Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the SaaS Agreement between You (the "Controller") and instaSpace (the "Processor") and governs the processing of personal data by the Processor on behalf of the Controller.

This DPA applies to all personal data processed by instaSpace in the course of providing the Service, as described in the SaaS Agreement.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by instaSpace on behalf of the Controller in the course of providing the Service.

"Processing" means any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.

"Sub-processor" means any third party engaged by instaSpace to process personal data on behalf of the Controller.

"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

instaSpace will process personal data only in accordance with the Controller's documented instructions and for the purpose of providing the Service. The categories of personal data processed may include names, email addresses, contract content, and usage data.

Processing activities include storing, analyzing, and managing contract documents and related metadata as part of the Service.

instaSpace shall process personal data only on documented instructions from the Controller, unless required to do so by applicable law.

instaSpace shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

instaSpace shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data at rest and in transit, access controls, and regular security assessments.

instaSpace shall not engage another processor (sub-processor) without prior written authorization of the Controller. Where sub-processors are engaged, instaSpace shall impose equivalent data protection obligations.

The Controller has the right to audit instaSpace's compliance with this DPA, subject to reasonable notice and confidentiality obligations.

instaSpace shall assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection law, including rights of access, rectification, erasure, and data portability.

instaSpace shall assist the Controller in ensuring compliance with obligations related to security of processing, data breach notification, and data protection impact assessments.

instaSpace shall notify the Controller without undue delay after becoming aware of a personal data breach. The notification shall include the nature of the breach, categories of data affected, approximate number of data subjects concerned, and measures taken or proposed to address the breach.

instaSpace shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each data breach.

instaSpace shall not transfer personal data to a country outside the Controller's jurisdiction unless appropriate safeguards are in place, such as standard contractual clauses or other legally recognized transfer mechanisms.

Where transfers occur, instaSpace shall ensure that the level of protection afforded to personal data is not undermined.

Upon termination of the Service or upon the Controller's request, instaSpace shall delete or return all personal data to the Controller, and delete existing copies unless applicable law requires retention.

instaSpace shall certify deletion of personal data upon the Controller's request.

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the SaaS Agreement.

Nothing in this DPA limits either party's liability for breaches of applicable data protection law to the extent such limitation is not permitted.

This DPA shall remain in effect for the duration of the SaaS Agreement and shall automatically terminate upon termination of the SaaS Agreement, subject to any surviving obligations regarding data deletion and return.