Duration

For the duration of the service agreement and as necessary to fulfill legal obligations or legitimate business purposes.

Nature and Purpose

  • Software development and testing
  • System integration and data migration
  • Technical support and maintenance
  • Project management and communication
  • Quality assurance and testing

Categories of Data Subjects

  • Client employees and representatives
  • End users of client applications
  • Customer data processed through client systems
  • Third-party service providers

Types of Personal Data

  • Contact information (names, email addresses, phone numbers)
  • Professional information (job titles, company details)
  • Technical data (IP addresses, device information, usage data)
  • Account credentials and authentication data
  • Communication records and project documentation

Data Controller Obligations

As the data controller, you are responsible for:

  • Ensuring you have a lawful basis for processing personal data
  • Obtaining necessary consents from data subjects
  • Providing accurate and up-to-date personal data
  • Informing data subjects about the processing activities
  • Responding to data subject rights requests
  • Ensuring data accuracy and relevance

Data Processor Obligations

Processing Instructions

We will process personal data only in accordance with your documented instructions and this agreement.

Confidentiality

All personnel with access to personal data are bound by confidentiality obligations.

Security Measures

We implement appropriate technical and organizational measures to protect personal data.

Sub-processors

We may engage sub-processors only with your prior consent and under the same data protection obligations.

Security Measures

We implement the following security measures to protect personal data:

  • Encryption of data in transit and at rest
  • Access controls and authentication systems
  • Regular security assessments and updates
  • Secure data storage and backup procedures
  • Employee training on data protection
  • Incident response and breach notification procedures
  • Regular audits and compliance monitoring

Data Subject Rights

We will assist you in responding to data subject rights requests, including:

  • Right to access personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Rights related to automated decision-making

Data Breach Notification

Breach Response

In the event of a personal data breach, we will notify you without undue delay and in any case within 24 hours of becoming aware of the breach. We will provide detailed information about the breach and our response measures.

Data Transfers

Any transfer of personal data outside the European Economic Area will be subject to appropriate safeguards, including:

  • Adequacy decisions by the European Commission
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules
  • Certification schemes and codes of conduct

Audit Rights

You have the right to audit our compliance with this agreement. We will:

  • Provide reasonable cooperation with audit requests
  • Allow access to relevant documentation and systems
  • Provide information about our security measures
  • Facilitate interviews with relevant personnel

Data Retention and Deletion

We will retain personal data only for as long as necessary to fulfill the purposes outlined in this agreement. Upon termination of services or at your request, we will:

  • Return all personal data to you in a structured format
  • Delete all copies of personal data from our systems
  • Provide certification of deletion upon request
  • Ensure sub-processors also delete the data

Liability and Indemnification

Each party will be liable for any damages caused by their breach of data protection laws. We will indemnify you against any claims arising from our breach of this agreement, subject to the limitations in our Terms of Service.

Governing Law

This agreement shall be governed by the laws of the State of California and applicable federal data protection laws. Any disputes shall be resolved in accordance with the dispute resolution procedures in our Terms of Service.

Contact Information

For questions about this Data Processing Agreement or data protection matters, please contact our Data Protection Officer:

Email: dpo@phiazar.com
Phone: +98 (902) 525-1066
Address: Phi Azar, Tehran, Iran