Data Processing Agreement

Effective: May 24, 2026 · Classification: Public summary · Full text on request

For any engagement involving Personal Data processed through the PrimeTDAP platform, Primus and the engaging customer countersign a Data Processing Agreement (DPA) as an addendum to the Master Services Agreement. The full DPA is shared with prospective customers under NDA — this page summarizes what it addresses.

Request the full DPA text

Sent via email within one business day. Suitable for legal review prior to a contracted engagement.

Request the DPA

What the DPA addresses

Roles and scope

  • Customer is the data controller for Personal Data Processed under the MSA; Primus is the data processor.
  • Processing is limited to the purposes set out in the MSA and SOW, and to Customer's documented instructions.
  • Where Primus engages sub-processors, Primus remains responsible to Customer for their performance.

Technical and organisational measures (TOMs)

The DPA references the following documents, which the underlying Security & Compliance documentation set provides:

  • Information Security Policy (top-level)
  • Access Control Policy
  • Encryption Standards (at rest AES-256; in transit TLS 1.2+; key management via Azure Key Vault)
  • Incident Response Plan
  • Business Continuity & Disaster Recovery Plan
  • Data Retention Policy
  • AI Use Policy

These documents are shared under NDA on request — see the Security & Compliance documentation pack.

Sub-processors

  • Current sub-processors are listed publicly at /legal/sub-processors.
  • Additions, removals, or material changes are notified to Customer at least 45 days in advance.
  • Customer has the right to object within the notice period; if no alternative is found, either party may terminate the affected portion of the engagement.

Cross-border transfer

  • All Processing is performed in the United States (Microsoft Azure, East US 2).
  • No cross-border transfers occur in the operation of the Service today.
  • If Processing outside the US is proposed, Standard Contractual Clauses (EU/UK) or equivalent transfer mechanisms apply, with prior written Customer consent.

Breach notification

  • Customer is notified without undue delay, and in any event within 72 hours of awareness.
  • Notification includes information reasonably required for Customer's own breach-notification obligations.
  • The process is governed by Primus's Incident Response Plan.

Data Subject rights

  • Primus assists Customer in responding to access, rectification, erasure, restriction, portability, and objection requests.
  • Requests received directly by Primus are forwarded to Customer without undue delay.
  • The platform provides admin-issued DSAR export and erasure endpoints for Customer use.

Audit rights

  • Customer may audit Primus's DPA compliance no more than once per calendar year (or following a Personal Data breach / regulator request).
  • Audits may take the form of documentation review, written questionnaire, or — at Customer's expense — on-site audit by Customer or an agreed independent auditor.

Return / deletion at end of engagement

  • At end of engagement, Personal Data is returned or deleted at Customer's choice.
  • Written confirmation of the action taken is provided within 30 days.
  • Exceptions apply only where retention is required by law.

Liability and governing law

  • Liability and indemnification are governed by the corresponding sections of the MSA.
  • The DPA is governed by the law specified in the MSA, with Applicable Data Protection Law overriding where mandatory.
  • In case of conflict, the DPA prevails over the MSA for matters related to Personal Data Processing.

Applicable law coverage

The standard DPA is drafted to support compliance with:

  • EU GDPR and UK GDPR (with SCCs available where required)
  • California Consumer Privacy Act (CCPA / CPRA)
  • NY SHIELD Act
  • HIPAA (where the engagement involves PHI — separate Business Associate Agreement on request)
  • Other privacy or data-protection law relevant to the engagement scope

Need the executable text?

For procurement review, legal review, or active negotiation — we'll send the full 18-section template by email.

For executable contract questions, contact legal@primussoft.com directly.