Data Processing Agreement

Last updated: December 2024

1. Definitions

For the purposes of this DPA, the following definitions apply:

• "Personal Data" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on personal data, including collection, use, storage, and deletion
• "Data Controller" means the entity that determines the purposes and means of processing personal data
• "Data Processor" means the entity that processes personal data on behalf of the Data Controller
• "Data Subject" means the identified or identifiable natural person to whom personal data relates
• "GDPR" means the General Data Protection Regulation (EU) 2016/679

2. Scope and Application

2.1 Applicability

This DPA applies when and insofar as Mobile Proxy Data Service processes personal data on behalf of the Customer in the course of providing proxy services.

2.2 Data Controller and Processor Relationship

• Customer acts as the Data Controller for any personal data processed through our proxy services
• Mobile Proxy Data Service acts as the Data Processor
• Customer determines the purposes and means of processing
• Mobile Proxy Data Service processes data only on documented instructions from Customer

3. Processing Instructions

3.1 Processing on Instructions

Mobile Proxy Data Service will process personal data only on documented instructions from the Customer, including:

• Instructions contained in this DPA
• Additional written instructions provided by Customer
• Processing necessary for the provision of proxy services

3.2 Unlawful Instructions

If Mobile Proxy Data Service believes that any instruction infringes applicable data protection law, we will immediately inform the Customer and may suspend processing until the instruction is modified or confirmed.

4. Categories of Data and Data Subjects

4.1 Categories of Data Subjects

The personal data processed may relate to the following categories of data subjects:

• Website visitors whose data is collected through proxy services
• Users of online services accessed through proxy connections
• Individuals whose data appears in web content accessed via proxies

4.2 Categories of Personal Data

The types of personal data that may be processed include:

• IP addresses and network identifiers
• Browser and device information
• Website URLs and content accessed
• Timestamps and usage logs
• Any personal data contained in accessed web content

5. Security Measures

5.1 Technical and Organizational Measures

Mobile Proxy Data Service implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Technical Measures:

• Encryption of personal data in transit and at rest
• Network security and firewall protection
• Access controls and authentication systems
• Regular security updates and patches
• Secure data backup and recovery procedures

Organizational Measures:

• Security policies and procedures
• Employee training on data protection
• Incident response procedures
• Regular security assessments and audits
• Vendor management and due diligence

5.2 Confidentiality

Mobile Proxy Data Service ensures that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6. Sub-processing

6.1 General Authorization

Customer provides general authorization for Mobile Proxy Data Service to engage sub-processors for the processing of personal data, subject to the conditions set out in this section.

6.2 Current Sub-processors

Mobile Proxy Data Service currently engages the following categories of sub-processors:

• Cloud infrastructure providers
• Payment processing services
• Technical support and monitoring services
• Data analytics and performance monitoring

6.3 Sub-processor Obligations

Mobile Proxy Data Service ensures that sub-processors:

• Provide sufficient guarantees regarding data protection
• Are bound by data protection obligations equivalent to this DPA
• Process personal data only for the purposes specified
• Implement appropriate technical and organizational measures

6.4 Changes to Sub-processors

Mobile Proxy Data Service will inform Customer of any intended changes concerning the addition or replacement of sub-processors with at least 30 days notice. Customer may object to such changes on reasonable data protection grounds.

7. Data Subject Rights

7.1 Assistance with Data Subject Requests

Mobile Proxy Data Service will assist Customer in responding to data subject requests by:

• Providing technical and organizational measures to facilitate Customer's compliance
• Implementing appropriate measures to enable data portability
• Assisting with data rectification and erasure when technically feasible
• Providing information about processing activities upon request

7.2 Limitations

Customer acknowledges that due to the nature of proxy services, some data subject rights may be technically impossible to fulfill, particularly regarding data accessed through proxy connections that is not stored by Mobile Proxy Data Service.

8. Personal Data Breaches

8.1 Notification Obligations

Mobile Proxy Data Service will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer's data, and in any case within 72 hours where feasible.

8.2 Breach Information

The notification will include, where possible:

• Description of the nature of the breach
• Categories and approximate number of data subjects concerned
• Categories and approximate number of personal data records concerned
• Likely consequences of the breach
• Measures taken or proposed to address the breach

8.3 Cooperation

Mobile Proxy Data Service will cooperate with Customer and provide reasonable assistance in investigating and mitigating the breach.

9. Data Protection Impact Assessments

Mobile Proxy Data Service will provide reasonable assistance to Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, where required by applicable law.

10. International Data Transfers

10.1 Transfer Safeguards

Where personal data is transferred to countries outside the European Economic Area, Mobile Proxy Data Service will ensure appropriate safeguards are in place:

• Adequacy decisions by the European Commission
• Standard Contractual Clauses approved by the European Commission
• Binding Corporate Rules where applicable
• Other approved transfer mechanisms under GDPR

10.2 Transfer Locations

Personal data may be transferred to and processed in the following regions:

• Pakistan (primary processing location)
• European Union (sub-processors)
• United States (cloud services with appropriate safeguards)

11. Data Retention and Deletion

11.1 Retention Periods

Mobile Proxy Data Service will retain personal data only for as long as necessary to provide the services and fulfill legal obligations:

• Connection logs: 30 days for security and troubleshooting
• Account data: Duration of service plus 7 years for legal compliance
• Payment data: As required by financial regulations

11.2 Data Deletion

Upon termination of services or Customer's request, Mobile Proxy Data Service will:

• Delete or return all personal data to Customer
• Delete existing copies unless retention is required by law
• Provide certification of deletion upon request

12. Audits and Compliance

12.1 Audit Rights

Customer has the right to conduct audits and inspections to verify compliance with this DPA, subject to:

• Reasonable advance notice (at least 30 days)
• Conducting audits during normal business hours
• Maintaining confidentiality of Mobile Proxy Data Service's business information
• Customer bearing the costs of such audits

12.2 Compliance Documentation

Mobile Proxy Data Service will make available to Customer information necessary to demonstrate compliance with this DPA and applicable data protection laws.

13. Liability and Indemnification

13.1 Allocation of Liability

Each party's liability is limited to damages caused by its own breach of this DPA. Customer remains liable for ensuring lawful processing instructions and compliance with data protection laws.

13.2 Regulatory Fines

If either party receives a regulatory fine as a result of the other party's breach of this DPA, the breaching party will indemnify the non-breaching party for such fines.

14. Term and Termination

14.1 Term

This DPA will remain in effect for as long as Mobile Proxy Data Service processes personal data on behalf of Customer.

14.2 Termination

This DPA will automatically terminate upon termination of the main service agreement between the parties.

15. Governing Law and Jurisdiction

This DPA shall be governed by the laws of Pakistan, while respecting the applicability of European data protection law where relevant. Disputes relating to data protection matters may be brought before the competent supervisory authorities.

16. Contact Information

For matters relating to this DPA and data protection, please contact: