Phylax - Data Processing Agreement (Sample)
Non-binding sample published for pre-contact review. Binding DPA terms are agreed per customer through procurement, together with the paired licence.
Sample document. This page sets out, in sample form, the terms of the Data Processing Agreement ("DPA") that accompanies the Phylax commercial licence. Evaluation and commercial terms are agreed on a per-customer basis. This sample is not a binding offer; any negotiated agreement supersedes it. This DPA is intended to be executed together with the Phylax commercial licence at /legal/license/phylax-sample as a condition of the Deployment.
1. Parties
- Processor: Varinomics Ltd ("Varinomics"), a company incorporated in Cyprus under registration number HE 434980, with registered office at Agiou Athanasiou 59, 4102 Limassol, Cyprus.
- Controller / Operator: the legal entity named in the Order Form ("Operator"), which is the controller of the Personal Data processed through the Phylax pipeline within the meaning of Article 4(7) of Regulation (EU) 2016/679 ("GDPR").
2. Background and purpose
(a) The Operator licenses Phylax, an automated parking-enforcement workflow, from Varinomics under the commercial licence at /legal/license/phylax-sample (the "Licence Agreement"). Phylax is deployed at the Operator's site (the "Deployment") and, in ordinary operation, processes Personal Data on infrastructure controlled by the Operator.
(b) This DPA governs the processing of Personal Data by Varinomics on behalf of the Operator in the circumstances where Varinomics acts as Processor within the meaning of Article 4(8) GDPR - primarily during support engagements in which Varinomics incidentally accesses Personal Data held at the Deployment.
(c) This DPA is entered into pursuant to Article 28(3) GDPR. The Operator and Varinomics acknowledge that entering into this DPA is a condition of the Deployment under section 13(b) of the Licence Agreement.
3. Definitions
(a) Terms defined in the GDPR - including controller, processor, sub-processor, data subject, personal data, processing, personal data breach, and supervisory authority - have the same meaning in this DPA.
(b) "Personal Data" in this DPA refers specifically to the categories of personal data described in Annex A that are processed under the Deployment.
(c) "Applicable Data Protection Law" means the GDPR and any national implementing or supplementing legislation, together with any other data-protection law applicable to the Operator's Deployment.
(d) "Sub-processor" means a third party engaged by Varinomics to process Personal Data on the Operator's behalf, as further described in section 12.
(e) "Term" has the meaning given in the Licence Agreement.
4. Subject matter, nature, and purpose of processing
(a) The subject matter, nature, and purpose of the processing of Personal Data under this DPA are set out in Annex A (Processing details).
(b) In summary, Varinomics processes Personal Data on behalf of the Operator only to the extent necessary to provide support and maintenance services for the Deployment and, where expressly requested by the Operator, to assist with specific operational or diagnostic tasks. Routine operational processing of Personal Data - including ALPR capture, KBA enquiries under section 39 StVG, ticket-letter generation and dispatch, and payment reconciliation - is performed by the Operator on infrastructure under the Operator's control; Varinomics does not have routine access to production Personal Data.
5. Duration
This DPA takes effect on the Effective Date of the Licence Agreement and continues for the Term of the Licence Agreement. Obligations in this DPA that are intended by their nature to survive - including sections 8(g), 10, 11, 12, 13, 15, and the audit records referenced in Annex B - survive termination.
6. Types of personal data and categories of data subjects
The categories of Personal Data and of data subjects are set out in Annex A. In summary:
(a) Categories of data subjects include (i) vehicle drivers and registered keepers whose vehicles are recorded at the Operator's enforced parking areas; (ii) recipients of enforcement correspondence; and (iii) the Operator's staff who correspond with Varinomics during support engagements.
(b) Types of Personal Data include (i) vehicle-plate captures and associated image data; (ii) owner-data responses returned by the Kraftfahrt-Bundesamt (KBA) under section 39 StVG; (iii) ticket-recipient names, addresses, and correspondence records; (iv) payment-reconciliation records; and (v) support-correspondence content where it contains Personal Data.
7. Roles and compliance with the GDPR
(a) The Operator is the controller within the meaning of Article 4(7) GDPR for all Personal Data processed through the Deployment.
