# Data Processing Agreement (DPA)

**Between:**

**Data Controller:** [INSTITUTION NAME], represented by [CONTACT PERSON], [EMAIL]

**Data Processor:** Istražimo (The Absurd Solutions), Novi Sad, Republic of Serbia, represented by legal@istrazimo.rs

**Date:** [DATE]

---

## 1. Subject and Duration of Processing

This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the use of the Istražimo academic research platform (istrazimo.rs).

The processing shall continue for the duration of the Controller's use of the platform, plus a 90-day post-termination data retention period.

## 2. Nature and Purpose of Processing

The Processor processes personal data for the following purposes:
- Storage and management of survey responses collected by the Controller
- Statistical analysis of survey data (descriptive and inferential)
- AI-powered analysis of open-ended responses (optional, only when explicitly enabled by the Controller)
- Data export in standard formats (CSV, SPSS, Excel, R)
- Generation of landing pages for participant recruitment

## 3. Types of Personal Data

- Survey responses (as defined by the Controller's survey instrument)
- Researcher account data (email address, name)
- Minimal metadata (timestamp, completion status, time per question)
- **No IP addresses** (anonymized by default)
- **No tracking cookies**

## 4. Categories of Data Subjects

- **Survey respondents** — participants who complete surveys created by the Controller
- **Researchers** — individuals with platform accounts who create and manage surveys

## 5. Obligations of the Processor (Istražimo)

The Processor shall:

a) Process personal data only on documented instructions from the Controller, unless required by law;

b) Ensure that persons authorized to process personal data have committed to confidentiality;

c) Take all technical and organizational measures required under GDPR Article 32 (see Section 8);

d) Not engage another processor without prior written authorization of the Controller (see Section 7 for approved sub-processors);

e) Assist the Controller in responding to requests from data subjects exercising their rights under GDPR Chapter III;

f) Assist the Controller in ensuring compliance with obligations under GDPR Articles 32-36;

g) At the Controller's choice, delete or return all personal data after the end of the provision of services, and delete existing copies unless EU or member state law requires storage;

h) Make available to the Controller all information necessary to demonstrate compliance with Article 28 obligations and allow for and contribute to audits.

## 6. Obligations of the Controller

The Controller shall:

a) Ensure that there is a lawful basis for the processing of personal data (e.g., respondent consent, legitimate interest);

b) Inform data subjects about the processing in accordance with GDPR Articles 13 and 14;

c) Obtain appropriate ethics committee approval where required;

d) Ensure that survey instruments do not collect unnecessary personal data (data minimization);

e) Respond to data subject requests in a timely manner.

## 7. Sub-processors

The Controller hereby authorizes the use of the following sub-processors:

| Sub-processor | Purpose | Location | DPA in place |
|---|---|---|---|
| Amazon Web Services (AWS) | Infrastructure, hosting, data storage | Frankfurt, Germany (eu-central-1) | Yes (AWS DPA) |
| Amazon Bedrock (Anthropic) | AI analysis of open-ended responses (optional) | EU region | Yes (AWS DPA) |
| Stripe, Inc. | Payment processing for premium plans | EU/US | Yes (Stripe DPA) |

The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.

## 8. Technical and Organizational Measures

The Processor implements the following security measures:

**Encryption:**
- Data at rest: AES-256 encryption (AWS managed keys)
- Data in transit: TLS 1.3

**Access Control:**
- Role-based access control (RBAC) following the principle of least privilege
- Multi-factor authentication for infrastructure access
- JWT-based API authentication with Cognito

**Data Protection:**
- IP anonymization for survey respondents (by default)
- No tracking cookies
- Automatic data deletion via TTL (configurable by Controller)
- Data export available at any time

**Backup and Recovery:**
- Daily encrypted backups
- Backup retention: 30 days
- Point-in-time recovery enabled

**Monitoring:**
- CloudWatch monitoring and alerting
- 6 operational alarms
- Access logging for all API requests

**Employee Access:**
- No employee access to user data without explicit permission
- Minimal team (under 5 persons)
- All team members trained on GDPR obligations

## 9. Breach Notification

In the event of a personal data breach, the Processor shall:

a) Notify the Controller without undue delay and in any event within **72 hours** of becoming aware of the breach;

b) Provide the Controller with sufficient information to meet its own breach notification obligations under GDPR Article 33;

c) Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

## 10. Audit Rights

The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. The Processor shall:

a) Make available all information necessary to demonstrate compliance;
b) Allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller;
c) Provide audit results upon reasonable request.

Audits shall be conducted with reasonable notice and during normal business hours.

## 11. Data Return and Deletion

Upon termination of the service:

a) The Controller may export all data at any time during the service period;
b) The Processor shall delete all personal data within **30 days** of termination, unless required by law to retain it;
c) The Processor shall provide written confirmation of deletion upon request.

## 12. Service Level Agreement

For paid plans, the Processor commits to:
- **99.9% uptime** (measured monthly, excluding scheduled maintenance)
- Maximum scheduled maintenance window: 4 hours per month, with 48 hours' notice
- Incident response time: 4 hours for critical issues

## 13. Governing Law

This DPA shall be governed by the laws of the Republic of Serbia and the General Data Protection Regulation (EU) 2016/679.

## 14. Signatures

**Data Controller:**

Name: ___________________________

Title: ___________________________

Organization: [INSTITUTION NAME]

Date: ___________________________

Signature: ___________________________

**Data Processor:**

Name: ___________________________

Title: ___________________________

Organization: Istražimo (The Absurd Solutions)

Date: ___________________________

Signature: ___________________________
