Not legal advice. This is a starting-point DPA for teams selling a SaaS or digital product. Replace party names, roles, and data categories with your counsel before signing or publishing as binding.
This Data Processing Agreement ("DPA") forms part of the agreement between the Customer (as controller, or acting on a controller's instruction, as applicable) and CoreLaunch ("Processor," "we," or "us") when we process personal data on the Customer's behalf in connection with the services described in the main agreement (e.g. support, onboarding, or any hosted services we provide). It does not replace your Privacy Policy for end users of products you build — you remain responsible for your own applications.
1. Definitions
Terms such as "personal data," "processing," "controller," "processor," and "data subject" have the meanings under applicable data protection law (including the GDPR where it applies).
2. Subject matter, nature, and purpose
Subject matter: Processing of personal data related to the Customer's use of CoreLaunch-delivered services (e.g. account, billing contact, and support communications).
Nature and purpose: Hosting, delivery, security, improvement, and support of those services as instructed by the Customer through normal use and documented configuration — not for Processor's independent marketing unless separately agreed.
Duration: For the term of the main agreement and until deletion or return of data in accordance with Section 6.
3. Types of personal data and data subjects
Categories may include: identifiers (name, email), account and technical metadata, and content the Customer submits in support tickets. Data subjects may include the Customer's staff, contractors, and end users where their data is processed in connection with the services. Update this list to match what you actually process.
4. Processor obligations
We will:
- Process personal data only on documented instructions from the Customer, including as required by applicable law;
- Ensure persons authorized to process data are bound by confidentiality;
- Implement appropriate technical and organizational measures for security, taking into account the state of the art and risk;
- Assist the Customer, insofar as possible, with data subject requests and DPIAs where applicable, subject to reimbursement for disproportionate effort if agreed in the main contract;
- Notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer data we process on their behalf;
- At the end of services, delete or return personal data as the Customer directs, except where retention is required by law.
5. Sub-processors
The Customer authorizes us to engage sub-processors (e.g. cloud hosting, payment processors, email delivery, analytics) who process data only to deliver the services. We remain liable for their performance. We will publish or provide a current list of sub-processors and give notice of material changes where required by law or contract. Maintain an accurate sub-processor list in your privacy notice or an annex to this DPA.
6. International transfers
Where personal data is transferred outside the Customer's jurisdiction, we will implement appropriate safeguards (e.g. Standard Contractual Clauses, UK IDTA, or other lawful mechanisms) as required by applicable law. Specify mechanisms that match your vendors and regions.
7. Audits
On reasonable request, we will make available information necessary to demonstrate compliance with this DPA and allow for audits agreed in the main contract (including questionnaires or third-party certifications), subject to confidentiality and security constraints.
8. Conflict with main agreement
If this DPA conflicts with the main agreement, the terms that provide the stronger protection for data subjects under applicable law prevail, to the extent permitted.
9. Contact
For DPA-related requests, email: ziyad.a.webdev@gmail.com · X (Twitter): @ZiyadVA