Data Processing Agreement
This agreement governs how Cortiqa processes personal data on behalf of its users, in compliance with applicable data protection regulations.
1. Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Cortiqa and the user ("Controller"). It governs the processing of personal data by Cortiqa ("Processor") on behalf of the Controller.
This DPA is designed to comply with the General Data Protection Regulation (GDPR), UK GDPR, India's Digital Personal Data Protection Act (DPDPA), and other applicable data protection laws.
2. Definitions
The following terms have the meanings set out below for the purposes of this DPA:
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Processing | Any operation performed on personal data, including collection, storage, use, disclosure, or deletion. |
| Controller | The user who determines the purposes and means of processing personal data. |
| Processor | Cortiqa, which processes personal data on behalf of the Controller. |
| Sub-processor | A third party engaged by Cortiqa to assist in processing personal data. |
| Data Subject | The individual whose personal data is being processed. |
3. Roles and Responsibilities
This DPA establishes the respective obligations of the Controller and the Processor with respect to the processing of personal data.
Controller (You)
- Determines the purposes and means of processing.
- Ensures a lawful basis exists for all processing.
- Provides clear instructions to the Processor.
- Fulfills data subject rights requests.
- Maintains records of processing activities.
Processor (Cortiqa)
- Processes data only on documented instructions from the Controller.
- Does not use personal data for independent commercial purposes.
- Implements appropriate technical and organizational security measures.
- Assists the Controller in fulfilling data subject requests.
- Notifies the Controller of any data breach without undue delay.
4. Processor Obligations
Cortiqa commits to the following standards for all data processing activities conducted under this DPA:
Confidentiality
All personnel authorized to process personal data are bound by contractual confidentiality obligations.
Sub-processor Management
Sub-processors are engaged only with prior notice to the Controller and are subject to equivalent data protection obligations.
Incident Notification
In the event of a personal data breach, Cortiqa will notify the Controller without undue delay and within 72 hours of becoming aware.
Data Deletion and Return
Upon termination of the agreement, all personal data will be deleted or returned within 30–90 days, unless retention is required by law.
Privacy by Design
Data protection principles are embedded into the design and architecture of all processing systems and operations.
Audit and Compliance
Cortiqa will make available all information necessary to demonstrate compliance and allow for audits by the Controller or an authorized auditor.
5. Security Measures
Cortiqa implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data at rest and in transit using industry-standard protocols.
- Access controls to ensure only authorized personnel can access personal data.
- Regular security assessments and vulnerability testing.
- Incident response procedures and disaster recovery capabilities.
- Employee training on data protection and security practices.
- Physical security measures for data center facilities.
6. International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions, Cortiqa ensures that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy decisions by relevant regulatory authorities.
- Binding Corporate Rules where applicable.
- Any other legally recognized transfer mechanisms.
7. Data Subject Rights
Cortiqa will assist the Controller in responding to data subject requests, including requests for access, rectification, erasure, restriction of processing, data portability, and objection to processing.
Processing of Requests
If Cortiqa receives a data subject request directly, we will promptly redirect the request to the Controller, unless otherwise instructed. Cortiqa will not respond to data subject requests independently without the Controller's authorization.
8. Data Retention and Deletion
Upon termination of the agreement or at the Controller's written request, Cortiqa will delete or return all personal data within 30 to 90 days, unless retention is required by applicable law (e.g., tax, audit, or regulatory obligations).
Cortiqa will provide written confirmation of deletion upon request. Any data retained for legal compliance will be securely isolated and protected until deletion is permissible.
9. Regulatory Compliance
This DPA is designed to comply with the following regulations:
| Regulation | Jurisdiction | Status |
|---|---|---|
| General Data Protection Regulation (GDPR) | EU / EEA | Compliant |
| UK General Data Protection Regulation | United Kingdom | Compliant |
| Digital Personal Data Protection Act (DPDPA) | India | Compliant |
| California Consumer Privacy Act (CCPA) | California, USA | Compliant |
10. Data Protection Officer
For questions regarding this DPA or our data processing practices, or to exercise your rights, please contact our Data Protection Officer.
privacy@cortiqa.com
Response Time: Within 48 hours
This Data Processing Agreement is effective as of the date you accept the Cortiqa Terms of Service or begin using our services. Cortiqa reserves the right to update this DPA to reflect changes in legal requirements or our data processing practices. Material changes will be communicated to affected Controllers.
© 2025 Cortiqa. All rights reserved.