Data Processing Agreement (DPA)
Last updated: June 20, 2026.
This DPA forms part of, and is governed by, the Terms of Service. It is designed to meet the processor-contract requirements of major data protection frameworks, including Article 28 of the EU GDPR, and the data protection laws applicable to the parties.
1. Roles
The Organisation is the **Controller** of the personal data it enters or uploads about the individuals, households and establishments it records and serves on the platform (each, a "**Beneficiary**"), and about its staff, contacts and operations (together, "Organisation Data"). CommonLynk is the **Processor**, processing Organisation Data only to provide the platform and only on the Controller's **documented instructions** (including via configuration and use of the platform). CommonLynk will inform the Controller if, in its opinion, an instruction infringes applicable law.
2. Subject-matter, duration, nature & purpose
- **Subject-matter / nature:** hosting, storage, processing and display of Organisation Data to deliver the platform's beneficiary-management, programme, forms, reporting and related features.
- **Duration:** for the term of the subscription and the retention periods in the [Data Retention Policy](./DATA_RETENTION_POLICY.md).
- **Types of data:** as determined by the Controller — typically identifying data, contact details, programme/attendance records, form responses, and any special-category or children's data the Controller chooses to record.
- **Categories of data subjects:** the Controller's Beneficiaries, staff, and contacts.
3. Processor obligations
CommonLynk will:
1. Process Organisation Data only on documented instructions, including for transfers, unless required by law (and will notify the Controller of such a requirement unless legally prohibited).
2. Ensure persons authorised to process the data are bound by **confidentiality**.
3. Implement appropriate **technical and organisational security measures** (Schedule A).
4. Respect the conditions for engaging **sub-processors** (Section 5).
5. **Assist the Controller**, by appropriate measures, in responding to data-subject requests (access, correction, deletion, etc.).
6. **Assist the Controller** with security, breach notification, impact assessments and prior consultations, taking into account the information available to CommonLynk.
7. On termination, **delete or return** Organisation Data at the Controller's choice, and delete existing copies unless retention is required by law (see Retention Policy).
8. Make available information necessary to **demonstrate compliance** and allow for and contribute to **audits** (Section 7).
4. Security measures (Schedule A summary)
- Encryption in transit (TLS; all platform traffic over HTTPS)
- Per-tenant data isolation
- Role-based access control
- Authenticated, ownership-checked access to uploaded files
- Secrets stored encrypted
- Regular encrypted backups
- Logging and monitoring
- Least-privilege administrative access

Full current measures: [SECURITY OVERVIEW URL].
5. Sub-processors
The Controller provides **general authorisation** for CommonLynk to engage sub-processors (e.g. email delivery, payment processing, cloud hosting/backups) listed at [SUB-PROCESSOR LIST URL]. CommonLynk will (a) impose data-protection obligations on each sub-processor at least as protective as this DPA, (b) remain **fully liable** for its sub-processors, and (c) give the Controller **prior notice** of intended additions or replacements, allowing the Controller to object on reasonable data-protection grounds.
6. Personal data breaches
CommonLynk will notify the Controller **without undue delay** after becoming aware of a personal data breach affecting Organisation Data, and will provide the information the Controller reasonably needs to meet its own notification obligations. Those obligations can be short: under Article 33 of the EU GDPR, for example, a controller must notify its supervisory authority within **72 hours** of becoming aware of a notifiable breach where feasible, so timely notice from the Processor directly affects the Controller's ability to comply. CommonLynk will not notify the Controller's data subjects or regulators on the Controller's behalf unless instructed to do so.
7. Audits
CommonLynk will make available information reasonably necessary to demonstrate compliance with this DPA and allow audits/inspections by the Controller or its appointed auditor, on reasonable notice, during business hours, subject to confidentiality and not unreasonably disrupting operations. CommonLynk may satisfy audit requests through up-to-date third-party certifications or reports where available.
8. International transfers
Where CommonLynk processes or transfers Organisation Data across borders, it will apply the safeguards required by applicable law — which may include **regulator authorisations, Standard Contractual Clauses or equivalent contractual safeguards, and/or in-region hosting** where a jurisdiction so requires. The parties will cooperate to put the appropriate mechanism in place for the Controller's data subjects.
9. Data-subject requests
If CommonLynk receives a request from a data subject relating to Organisation Data, it will not respond directly (except to confirm the request should go to the Controller) and will promptly forward it to the Controller and assist as set out above.
10. Liability, term & precedence
This DPA's liability is subject to the limitations in the Terms of Service. It takes effect when the Controller accepts the Terms and continues while CommonLynk processes Organisation Data. If this DPA conflicts with the Terms on data-protection matters, **this DPA prevails**.