Capantra
Legal Policy · AU · UK · US

Data Processing Agreement

Enterprise DPA defining controller/processor roles, processing scope, security controls, transfer safeguards, and audit/deletion obligations.

Governance-first posture

We design for review-readiness: clear documentation, versioned policies, and operational controls.

Policy ID: legal-dpa
Last updated: 02-03-2026
Version: v1.0
Category: Legal

1. Roles

Customer acts as Controller and Capantra acts as Processor / Service Provider.

2. Nature of Processing

Processing is necessary to provide SaaS services, including hosting, storage, transmission, support, and analytics where contracted.

3. Categories of Data

  • Contact information.
  • Communication records.
  • Usage data.
  • Device/IP data.
  • Account credentials.

4. Processor Obligations

  • Process only on documented instructions.
  • Ensure confidentiality.
  • Maintain security measures.
  • Assist with data subject rights.
  • Notify of data breaches without undue delay.
  • Delete or return data upon termination.

5. Security Measures

  • Encryption in transit.
  • Encryption at rest.
  • Role-based access controls.
  • MFA for privileged access.
  • Logging and monitoring.
  • Vulnerability management.
  • Incident response plan.

6. Subprocessors

  • Capantra may engage subprocessors.
  • Equivalent contractual safeguards are imposed.
  • Subprocessor list is maintained.
  • Material changes are notified.

7. International Transfers

Transfers rely on EU SCC (2021), UK Addendum, APP-compliant safeguards, and US Service Provider provisions.

SCCs are incorporated by reference where required.

8. US Privacy Compliance

Capantra acts as a Service Provider, does not sell personal data, does not share for behavioural advertising, and processes solely for business purposes.

9. Breach Notification

Capantra notifies without undue delay, provides breach details, cooperates in investigations, and does not notify regulators without instruction unless legally required.

10. Audit Rights

Customer may request security documentation and conduct one remote audit annually with notice.

Third-party certifications may satisfy audit requirements.

11. Data Deletion

Upon termination, data export is available for 30–60 days, then data is securely deleted, with backups overwritten per retention schedule.

12. Liability

Liability under this DPA is subject to the MSA liability caps.

Versioning & change log

v1.0 · 02-03-2026
  • Aligned to updated enterprise DPA draft dated 2 March 2026.
  • Updated section order and control language to match published DPA summary.
v0.2 · 31-12-2025
  • Added enterprise procurement summary structure.
  • Added change log and versioning.
  • Clarified AU/US/EU scope and responsibilities.
v0.1 · 31-12-2025
  • Initial publication of Data Processing Agreement.

Policies may be updated for regulatory, security, or product reasons. Material changes are communicated where required.

Policy notice

This policy is provided for transparency and procurement support and does not constitute legal advice.

Privacy: privacy@capantra.com