Data Processing Agreement

Last updated: 8th of December, 2025

Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between you (the "Customer" or "Data Controller") and Watchdog AS (the "Processor") for the provision of contract management services (the "Services").

This DPA reflects the parties' agreement with regard to the processing of Personal Data in accordance with the requirements of applicable Data Protection Laws, including the EU General Data Protection Regulation (GDPR).

Definitions

For the purposes of this DPA:

  • "Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including GDPR
  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data, whether automated or not
  • "Sub-processor" means any third party appointed by Watchdog to process Personal Data

Scope and Roles

Data Processing

Watchdog will process Personal Data only:

  1. On documented instructions from the Customer
  2. To provide the Services as described in the main agreement
  3. As required by applicable law

Data Controller Responsibilities

The Customer is responsible for:

  • Ensuring a lawful basis for processing
  • Obtaining necessary consents from data subjects
  • Responding to data subject requests
  • Ensuring data accuracy and completeness

Data Processing Details

Nature and Purpose of Processing

Processing is necessary to provide contract management services, including:

  • Contract storage and management
  • Alert generation and notifications
  • User access management
  • Analytics and reporting

Categories of Data Subjects

Personal Data processed may relate to:

  • Customer employees and users
  • Contractors and suppliers
  • Business contacts
  • Other individuals mentioned in contracts

Types of Personal Data

Personal Data processed may include:

  • Contact information (name, email, phone number)
  • Employment information (job title, company)
  • Contract-related information
  • Usage data and system logs

Processing Duration

Personal Data will be processed for the duration of the service agreement and retained according to our data retention policy, unless earlier deletion is requested.

Processor Obligations

Security Measures

Watchdog implements appropriate technical and organizational measures to ensure data security, including:

  1. Encryption: Data encrypted in transit (TLS) and at rest (AES-256)
  2. Access Controls: Role-based access control and multi-factor authentication
  3. Network Security: Firewalls, intrusion detection, and regular security monitoring
  4. Backup and Recovery: Regular encrypted backups with tested recovery procedures
  5. Security Audits: Annual third-party security assessments and penetration testing

Confidentiality

All Watchdog personnel with access to Personal Data are subject to confidentiality obligations.

Data Subject Rights

Watchdog will assist the Customer in responding to data subject requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

Data Breach Notification

In the event of a Personal Data breach, Watchdog will:

  1. Notify the Customer without undue delay (within 72 hours of becoming aware)
  2. Provide details of the breach and its likely consequences
  3. Describe measures taken or proposed to address the breach
  4. Cooperate with the Customer in any required regulatory notifications

Sub-processors

Use of Sub-processors

Watchdog may engage sub-processors to assist in providing the Services. Current sub-processors include:

  • Cloud Infrastructure: [e.g., AWS, Google Cloud, Azure]
  • Email Services: [e.g., SendGrid, Mailgun]
  • Analytics: [e.g., monitoring and logging services]

A current list of sub-processors is available at [URL].

Sub-processor Obligations

Watchdog ensures that:

  1. Sub-processors are bound by data protection obligations equivalent to this DPA
  2. Watchdog remains fully liable for sub-processor performance
  3. Customers are notified of any changes to sub-processors with a 30-day opt-out period

International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). Where such transfers occur, Watchdog ensures appropriate safeguards, including:

  • EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission
  • Other legally valid transfer mechanisms

Data Deletion and Return

Upon termination of the Services or upon request, Watchdog will:

  1. Return all Personal Data to the Customer in a commonly used format
  2. Delete all copies of Personal Data from its systems (subject to legal retention requirements)
  3. Provide written certification of deletion upon request

Standard retention after termination: 30 days, unless otherwise agreed.

Audit Rights

The Customer has the right to audit Watchdog's compliance with this DPA, subject to:

  • Reasonable advance notice (minimum 30 days)
  • No more than once per year (unless required by data protection authorities)
  • Execution of appropriate confidentiality agreements
  • Non-interference with business operations

Watchdog will provide:

  • Annual compliance reports
  • Security certifications (SOC 2, ISO 27001)
  • Audit logs and documentation as reasonably requested

Liability and Indemnification

Each party's liability under this DPA is subject to the limitation of liability provisions in the main service agreement.

Watchdog will indemnify the Customer against fines and penalties imposed by data protection authorities to the extent caused by Watchdog's breach of this DPA.

Term and Termination

This DPA remains in effect for as long as Watchdog processes Personal Data on behalf of the Customer. Upon termination of the main agreement, this DPA will remain in effect until all Personal Data has been deleted or returned.

Amendments

This DPA may be amended to reflect changes in Data Protection Laws or the Services. Material changes will be notified to the Customer with 30 days' notice.

Governing Law

This DPA is governed by the same law as the main service agreement.

Contact

For questions regarding this DPA, please contact:

Data Protection Officer
Email: dpo@watchdog.com
Address: Watchdog AS, [Your Address]


Appendix: Technical and Organizational Measures

Access Control

  • Multi-factor authentication required for all users
  • Role-based access control (RBAC)
  • Regular access reviews and revocation of unused accounts
  • Single sign-on (SSO) support

Data Encryption

  • TLS 1.3 for data in transit
  • AES-256 encryption for data at rest
  • Encrypted backups
  • Key management using industry-standard practices

Infrastructure Security

  • Hosted in ISO 27001 certified data centers
  • Network segmentation and firewalls
  • Intrusion detection and prevention systems
  • DDoS protection

Operational Security

  • Security incident response plan
  • Regular security training for all employees
  • Background checks for employees with data access
  • Secure software development lifecycle

Monitoring and Logging

  • Comprehensive audit logging
  • Real-time security monitoring
  • Automated alerting for suspicious activities
  • Log retention for 12 months

Business Continuity

  • Regular backups (daily incremental, weekly full)
  • Disaster recovery plan tested annually
  • High availability architecture
  • 99.9% uptime SLA