Established: April 1, 2026
Data Processing Agreement (DPA)
JITERA PTE. LTD.
This Data Processing Agreement (this “DPA”) is entered into between JITERA PTE. LTD. (the “Company,” “Processor,” or “we”) and you (the “Controller” or “you”).
This DPA forms part of the Terms of Service and shall be read in conjunction with the Terms of Service. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail.
By processing personal data of your customers, employees, or other third parties through the Service, you are deemed to have agreed to this DPA.
Article 1. Definitions
For purposes of this DPA:
1.1 “Customer Data”
“Customer Data” means personal data that you process using the Services.
1.2 Defined Terms
“Personal Data,” “Data Subject,” “Processing,” “Controller,” “Processor,” “Sub-processor,” “Personal Data Breach,” and “Supervisory Authority” have the meanings given to them in the GDPR, UK GDPR, Swiss FADP, and other applicable data protection laws.
1.3 “Services”
“Services” means the services provided by the Company as defined in the Terms of Service.
1.4 “GDPR”
“GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679).
1.5 “Standard Contractual Clauses” or “SCCs”
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses pursuant to Commission Implementing Decision 2021/914.
Article 2. Scope and Details of Processing
2.1 Scope
This DPA applies when you use the Services to process personal data of your customers, employees, or other third parties (Customer Data). In such cases, you act as the data controller and we act as the data processor.
2.2 Subject Matter and Duration
We will process Customer Data in accordance with your written instructions during the term of the agreement. Your use of the Services constitutes such instructions.
2.3 Nature and Purpose
We process Customer Data in accordance with the purposes set forth in the Terms of Service. This includes providing, operating, maintaining, and improving the Service.
2.4 Types of Personal Data
The types of personal data processed are determined by the data you upload or input into the Services. This may include:
- Contact information (name, email, phone number, etc.)
- Employee information (job title, department, etc.)
- Customer information (purchase history, transaction data, etc.)
- Other data you store in the Services
2.5 Categories of Data Subjects
The categories of data subjects are determined by your use of the Services. This may include:
- Your employees
- Your customers
- Your business partners
- Other individuals whose data you process through the Services
Article 3. Processor’s Obligations
3.1 Process in Accordance with Instructions
We process Customer Data in accordance with your written instructions, unless required to do so by EU law or EU Member State law. In such cases, we may inform you of that legal requirement before processing, unless prohibited by law.
3.2 Confidentiality
We ensure that all personnel authorized to access Customer Data are subject to confidentiality obligations.
3.3 Security Measures
We implement appropriate technical and organizational security measures in accordance with GDPR Article 32, including:
- Pseudonymization and encryption of personal data
- Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- Ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident
- Regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures
See Appendix II for details.
3.4 Sub-processors
We may engage sub-processors with your general authorization. See Article 4 for details.
3.5 Assist with Data Subject Rights
We will assist you, to the extent reasonably possible, in responding to data subject rights requests (access, rectification, erasure, data portability, restriction, objection, etc.).
If we receive a data subject request directly regarding Customer Data, we will notify you and follow your instructions, unless prohibited by law.
3.6 Assist with Compliance
We will assist you, to the extent reasonably possible, in ensuring compliance with GDPR Articles 32 to 36 (security, data breach notification, data protection impact assessment, prior consultation).
3.7 Deletion or Return of Data
Upon termination of the agreement, we will delete or return Customer Data at your choice, unless EU law or EU Member State law requires storage.
You may notify us of your choice (deletion or return) within 30 days of termination. If no notification is received, we will delete Customer Data.
3.8 Demonstrate Compliance
We will provide information necessary to demonstrate compliance with this DPA upon reasonable request.
Article 4. Sub-processors
4.1 General Authorization
By agreeing to this DPA, you provide general authorization for us to engage the following categories of sub-processors:
- Cloud infrastructure providers
- AI processing providers
- Payment processors
- Communication service providers
- Analytics service providers
4.2 Sub-processor List
The current list of sub-processors is available at https://trust.jitera.app/subprocessors.
4.3 Change Notification
We may update the sub-processor list one or more times per year. When adding new sub-processors, we may update https://trust.jitera.app/subprocessors and notify you by email.
