Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Master Services Agreement and any Statement of Work between karenlee ("Processor") and the client ("Controller") under which karenlee processes personal data on the Controller's behalf. The DPA reflects the parties' obligations under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, and the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"). It is countersigned by entering into the MSA.
1. Definitions
Terms not defined here have the meaning given in the GDPR. "Personal Data", "Data Subject", "Processing", "Personal Data Breach", "Sub-processor", "Supervisory Authority" and "Standard Contractual Clauses" (SCCs) have their GDPR meanings.
2. Scope & roles
The Controller is the controller of Personal Data that karenlee processes under the MSA. karenlee is the Processor. The subject matter, duration, nature and purpose of the processing, the categories of Data Subjects, and the types of Personal Data processed are set out in Annex A.
3. Processor obligations
karenlee will:
- Process Personal Data only on the Controller's documented instructions, including the MSA and any SOW;
- Ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations;
- Implement and maintain the technical and organisational measures set out in Annex B;
- Assist the Controller in responding to Data Subject requests and complying with its security, breach-notification, impact-assessment and prior-consultation obligations;
- At the Controller's choice, delete or return Personal Data at the end of the engagement, and delete existing copies unless storage is required by law;
- Make available the information necessary to demonstrate compliance and allow for audits as described in Section 7.
4. Sub-processors
The Controller authorises karenlee to engage the Sub-processors listed in Annex C. karenlee will give the Controller at least 30 days' prior notice of any new Sub-processor and the opportunity to object on reasonable grounds. karenlee will impose data-protection obligations on Sub-processors no less protective than those in this DPA and remains liable for their performance.
5. International transfers
For transfers of Personal Data from the EEA, UK or Switzerland to a country not benefiting from an adequacy decision, the parties incorporate the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) Module Two (Controller to Processor), as modified by the UK International Data Transfer Addendum where applicable. karenlee acts as the data importer.
6. Personal Data breach
karenlee will notify the Controller of a Personal Data breach affecting the Controller's Personal Data without undue delay and in any event within 48 hours of becoming aware. The notification will include, to the extent known, the nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed.
7. Audit
karenlee will make available, on the Controller's reasonable request and no more than once per calendar year, the information necessary to demonstrate compliance with this DPA, including in the form of a current audit report or written responses to a recognised security questionnaire. The Controller may, on 30 days' notice, conduct an on-site audit at karenlee's facilities during business hours, at the Controller's expense, conducted by a mutually agreed independent auditor under non-disclosure.
8. CCPA addendum
To the extent karenlee processes Personal Information of California residents on the Controller's behalf, karenlee is a "Service Provider" under the CCPA/CPRA. karenlee will not (a) sell or share Personal Information, (b) retain, use or disclose it outside the direct business relationship with the Controller, or (c) combine it with information from other sources except as expressly permitted by the CCPA.
9. Apple-specific provisions
Where the engagement involves publishing an Application on the App Store under the Controller's Apple Developer Program account:
- The Controller remains the publisher of record and the controller for end-user data;
- karenlee will configure the Application's App Store privacy nutrition label to match this DPA and the Controller's Privacy Policy;
- karenlee will use Apple-provided services (CloudKit, Sign in with Apple, iCloud, App Store Connect) under Apple's terms and will pass through Data Subject requests Apple cannot satisfy directly;
- The Controller, not karenlee, is responsible for the Application's relationship with App Tracking Transparency requirements.
10. Liability
Each party's liability under this DPA is subject to the limits in the MSA, except for liability that cannot be excluded under applicable law. Where the parties are jointly liable to a Data Subject, the parties will allocate liability between themselves according to their relative responsibility for the breach.
11. Term & termination
This DPA remains in force for as long as karenlee processes Personal Data on the Controller's behalf. The obligations in Sections 3, 6, 7 and 10 survive termination.
12. General
This DPA is governed by the law of the MSA, except that GDPR-mandated SCCs are governed by the law of an EU Member State where the Controller is established (or, where the Controller is not established in the EU, by Irish law). In case of conflict, this DPA prevails over the MSA in matters of data protection.
Annex A — Description of processing
Subject matter: Design, engineering, maintenance and App Store operation of one or more Apple platform applications for the Controller.
Duration: The term of the MSA and applicable SOWs, plus the retention periods specified in karenlee's Privacy Policy.
Nature & purpose: Building, deploying and maintaining software; debugging issues reported by end users; assisting with App Review; preparing analytics and bug reports for the Controller.
Categories of Data Subjects: The Controller's end users (consumers, employees, business contacts), the Controller's personnel, and authorised testers.
Categories of Personal Data: Account identifiers, device identifiers, contact details, content created within the Application, crash and diagnostic data the user opts in to share, and any other category specified in the SOW.
Annex B — Technical & organisational measures
- Encryption in transit (TLS 1.2 or later) and at rest where supported;
- FileVault on all studio devices, Touch ID / Face ID at the user level;
- Multi-factor authentication on all production accounts (Apple Developer, App Store Connect, source control, email, password manager);
- Hardware-token-backed admin access for production-critical accounts;
- Per-engagement secrets rotation; secrets never committed to source control;
- Least-privilege access controls, with quarterly access review;
- Endpoint detection and response on all studio devices;
- Annual penetration test on infrastructure operated by karenlee;
- Written incident response plan with named owners and 48-hour breach notification target;
- Background-checked personnel; written confidentiality obligations; mandatory annual privacy training.
Annex C — Authorised Sub-processors
- Apple Inc. — App Store Connect, TestFlight, iCloud / CloudKit, Sign in with Apple. United States. Necessary for the Service.
- Google LLC — Firebase Hosting for the karenlee website. United States. Necessary for the website.
- GitHub Inc. — source code hosting and CI. United States.
- Sentry / Bugsnag (one chosen per project) — crash and error reporting, only with end-user opt-in.
- RevenueCat Inc. — subscription receipt validation, where the Application uses subscriptions and the Controller approves the choice.
Project-specific Sub-processors (analytics, payments, mapping, voice) are listed in the relevant SOW.