Data Processing Agreement
Last updated: January 1, 2026
Table of Contents
This Data Processing Agreement (DPA) is incorporated into and forms part of the UnivoCorp Terms of Service. It sets forth the parties' obligations with respect to the processing of Personal Data.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
"Controller" means the entity that determines the purposes and means of the processing of Personal Data.
"Processor" means the entity that processes Personal Data on behalf of the Controller.
"Sub-processor" means any Processor engaged by UnivoCorp to process Personal Data.
2. Scope and Purpose
This Data Processing Agreement (DPA) governs the processing of Personal Data by UnivoCorp on behalf of the Customer. UnivoCorp acts as a Processor and the Customer acts as a Controller. Processing is limited to providing the UnivoCorp services and supporting activities.
3. Customer Obligations
The Customer shall ensure it has obtained all necessary consents and legal bases for processing Personal Data through UnivoCorp.
The Customer shall provide lawful instructions to UnivoCorp regarding the processing of Personal Data.
The Customer is responsible for the accuracy, quality, and legality of Personal Data provided to UnivoCorp.
4. UnivoCorp Obligations
Process Personal Data only on documented instructions from the Customer.
Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
Implement appropriate technical and organizational security measures.
Assist the Customer in responding to Data Subject requests.
Assist the Customer in ensuring compliance with security and breach notification obligations.
Delete or return Personal Data at the end of the service relationship.
Make available all information necessary to demonstrate compliance with this DPA.
5. Sub-processors
UnivoCorp may engage Sub-processors to process Personal Data. A current list is maintained in our Trust Center.
We will notify Customers of new Sub-processors 30 days before engagement.
Sub-processors are bound by contractual obligations at least as protective as this DPA.
6. International Data Transfers
UnivoCorp may transfer Personal Data outside the European Economic Area (EEA) only with appropriate safeguards.
We rely on Standard Contractual Clauses approved by the European Commission for such transfers.
Transfer impact assessments are conducted where required.
7. Security Measures
UnivoCorp implements technical and organizational measures appropriate to the nature of the Personal Data processed. These include encryption, access controls, regular testing, and incident response procedures. Details are provided in our Security documentation.
8. Personal Data Breach
UnivoCorp will notify the Customer without undue delay upon becoming aware of a Personal Data breach. The notification will include the nature of the breach, categories of data affected, and measures taken or proposed.
9. Data Subject Rights
UnivoCorp will assist the Customer in responding to requests from Data Subjects to exercise their rights under applicable law, including access, rectification, erasure, and portability.
10. Audit Rights
UnivoCorp will make available information necessary to demonstrate compliance with this DPA. The Customer may audit UnivoCorp's compliance, subject to reasonable notice and confidentiality obligations.
11. Term and Termination
This DPA is effective for the duration of the service agreement. Upon termination, UnivoCorp will delete or return Personal Data within 90 days, unless retention is required by law.
Questions?
If you have any questions about this data processing agreement, please contact us at legal@univocorp.com