In emergencies (including for security reasons, legal requirements, or to ensure service continuity), we may change sub-processors without prior notice.
4.4 Objection
You may object to a new sub-processor on reasonable grounds within 20 business days of notification by providing written notice (including email).
If you raise a legitimate objection, we will use commercially reasonable efforts to either:
- Not use the new sub-processor, or
- Allow you to terminate the agreement
4.5 Sub-processor Obligations
We will use commercially reasonable efforts to enter into contracts with sub-processors imposing data protection obligations substantially equivalent to this DPA.
We remain liable to you for any failure by a sub-processor to fulfill its data protection obligations.
Article 5. Data Subject Rights
5.1 Controller’s Responsibility
You are responsible for responding to data subject rights requests.
5.2 Processor’s Assistance
We will assist you, to the extent reasonably possible, in responding to data subject rights requests.
5.3 Direct Requests
If we receive a data subject request directly regarding Customer Data, we will notify you and follow your instructions, unless prohibited by law.
Article 6. Data Breaches
6.1 Notification Obligation
We will notify you without undue delay upon becoming aware of a personal data breach affecting Customer Data.
6.2 Notification Content
The notification will include, to the extent reasonably available to us:
- The nature of the breach
- Our contact point
- Measures taken or proposed to mitigate the breach
- Where appropriate, recommended measures
6.3 Cooperation
We will assist you, to the extent reasonably possible, in complying with your obligations under GDPR Articles 33 and 34 (notification to supervisory authority and data subjects).
Article 7. Audits
7.1 Audit Rights
You have the right to conduct audits once per year upon reasonable advance notice (at least 30 days).
7.2 Audit Conditions
Audits shall be conducted:
- During normal business hours
- Without unreasonably interfering with our business operations
- By auditors who have entered into confidentiality agreements with us
- At your expense
7.3 Information Provision
We will provide information necessary to demonstrate compliance with this DPA upon reasonable request. This may include security certifications, audit reports, and other relevant documentation.
7.4 Alternative Compliance
You may accept our security certifications or audit reports in lieu of conducting an on-site audit.
Article 8. International Data Transfers
8.1 Application
This Article applies when we transfer Customer Data outside the EEA, UK, or Switzerland.
8.2 Safeguards
We will implement appropriate safeguards in accordance with GDPR Article 46, UK GDPR, or Swiss FADP.
8.3 Standard Contractual Clauses
We will use Standard Contractual Clauses (SCCs) approved by the European Commission. This DPA incorporates SCC Module 2 (Controller to Processor).
8.4 Precedence
In the event of any conflict between the SCCs and this DPA, the SCCs shall prevail.
8.5 UK Addendum
For transfers from the UK, the UK International Data Transfer Addendum applies.
8.6 Swiss Addendum
For transfers from Switzerland, the Swiss Federal Data Protection and Information Commissioner (FDPIC) approved addendum applies.
Article 9. Controller’s Responsibilities
You are responsible for:
9.1 Legal Basis
Having an appropriate legal basis for processing Customer Data.
9.2 Obtaining Consent
Obtaining necessary consents from data subjects.
9.3 Providing Notice
Providing appropriate notices (privacy notices, etc.) to data subjects.
9.4 Lawful Instructions
Providing only lawful instructions to us.
9.5 Data Accuracy
Maintaining the accuracy and currency of Customer Data.
9.6 Data Subject Rights
Responding to data subject rights requests.
Article 10. Liability and Indemnification
10.1 Limitation of Liability
Our liability under this DPA is subject to the limitation of liability provisions in the Terms of Service.
10.2 Processor’s Liability
Under GDPR Article 82, we are liable for damages only if we have not complied with obligations under this DPA, or have acted outside or contrary to your lawful instructions.
10.3 Sub-processor Liability
We remain liable to you for any failure by a sub-processor to fulfill its data protection obligations.
Article 11. Termination
11.1 Deletion or Return of Data
Upon termination, we will delete or return Customer Data at your choice.
11.2 Choice Notification
You may notify us in writing of your choice (deletion or return) within 30 days of termination.