(b) Varinomics is the processor within the meaning of Article 4(8) GDPR, acting on the Operator's behalf in the circumstances described in section 2(b) and section 4(b).
(c) The Operator is responsible for establishing and documenting the lawful basis for KBA enquiries under section 39 StVG and for the downstream processing of owner data under Article 6(1)(f) GDPR (legitimate interest) or another applicable legal basis under Article 6(1) GDPR; for fulfilling the transparency obligations under Articles 13 and 14 GDPR towards data subjects; for conducting any data-protection impact assessment required under Article 35 GDPR and for any prior consultation required under Article 36 GDPR; for responding to data-subject-rights requests; and for retention and deletion at the Deployment.
(d) Varinomics assists the Operator with those obligations as set out in sections 8 and 10 and taking into account the nature of processing and the limited role of Varinomics under this DPA.
8. Processor obligations
Varinomics undertakes, in relation to Personal Data it processes on behalf of the Operator:
(a) Documented instructions. Varinomics processes Personal Data only on documented instructions from the Operator, including with regard to transfers to a third country or an international organisation, unless required to do so by EU or Member State law; in that case, Varinomics informs the Operator of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest. The Licence Agreement, this DPA, the Order Form, and any further written instructions given by the Operator under this DPA, constitute the Operator's documented instructions. Varinomics informs the Operator without undue delay if, in Varinomics's opinion, an instruction infringes the GDPR or other Applicable Data Protection Law.
(b) Confidentiality. Varinomics ensures that personnel authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and limits access to Personal Data to personnel whose duties require it.
(c) Security measures (Article 32 GDPR). Varinomics implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures described in Annex B (Technical and organisational measures). Varinomics reviews and updates those measures where appropriate.
(d) Sub-processors. Varinomics complies with section 12 below and with the list of approved Sub-processors in Annex C.
(e) Data subject rights assistance. Taking into account the nature of the processing, Varinomics assists the Operator by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Operator's obligation to respond to requests for exercising data subject rights under Chapter III of the GDPR (Articles 12 to 23). The Operator acknowledges that Varinomics's ability to assist is limited by the fact that Personal Data processed through the Phylax pipeline is held primarily at the Deployment, under the Operator's control.
(f) Assistance with controller obligations. Taking into account the nature of processing and the information available to Varinomics, Varinomics assists the Operator in ensuring compliance with its obligations under Articles 32 to 36 GDPR, including (i) security of processing, (ii) notification of a Personal Data Breach to the supervisory authority and, where applicable, to data subjects, (iii) carrying out data-protection impact assessments, and (iv) prior consultation with the supervisory authority.
(g) Return or deletion on termination. At the Operator's choice, Varinomics deletes or returns all Personal Data processed on the Operator's behalf at the end of the provision of services relating to the processing, and deletes existing copies unless EU or Member State law requires storage. Certification of deletion is provided on request. Varinomics retains Personal Data that it is required to retain by applicable law only for the period and for the purposes of that retention. This section 8(g) addresses Personal Data processed by Varinomics on the Operator's behalf under this DPA; Personal Data held at the Deployment on infrastructure under the Operator's control remains within the Operator's custody and is governed by the Operator's own retention, deletion, and data-subject-response policies.
(h) Information and audits. Varinomics makes available to the Operator all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA, and allows for and contributes to audits, including inspections, conducted by the Operator or by a mutually agreed independent third-party auditor. Audits take place on reasonable prior written notice, no more frequently than once per calendar year save in the event of a material Personal Data Breach, compliance failure, or where required by a supervisory authority; are conducted during business hours; respect Varinomics's confidentiality and security obligations to third parties; and are carried out at the Operator's cost unless the audit reveals a material non-compliance by Varinomics, in which case the Operator's reasonable audit costs are borne by Varinomics.
9. Controller obligations
The Operator:
(a) ensures that Personal Data is collected and provided to Varinomics lawfully and that a lawful basis under Article 6 GDPR applies to each processing operation, including the lawful basis for KBA enquiries under section 39 StVG;
(b) provides data subjects with the information required by Articles 13 and 14 GDPR, including the identification of Varinomics as a processor where disclosure of processor identity is required;
(c) conducts a data-protection impact assessment under Article 35 GDPR where required and consults the supervisory authority under Article 36 GDPR where required;
(d) responds to data-subject-rights requests as the controller, with Varinomics's assistance under section 8(e); and
(e) complies with any sector-specific obligations applicable to the Operator (including, where applicable, obligations under road-traffic, consumer-protection, and consumer-contract law) and with the terms of any access authorisation granted by the KBA under section 39 StVG.
