Draft — pending lawyer review.
GDPR Article 28 has strict required elements for processor agreements;
this template will be updated following Cyprus legal review.
This Data Processing Agreement ("DPA") forms part of the Terms of
Service between you ("Customer", "Controller") and [YOUR LEGAL NAME],
sole trader in Cyprus ("we", "us", "Processor") and applies when we
process personal data on your behalf as part of the Service.
By using the Service, you agree to this DPA. If your organisation
needs a signed paper version for your compliance records, email
support@cyprus24h.com and we will send one.
1. Definitions
Terms used here have the meanings given in the GDPR (Regulation (EU)
2016/679). In particular:
- "Personal Data" means personal data uploaded into
the Service by you or on your behalf — e.g. names and email
addresses of your customers, suppliers, employees, etc.
- "Processing" has the meaning in Article 4(2) GDPR.
- "Sub-processor" means a third party engaged by us
to process Personal Data on your behalf.
2. Subject-matter and duration
We process Personal Data only for the purpose of providing the
Service to you, for as long as you have an active account, plus a
short retention period thereafter as described in the Privacy Policy.
3. Nature and purpose of processing
We provide hosted multi-tenant accounting software. We store,
transmit, back up, and operate on Personal Data only as needed to
deliver the Service's functionality.
We do NOT:
- Use Personal Data to train machine learning models
- Sell or share Personal Data with marketers
- Use Personal Data for purposes other than providing the Service
4. Types of data and categories of data subjects
Customers typically upload data including:
- Names, addresses, email addresses, phone numbers of their
customers, suppliers, employees
- Bank account details, VAT numbers, tax IDs
- Financial transaction data (invoices, payments, journal entries)
- Payroll data (where the payroll module is used) — which may
include national insurance numbers, salary details
Data subjects include the Customer's own:
- Customers and clients
- Suppliers and contractors
- Employees and contractors
You remain responsible for ensuring you have a lawful basis (under
Article 6 GDPR, and Article 9 where special categories are involved)
to upload this data into the Service.
5. Controller responsibilities
You confirm that:
- You have a lawful basis for processing the Personal Data you upload
- You have provided required notices to data subjects
- You have obtained any required consents
- Your instructions to us comply with applicable data protection law
6. Processor obligations
We will:
- Process Personal Data only on your documented instructions (using
the Service constitutes a documented instruction), and as required
by law
- Ensure persons authorised to process Personal Data are bound by
confidentiality
- Implement appropriate technical and organisational measures (see
Annex II)
- Assist you in responding to data subject rights requests (at your
expense where the assistance required goes beyond what is reasonable)
- Assist you with Data Protection Impact Assessments, breach
notification, and prior consultation with supervisory authorities
- Notify you without undue delay (and in any event within 72 hours
of becoming aware) of any personal data breach affecting your data
- On termination, return or delete Personal Data as you instruct,
subject to legal retention requirements
7. Sub-processors
We use the sub-processors listed in Annex I. By
accepting this DPA you consent to our use of these sub-processors.
We will give you at least 30 days' notice before adding or replacing
a sub-processor (by email, or by publishing an update on our website
with notice in the next product release notes). If you reasonably
object to a new sub-processor on data-protection grounds, you may
terminate the Service for the relevant tenant before the change
takes effect.
We remain liable for the acts and omissions of our sub-processors
as if they were our own.
8. International transfers
Personal Data is stored within Cyprus and the EEA. Where we use
sub-processors that transfer data outside the EEA (see Annex I), we
ensure appropriate safeguards are in place (e.g. EU Standard
Contractual Clauses, adequacy decisions).
9. Audit
You may audit our compliance with this DPA once per year on at least
30 days' written notice, during business hours, without unreasonably
disrupting our operations. We may charge reasonable costs of
providing audit support. As an alternative to on-site audits, you
may rely on written audit reports, certifications, or our completed
answers to a reasonable questionnaire.
10. Liability
Our liability under this DPA is subject to the limitations in the
Terms of Service, except where mandatory law (including Article 82
GDPR) provides otherwise.
11. Term
This DPA applies for as long as we process Personal Data on your
behalf, plus any extended retention period required by law.
12. Conflicts
If this DPA conflicts with the Terms of Service, this DPA prevails
on matters of data protection.
Annex I — Sub-processors
The following third parties may process Personal Data on our behalf:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| [SMTP PROVIDER] | Transactional email delivery (welcome, password reset, notices) | EU region | EU Standard Contractual Clauses where applicable |
| Amazon Web Services (AWS) | Encrypted off-site backups (S3) | EU region | AWS GDPR DPA, EU SCCs |
In addition, the following people may have access to your data on our side:
- [YOUR LEGAL NAME] — sole operator, Cyprus resident, bound by
confidentiality under this DPA
If we engage additional sub-processors, we will update this list
and notify you per Section 7.
Annex II — Security measures
We implement at least the following technical and organisational measures:
Access control
- Operator accounts secured by password (bcrypt-hashed) and
optional TOTP two-factor authentication
- Tenant data isolated in separate SQLite databases per tenant
- Per-tenant audit logs of significant user actions
- Role-based access on the operator side (admin / operator)
- Session pinning to tenant ID; sessions invalidated on key
changes
Network and transport security
- HTTPS / TLS for all customer-facing connections
- Direct web access denied to backup directories (deny-all .htaccess)
- Master database not directly web-accessible
Data integrity and recovery
- Automated backup before destructive operations (hard-delete,
restore)
- Pre-restore backups retained in the backups/ directory
- Tenant self-service backup available via Admin → Backup
- Encrypted off-site backup to Amazon S3 (EU region)
Logging and monitoring
- Master audit log of operator actions
- Tenant-scoped audit logs of significant user actions
- Mail delivery log with 90-day retention
- Login attempts logged including IP address
Software security
- Update zip files validated by product fingerprint before
extraction
- Path-traversal and zip-bomb defences on upload endpoints
- CSRF tokens on all state-changing forms
Physical security
- Servers located at our premises in Cyprus, physical access
controlled, premises locked when unoccupied
Personnel security
- Single named operator ([YOUR LEGAL NAME])
- Confidentiality bound by this DPA
Breach response
- Breach notification to Customer within 72 hours of becoming aware
- Documented process for assessing and notifying breaches to the
Cyprus DPC where required
Annex III — Data subject request handling
For data subject requests (access, rectification, erasure,
portability, etc.) you can:
- Use the in-product features yourself (export, edit, delete
records)
- Email us at support@cyprus24h.com for assistance — we respond
within 5 business days
Where the data subject contacts us directly, we will forward the
request to you and not respond directly except where required to
do so by law.