11.3 Default
If no notification is received, we will delete Customer Data.
11.4 Legal Storage Obligations
If EU law or EU Member State law requires storage, we will retain the applicable Customer Data.
11.5 Certification of Deletion
Upon your request, we may provide written certification of data deletion.
Article 12. General Provisions
12.1 Entire Agreement
This DPA constitutes the entire agreement between the parties regarding the processing of Customer Data.
12.2 Amendments
We may amend this DPA from time to time. For material changes, we will notify you.
12.3 Severability
If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.
12.4 Governing Law
This DPA is governed by the law specified in the Terms of Service.
12.5 Dispute Resolution
Disputes regarding this DPA shall be resolved in accordance with the dispute resolution procedures in the Terms of Service.
Appendix I: Description of Processing Activities
(Information required by Standard Contractual Clauses)
| Item | Description |
|---|---|
| Data Exporter (Controller) | You (the Customer) |
| Data Importer (Processor) | JITERA PTE. LTD. |
| Subject Matter | Provision of the Services |
| Duration | Term of the agreement |
| Nature of Processing | Storage, retrieval, organization, structuring, adaptation, alteration, use, disclosure, deletion |
| Purpose | Provision of the Services |
| Categories of Personal Data | Contact information (name, email, phone number, etc.); Employee information (job title, department, etc.); Customer information (purchase history, transaction data, etc.); Other data you store in the Services |
| Categories of Data Subjects | Your employees; Your customers; Your business partners; Other individuals whose data you process through the Services |
| Contact Information | JITERA PTE. LTD.; 18 ROBINSON ROAD, #20-02, 18 ROBINSON, SINGAPORE (048547); customer-support@jitera.com |
Appendix II: Technical and Organizational Measures
(Security measures under GDPR Article 32)
1. Data Encryption
1.1 Encryption in Transit
- End-to-end encryption using TLS 1.2 or higher
- Authentication tokens for all API connections
1.2 Encryption at Rest
- Database encryption
- Encrypted backups
- Secure key management systems
2. Access Controls
2.1 Authentication
- Multi-factor authentication (MFA)
- Strong password policies
2.2 Authorization
- Role-based access control (RBAC)
- Principle of least privilege
- Regular access reviews
2.3 Employee Access
- Access to personal data limited to minimum necessary
- All access logged
3. System Resilience
3.1 Backups
- Continuous data backups
- Geographically distributed backup storage
- Tested recovery procedures
3.2 Redundancy
- Redundant infrastructure
- Automatic failover
3.3 Disaster Recovery
- Disaster recovery plan
- Business continuity plan
4. Security Monitoring
4.1 Monitoring
- 24/7 security monitoring
- Intrusion detection systems
- Security information and event management (SIEM)
4.2 Vulnerability Management
- Regular vulnerability assessments
- Penetration testing
- Security patch application
4.3 Log Management
- Security log retention (up to 1 year)
- Regular log reviews
5. Physical Security
5.1 Data Centers
- Use of SOC 2 Type II or ISO 27001 certified data centers
- Physical access controls
- Surveillance cameras
- Environmental controls (fire suppression, climate control)
6. Personnel Security
6.1 Employee Management
- Background checks for employees with access to personal data
- Confidentiality agreements with all employees
- Annual security training
6.2 Policies and Procedures
- Data handling policies
- Incident response procedures
- Security policies
7. Incident Response
7.1 Incident Response Team
- Dedicated team available 24/7
- Regularly tested incident response plan
7.2 Notification Procedures
- Notification procedures compliant with GDPR Articles 33 and 34
- Notification to supervisory authority within 72 hours
- Notification to data subjects where required
7.3 Post-Incident
- Post-incident analysis
- Implementation of corrective measures
- Prevention of recurrence
8. Third-Party Security
8.1 Sub-processor Management
- Due diligence of all sub-processors
- Contractual security requirements
- Regular audits
9. Compliance
9.1 Certifications
For details on our security certifications, please visit https://trust.jitera.app/.
9.2 Regular Reviews
- Regular review and update of security measures
- Response to new threats
Appendix III: List of Sub-processors
The current list of sub-processors is available at https://trust.jitera.app/subprocessors.