10. Personal Data Breach notification
(a) Varinomics notifies the Operator without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Operator. Notification is sent to the contact address designated by the Operator in the Order Form (and, failing that, to the notice address under the Licence Agreement), and contains the information required by Article 33(3) GDPR to the extent known at the time of notification, with subsequent updates as further information becomes available.
(b) The Operator is responsible for any notification to the supervisory authority under Article 33(1) GDPR and any communication to data subjects under Article 34 GDPR. Varinomics assists the Operator with such notifications as contemplated by section 8(f).
(c) Nothing in this section 10 limits the Operator's own obligations under Article 33 GDPR, including the 72-hour deadline from awareness.
11. International transfers
(a) Varinomics is established in the European Union (Cyprus). Processing of Personal Data by Varinomics takes place within the European Economic Area except to the extent that a Sub-processor listed in Annex C processes Personal Data from a third country.
(b) Where a transfer of Personal Data to a third country or an international organisation occurs under this DPA, that transfer is safeguarded under one of the transfer mechanisms permitted by Chapter V GDPR, namely (i) an adequacy decision adopted by the European Commission under Article 45 GDPR, including the EU-US Data Privacy Framework adequacy decision where applicable, (ii) Standard Contractual Clauses adopted by the European Commission under Article 46(2)(c) GDPR, or (iii) another lawful transfer mechanism under Chapter V GDPR. The applicable transfer mechanism for each current Sub-processor is identified in Annex C.
(c) Varinomics informs the Operator in advance of any intended change to a Sub-processor or to the transfer mechanism applicable to a Sub-processor, as contemplated by section 12, so that the Operator may exercise its right of objection.
(d) Government access requests. Where Varinomics or a Sub-processor receives a legally binding request from a public authority of a third country or an international organisation for access to Personal Data processed on the Operator's behalf, Varinomics - to the extent legally permitted - notifies the Operator promptly, challenges the request by all available means, suspends the affected transfers where required, and takes such further steps as are required under the applicable transfer mechanism (including Clause 15 of the 2021 Standard Contractual Clauses where those Clauses apply). Varinomics maintains reasonable documentation of such requests and of the responses taken, and makes that documentation available to the Operator on request.
12. Sub-processors
(a) General authorisation. The Operator grants Varinomics a general authorisation to engage the Sub-processors listed in Annex C for the processing activities described there.
(b) Changes. Varinomics notifies the Operator in writing at least thirty (30) days before adding or replacing a Sub-processor, identifying the new Sub-processor, the processing activity, the location of processing, and the transfer mechanism where applicable. The Operator may object on reasonable grounds relating to data protection within the notice period.
(c) Objection. If the Operator objects on reasonable grounds, the parties cooperate in good faith to agree an alternative arrangement. If no alternative can be agreed within a further thirty (30) days, the Operator may terminate the affected service, and, to the extent the objection cannot be accommodated without terminating this DPA and the Licence Agreement, the Operator may terminate both for convenience; fees paid for the terminated period are non-refundable, and section 14 applies.
(d) Flow-down. Varinomics imposes, by written contract, data-protection obligations on each Sub-processor that are substantially equivalent to those set out in this DPA, including the obligations relating to security, confidentiality, audit, sub-processing, and notification of a Personal Data Breach to Varinomics without undue delay of the Sub-processor's awareness. Varinomics remains fully liable to the Operator for the performance of each Sub-processor's data-protection obligations.
(e) Operator's own vendors. The Operator's own vendors used in the ordinary operation of the Deployment - including the Operator's ALPR vendor, letter-dispatch service, and banking-channel provider - are not Varinomics's Sub-processors under this DPA. The Operator's processor relationships with those vendors are governed by the Operator's own contracts with them.
13. Liability
(a) Except as expressly provided in this section 13 and in section 11(c)(iii) of the Licence Agreement, liability arising out of or in connection with this DPA is governed by section 11 of the Licence Agreement.
