Data Processing Agreement
Standard DPA for GDPR, PDPA, and enterprise data compliance. Last updated: 1 June 2026
Scope and parties
This Data Processing Agreement ("DPA") is between Tafkiro Technologies Co ("Processor") and the customer entity identified in the Master Services Agreement ("Controller").
This DPA supplements the Master Services Agreement and governs the processing of personal data by Tafkiro on behalf of the Controller in connection with the Tafkiro platform and related services.
Subject matter and duration
The subject matter of the processing is the delivery of the Tafkiro enterprise platform as described in the Statement of Work. The duration is coterminous with the Master Services Agreement.
Tafkiro processes personal data categories including: employee and user records, customer and vendor contact information, financial transaction data, and any other personal data uploaded to the platform by the Controller.
Processor obligations
Tafkiro shall process personal data only on documented instructions from the Controller, except where required by applicable law.
Tafkiro shall ensure that persons authorised to process personal data are committed to confidentiality.
Tafkiro shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption at rest and in transit, access controls, and regular security testing.
Tafkiro shall assist the Controller in responding to data subject requests under applicable data protection law.
Tafkiro shall notify the Controller without undue delay (and within 48 hours where technically feasible) after becoming aware of a personal data breach.
Sub-processors
Tafkiro uses sub-processors to deliver elements of the platform, including cloud infrastructure providers and security monitoring services. The current sub-processor list is available at tafkiro.com/legal/sub-processors.
Tafkiro shall inform the Controller of any intended changes to sub-processors at least 30 days in advance, giving the Controller the opportunity to object.
Tafkiro shall impose data protection obligations equivalent to those in this DPA on all sub-processors.
International transfers
Where Tafkiro transfers personal data outside the country of origin, it shall do so in accordance with applicable law, relying on Standard Contractual Clauses or equivalent mechanisms.
For Gulf customers, data residency in UAE or Saudi Arabia is available and documented in the individual service agreement.
For Singapore customers, data residency in Singapore is available under MAS-compliant infrastructure.
Audit rights
Upon 30 days' written notice, Tafkiro shall make available all information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or its appointed auditor.
Tafkiro may require the auditor to sign a non-disclosure agreement and to conduct the audit in a manner that does not unreasonably disrupt operations.
Deletion and return
Upon termination of the MSA, Tafkiro shall, at the Controller's election, return all personal data in a standard exportable format or securely delete it within 60 days.
Tafkiro shall retain copies of personal data only where required by applicable law, and shall notify the Controller of any such retention.
Execute a DPA
Enterprise customers requiring a signed DPA should contact [email protected]. We will issue a countersigned copy within 5 business days. For customers requiring customer-paper DPAs, contact us to discuss.