This Data Processing Addendum (“Addendum”) forms part of the Terms & Conditions or any other service agreement (“Agreement”) between you (“Customer”) and Aris Insights (“Processor”, “we”, “us”, or “our”).
Effective Date: [Insert Date]
1. Definitions
- Controller: The party that determines the purpose and means of processing personal data (your client).
- Processor: The party that processes personal data on behalf of the Controller (Aris Insights).
- Personal Data: Any information relating to an identified or identifiable natural person.
- Data Subject: The individual to whom the personal data relates.
- Processing: Any operation performed on personal data (e.g., collection, storage, analysis).
2. Scope and Role of the Parties
The Processor agrees to process Personal Data only on behalf of the Controller and in accordance with the Controller’s instructions, unless required by law.
3. Nature and Purpose of Processing
- Purpose: Providing fintech business insights, analytics, reports, and recommendations.
- Data Types: May include names, emails, business metrics, financial performance data, user behavior data, etc.
- Data Subjects: Employees, customers, users, or clients of the Controller.
4. Obligations of the Processor (Aris Insights)
We agree to:
- Process personal data solely to fulfill our obligations under the Agreement.
- Implement appropriate technical and organizational measures to ensure data security (e.g., encryption, access control).
- Ensure staff are bound by confidentiality obligations.
- Assist the Controller with data subject requests (e.g., access, deletion, correction).
- Assist with audits and inspections (upon reasonable request).
5. Sub-processors
We may engage third-party sub-processors to assist in delivering our services. A list of current sub-processors is available upon request. We will notify the Controller of any changes and provide an opportunity to object on reasonable grounds.
All sub-processors are bound by written agreements that impose data protection obligations equivalent to those in this Addendum.
6. International Data Transfers
If we transfer personal data outside of the EU/EEA or your local jurisdiction, we will ensure such transfers are done lawfully using:
- Standard Contractual Clauses (SCCs),
- Adequacy decisions, or
- Other approved mechanisms under applicable law.
7. Data Subject Rights
We will assist the Controller in responding to any request from a Data Subject under applicable data protection laws, including:
- Right to access
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to data portability
- Right to object or restrict processing
8. Data Breach Notification
In the event of a data breach involving Personal Data, we will:
- Notify the Controller without undue delay (typically within 72 hours)
- Provide relevant information, including the nature of the breach, affected data, mitigation actions, and future prevention
9. Data Retention and Deletion
Upon termination of the Agreement, at the Controller’s option, we will delete or return all personal data unless required to retain it by applicable law. Deletion will be confirmed in writing upon request.
10. Liability
The liability of each party under this Addendum shall be subject to the limitations and exclusions of liability set out in the Agreement.
11. Governing Law and Jurisdiction
This Addendum is governed by the laws of [Insert Jurisdiction, e.g., England & Wales / United States / European Union country]. Any disputes shall be resolved in the courts of the same jurisdiction.
12. Contact
For questions or requests related to this DPA, please contact:
📧 inf@arisinsights.com
🌐 Aris Insights