(b) Nothing in this DPA or in the Licence Agreement limits or excludes (i) a data subject's rights against either party under Article 82 GDPR; (ii) any liability that cannot be limited or excluded under Applicable Data Protection Law; or (iii) either party's obligation to compensate the other for damages paid to data subjects under Article 82 GDPR in proportion to that party's responsibility for the damage, as provided by Articles 82(4) and 82(5) GDPR.
(c) The specific liability cap and allocation applicable to breaches of data-protection obligations under this DPA is agreed in the Order Form; absent a specific allocation, the cap under section 11(b) of the Licence Agreement applies separately to claims under this DPA.
14. Term and termination
(a) This DPA takes effect on the Effective Date of the Licence Agreement and continues for the Term of the Licence Agreement, subject to the survival of the return/deletion obligations in section 8(g) and any other obligations that are intended by their nature to survive, including those listed in section 5.
(b) Either party may terminate this DPA on written notice if the other party materially breaches it and fails to cure the breach within thirty (30) days after receipt of written notice. Material breach of this DPA constitutes a material breach of the Licence Agreement.
(c) Termination of the Licence Agreement automatically terminates this DPA, subject to section 14(a).
15. Governing law and dispute resolution
This DPA is governed by and construed in accordance with the laws of the Republic of Cyprus, excluding its conflict-of-laws rules. The courts of Cyprus have exclusive jurisdiction over any dispute arising out of or in connection with this DPA, without prejudice to the rights of a data subject to bring proceedings before the courts of the Member State in which the data subject has his or her habitual residence under Article 79(2) GDPR. The United Nations Convention on Contracts for the International Sale of Goods does not apply.
16. Notices
Notices under this DPA are given in writing to the addresses set out in the Order Form. Notices to Varinomics are sent to [email protected] with a copy to the registered office. Notices to the Operator are sent to the data-protection contact identified in the Order Form (and, failing that, to the notice address under the Licence Agreement). Email notices are effective on the next business day following dispatch.
17. Entire agreement; amendments
This DPA, together with the Licence Agreement, the Order Form, and the Annexes to each, constitutes the entire agreement between the parties relating to the processing of Personal Data under the Deployment and supersedes all prior communications on that subject. In case of conflict between this DPA and the Licence Agreement on data-protection matters, this DPA prevails. Amendments must be in writing and signed by authorised representatives of both parties.
18. Severability
If any provision of this DPA is held to be unenforceable, the remaining provisions remain in full force and the unenforceable provision is replaced by an enforceable provision that most closely approximates the parties' original intent and the requirements of Applicable Data Protection Law.
Annex A - Processing details
| Field | Detail |
|---|---|
| Subject matter of processing | Provision of support and maintenance services for the Phylax Deployment, and, where expressly requested by the Operator, assistance with specific operational or diagnostic tasks that incidentally involve Personal Data held at the Deployment. |
| Nature of processing | Access, viewing, analysis, transmission, and - where necessary for support - temporary storage of Personal Data provided by or on behalf of the Operator. |
| Purpose of processing | Supporting the Operator's automated parking-enforcement workflow on parking areas controlled by the Operator. |
| Duration of processing | For the Term of the Licence Agreement, plus any return/deletion period under section 8(g). |
| Frequency of processing | Occasional, tied to support engagements initiated by the Operator; not continuous. |
| Categories of data subjects | (i) vehicle drivers and registered keepers recorded at the Operator's enforced parking areas; (ii) recipients of enforcement correspondence; (iii) the Operator's staff who correspond with Varinomics during support engagements. |
| Types of Personal Data | (i) vehicle-plate captures and associated image data; (ii) KBA owner-data responses (name, address); (iii) ticket-recipient names, addresses, and correspondence records; (iv) payment-reconciliation records; (v) support-correspondence content where it contains Personal Data. |
| Special categories of data | None intended. The Operator is responsible for ensuring that no special categories of personal data under Article 9 GDPR, and no personal data relating to criminal convictions and offences under Article 10 GDPR, are provided to Varinomics outside the specific and documented instructions of the Operator. |
Annex B - Technical and organisational measures (Article 32 GDPR)
Varinomics implements, and maintains for the duration of this DPA, technical and organisational measures appropriate to the risks presented by the processing. The measures below are the baseline; specific measures for a Deployment are agreed in the Order Form where additional controls are required.
