Data Processing Agreement
GDPR compliance and data protection standards for our services.
GDPR Compliance: This Data Processing Agreement (DPA) outlines how Country Devs LLP processes personal data on behalf of our clients in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Definitions
For the purposes of this DPA, the following definitions apply:
- "Controller": The client who determines the purposes and means of processing personal data
- "Processor": Country Devs LLP, who processes personal data on behalf of the Controller
- "Personal Data": Any information relating to an identified or identifiable natural person
- "Processing": Any operation performed on personal data, including collection, storage, use, and deletion
- "Data Subject": The individual to whom the personal data relates
- "Sub-processor": Third party engaged by Country Devs LLP to process personal data
2. Scope and Application
2.1 When This DPA Applies
This DPA applies to all processing of personal data by CountryDevs on behalf of clients, including:
- Development of applications that handle personal data
- Website analytics and user tracking implementations
- Database design and management services
- Cloud hosting and maintenance services
- Technical support involving access to personal data
2.2 Relationship to Main Agreement
This DPA supplements and forms part of the main service agreement between Country Devs LLP and the client. In case of conflict, this DPA takes precedence regarding data protection matters.
3. Roles and Responsibilities
3.1 Controller Responsibilities (Client)
As the Controller, the client is responsible for:
- Determining the legal basis for processing personal data
- Ensuring compliance with applicable data protection laws
- Providing clear processing instructions to Country Devs LLP
- Obtaining necessary consents from data subjects
- Implementing appropriate privacy notices
- Conducting Data Protection Impact Assessments when required
- Responding to data subject requests and regulatory inquiries
3.2 Processor Responsibilities (Country Devs LLP)
As the Processor, Country Devs LLP will:
- Process personal data only on documented instructions from the Controller
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to data subject requests
- Notify the Controller of any personal data breaches
- Maintain records of processing activities
- Delete or return personal data upon termination of services
- Ensure any sub-processors are bound by equivalent data protection obligations
4. Processing Instructions
4.1 Lawful Processing
Country Devs LLP will process personal data only:
- On documented instructions from the Controller
- For the specific purposes outlined in the service agreement
- In accordance with applicable data protection laws
- Subject to the technical and organizational measures specified
4.2 Processing Details
| Processing Aspect | Details |
|---|---|
| Subject Matter | Provision of design and development services as specified in the main agreement |
| Duration | For the term of the service agreement and any applicable retention period |
| Nature and Purpose | Web/app development, hosting, maintenance, analytics, and support services |
| Categories of Data | As specified by the Controller (may include contact details, usage data, etc.) |
| Data Subjects | End users, customers, employees, or other individuals as determined by Controller |
5. Security Measures
5.1 Technical Measures
CountryDevs implements the following technical security measures:
- Encryption: Data encryption in transit (TLS/SSL) and at rest (AES-256)
- Access Controls: Role-based access controls and multi-factor authentication
- Network Security: Firewalls, intrusion detection, and secure network protocols
- Data Backup: Regular automated backups with secure storage
- Monitoring: Security monitoring and logging of data access
5.2 Organizational Measures
CountryDevs implements the following organizational security measures:
- Staff Training: Regular data protection and security awareness training
- Access Management: Strict need-to-know access policies
- Confidentiality: Confidentiality agreements for all personnel
- Incident Response: Documented procedures for security incidents
- Vendor Management: Security assessments of third-party providers
6. Sub-processors
6.1 Authorized Sub-processors
CountryDevs may engage the following categories of sub-processors:
| Sub-processor Category | Purpose | Examples |
|---|---|---|
| Cloud Infrastructure | Hosting, storage, and computing services | AWS, Google Cloud, Microsoft Azure |
| Communication Tools | Email, messaging, and collaboration | Google Workspace, Slack, Microsoft 365 |
| Analytics Services | Website and application analytics | Google Analytics, Mixpanel, Hotjar |
| Payment Processing | Payment handling and billing | Stripe, PayPal, Square |
| Support Tools | Customer support and ticketing | Intercom, Zendesk, Freshdesk |
6.2 Sub-processor Obligations
CountryDevs ensures that all sub-processors:
- Provide sufficient guarantees for data protection compliance
- Are bound by written contracts with equivalent data protection obligations
- Implement appropriate technical and organizational security measures
- Are regularly monitored for compliance
7. Data Subject Rights
7.1 Assistance with Data Subject Requests
CountryDevs will assist the Controller in fulfilling data subject requests, including:
- Right of Access: Providing information about data processing
- Right to Rectification: Correcting inaccurate personal data
- Right to Erasure: Deleting personal data when required
- Right to Restrict Processing: Limiting data processing activities
- Right to Data Portability: Transferring data in a structured format
- Right to Object: Stopping processing for specific purposes
7.2 Response Timeframe
CountryDevs will respond to Controller requests for assistance within 10 business days or as required by applicable law, whichever is shorter.
8. Data Breach Notification
8.1 Breach Detection and Response
In the event of a personal data breach, CountryDevs will:
- Notify the Controller without undue delay (within 24 hours of detection)
- Provide available information about the breach
- Take immediate measures to contain and mitigate the breach
- Assist with breach investigation and regulatory notifications
- Document the breach and response measures taken
8.2 Breach Information
Breach notifications will include:
- Description of the nature of the breach
- Categories and approximate number of data subjects affected
- Categories and approximate number of personal data records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
9. International Data Transfers
9.1 Transfer Mechanisms
When personal data is transferred outside the EEA, CountryDevs ensures appropriate safeguards through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions for specific countries
- Binding Corporate Rules where applicable
- Additional technical and organizational measures as required
10. Data Retention and Deletion
10.1 Retention Period
Personal data will be retained only for as long as necessary to fulfill the processing purposes or as required by law.
10.2 Data Deletion
Upon termination of services, CountryDevs will:
- Delete all personal data within 30 days
- Provide certification of deletion upon request
- Return personal data to the Controller if requested
- Ensure sub-processors also delete or return personal data
11. Audits and Compliance
11.1 Audit Rights
The Controller may conduct audits to verify compliance with this DPA, subject to:
- Reasonable advance notice (at least 30 days)
- Confidentiality obligations
- Non-interference with business operations
- Reimbursement of reasonable costs if audit shows no material non-compliance
11.2 Compliance Documentation
CountryDevs maintains documentation demonstrating compliance with data protection obligations and will provide such documentation upon reasonable request.
12. Liability and Indemnification
Each party's liability for data protection breaches shall be limited as follows:
- Each party is liable only for damages caused by its own non-compliance
- Total liability shall not exceed the amounts specified in the main service agreement
- Neither party is liable for damages caused by the other party's instructions or actions
13. Contact Information
Data Protection Officer
For all data protection matters and DPA-related inquiries: