
IVIS - Data Processing Addendum (DPA) Policy

Data Processing Addendum (DPA)


Effective Date: July 22, 2025

Last Reviewed: July 22, 2025

Contact: [email protected]

1. Purpose


This Data Processing Addendum (DPA) forms part of any agreement between IntelliVersal Integrated Solution (IVIS) and its clients that involves the processing of personal data within the scope of the General Data Protection Regulation (GDPR) or any similar global data protection framework. It ensures that such processing is conducted in a lawful, secure, and transparent manner, especially in cross-border contracts.

2. Definitions


  • Controller: The client who determines the purposes and means of processing personal data.
  • Processor (IVIS): The party that processes personal data on behalf of the controller.
  • Subprocessor: A third party engaged by IVIS to assist with processing tasks.
  • Personal Data: Any data relating to an identified or identifiable natural person.
  • SCCs: Standard Contractual Clauses as adopted by the European Commission for lawful data transfer.

3. Roles and Responsibilities


  • IVIS acts as Processor under this Addendum.
  • Clients act as Controller and are responsible for ensuring a lawful basis for processing.
  • Both parties agree to comply with their respective obligations under GDPR Articles 28–36 and related frameworks (e.g., UK GDPR, CCPA).

4. Data Processing Scope


Element          | Description
Subject Matter   | Delivery of services to client
Duration         | For the duration of the main service agreement
Nature & Purpose | Data hosting, storage, analysis, and platform enablement
Type of Data     | Names, contact info, IP addresses, user IDs, metadata, financial info
Data Subjects    | Client personnel, end-users, customers, partners


5. Obligations of IVIS


IVIS shall:

  • Process data only on the client’s instructions
  • Ensure confidentiality through NDAs and role-based access
  • Assist the client in fulfilling the rights of data subjects (access, rectification, deletion, etc.)
  • Provide information for demonstrating compliance (audit logs, DPIAs, etc.)
  • Notify the client within 72 hours of a data breach
  • Ensure subprocessors are under written, compliant agreements
  • Implement technical and organizational measures per Annex I (below)

6. Cross-Border Data Transfers


  • Data transfers outside the EU/EEA are governed by SCCs or other lawful mechanisms
  • IVIS supports data localization options for enterprise clients upon request
  • Clients may request transfer impact assessments or documentation

7. Subprocessing


  • IVIS maintains an up-to-date Subprocessors List
  • Client is notified 30 days in advance of any new subprocessor engagement
  • Client may object on reasonable data protection grounds

8. Client Rights and Instructions


  • Clients may request:
    • Access to processing documentation
    • Reports on subprocessors
    • Execution of data subject rights (DSARs)
  • IVIS shall follow client instructions unless prohibited by law

9. Termination and Deletion


  • Upon contract termination, IVIS shall:
    • Delete or return all personal data (as per client instruction)
    • Provide deletion confirmation upon request
  • Some data may be retained per legal retention periods or compliance obligations

10. Liability and Indemnity


  • Each party is liable for its own breaches of data protection obligations
  • Indemnities shall be governed by the Master Service Agreement (MSA) between the parties

ANNEX I – Technical & Organizational Measures


IVIS implements:

  • AES-256 encryption at rest and TLS 1.3 in transit
  • Role-based access control (RBAC) and MFA
  • Annual penetration testing and vulnerability scanning
  • Daily backups and disaster recovery systems
  • Continuous monitoring via SIEM tools
  • Secure development lifecycle (SDLC) with code review
  • Data loss prevention (DLP) and endpoint protection

Frequently asked questions


Q1: Do I need to sign this DPA separately?

No. It is automatically incorporated into your master agreement with IVIS if you are subject to data protection laws such as GDPR or CCPA.

Q2: Does IVIS process any sensitive data?

Only if explicitly instructed by the client. In such cases, additional safeguards and data minimization practices are applied.

Q3: What if a client requests data deletion?

IVIS will delete all personal data within 30 days of a verified request, unless retention is legally required.

Q4: How does IVIS handle cross-border compliance?

Through SCCs, data transfer impact assessments, encryption, and optional regional hosting zones for data localization.

Q5: Can clients audit IVIS for GDPR compliance?

Yes. Clients may request audit cooperation or summaries under NDA. IVIS may also provide ISO/SOC certification evidence upon request.