1. Access control. Access to Operator Personal Data is restricted to Varinomics personnel whose duties require it. Access uses individually identifiable accounts with strong authentication. Access for a specific support engagement is scoped to the task, is time-limited for the duration of that engagement, and requires documented approval under Varinomics's internal support-access procedure. Access is logged and reviewed periodically, and is revoked promptly when no longer required.
2. Transport and at-rest encryption. Personal Data transmitted between the Deployment and Varinomics during support engagements is transmitted over encrypted channels (TLS 1.2 or higher; see RFC 5246 and RFC 8446). Personal Data held by Varinomics for the purposes of a support engagement is encrypted at rest wherever stored - including on support-workspace systems, personnel endpoints (see item 3), and backup media (see item 8). Encryption keys are managed under documented key-management procedures.
3. Endpoint security. Varinomics personnel accessing Personal Data do so from endpoints under corporate management, with disk encryption, current security patches, and endpoint-protection software.
4. Confidentiality of personnel. Personnel authorised to access Personal Data are bound by confidentiality obligations extending beyond termination of their engagement.
5. Segregation and integrity of temporary support copies. Operator Personal Data received during a support engagement is handled separately from Varinomics's own records and from other operators' data. Temporary copies created for the engagement are subject to integrity checks (for example, cryptographic hash verification against the Operator-provided source) before and after handling, and are deleted - together with any derived working material - once the engagement is concluded, save where retention is required under Applicable Data Protection Law.
6. Incident response. Varinomics maintains a documented incident-response procedure covering detection, assessment, containment, Operator notification, remediation, and post-incident review. The procedure implements the notification obligations in section 10.
7. Data minimisation in support engagements. Varinomics requests and receives only the Personal Data necessary for the specific support task. Where diagnostic or operational information can be provided in a form that does not contain Personal Data, the Operator is asked to provide it in that form.
8. Backup, recovery, and secure deletion of backups. Varinomics maintains backup procedures for its own systems that hold Personal Data processed under this DPA; backups are encrypted at rest and access-controlled in the same manner as primary systems, and are retained only for the period necessary for recovery. Secure deletion of Operator Personal Data under section 8(g) extends to backup media on a defined rolling basis, with certification of deletion available on request. Backup restoration procedures are tested periodically to verify that recovery preserves the integrity of Operator Personal Data and that secure-deletion routines remove restored copies once the test is concluded.
9. Logging and monitoring. Operational logs of access to Personal Data are maintained for the period necessary for audit and incident response, and no longer.
10. Training. Varinomics personnel with access to Personal Data receive training on data-protection obligations and on the procedures in this Annex B.
11. Sub-processor oversight. Sub-processors are engaged under written agreements imposing measures substantially equivalent to this Annex B; see Annex C.
12. Review. This Annex B is reviewed at least annually and updated where appropriate in light of the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing.
Annex C - Approved Sub-processors
The following Sub-processor is approved as of the Effective Date of this DPA.
| Sub-processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Google LLC (Google Workspace) | Mailbox hosting for @varinomics.com addresses. Processes Personal Data only insofar as Operator correspondence with Varinomics (sent to, or received from, Varinomics mailboxes) contains Personal Data. | United States | EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795); Standard Contractual Clauses pursuant to Article 46(2)(c) GDPR as an alternative. Google LLC is certified under the EU-US DPF. |
No other Sub-processor processes Personal Data on behalf of the Operator as of the Effective Date.
Note - outside DPA scope. Hosting of varinomics.com itself is not within the scope of this DPA. The public marketing website is hosted by GitHub, Inc. (United States) as described in /legal/privacy; that hosting does not process Operator Personal Data, and GitHub, Inc. is therefore not a Sub-processor under this DPA. It is mentioned here only to avoid confusion between the public website's data-protection surface (governed by the Privacy policy page) and the processing scope of this DPA (governed by this Annex C).
Sample document - not binding. This page is a sample for reference only. Binding DPA terms are agreed through /procurement, together with the Phylax commercial licence at /legal/license/phylax-sample. Legal review is required before any operator executes a DPA based on this sample.