Data Processing Agreement
This Data Processing Agreement (“DPA”) governs the processing of personal data by G.K.M. Jarif Ur Rahim on behalf of clients engaging our professional consulting services.
1. Parties & Definitions
1.1 Parties
This DPA is entered into between:
Data Processor
G.K.M. Jarif Ur Rahim
Founder & Lead Consultant
Rashik — The Awakening
Email: [email protected]
Data Controller
The Client (“you” or “Controller”)
The organization or individual engaging our consulting services
1.2 Key Definitions
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person (GDPR Art. 4(1)) |
| Processing | Any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, or erasure (GDPR Art. 4(2)) |
| Data Subject | An identified or identifiable natural person whose personal data is processed |
| Sub-processor | Any third party engaged by the Processor to process personal data on behalf of the Controller |
| Supervisory Authority | An independent public authority responsible for monitoring the application of data protection law (GDPR Art. 4(21)) |
2. Scope & Purpose of Processing
2.1 Services Covered
This DPA applies to all personal data processed by the Processor in connection with the following consulting services:
| Service | Types of Data Processed | Data Subjects |
|---|---|---|
| Career & Branding Consulting | Names, contact details, professional history, career goals, resumes/CVs | Client employees, job seekers, professionals |
| Technology & AI Consulting | Names, contact details, organizational data, technical requirements | Client employees, stakeholders |
| Spiritual & Life Guidance | Names, contact details, personal goals (with explicit consent) | Individual clients |
| Institutional Training Programs | Names, contact details, attendance records, feedback | Participants, trainees, institutional staff |
2.2 Purpose Limitation
The Processor shall process personal data only for the purposes specified in the service agreement between the parties and as documented in this DPA. The Processor shall not process personal data for any other purpose unless expressly authorized in writing by the Controller.
3. Processor Obligations (GDPR Article 28(3))
In accordance with GDPR Article 28(3), the Processor undertakes the following obligations:
3.1 Lawful Processing
Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.
3.2 Confidentiality
Ensure that all persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation shall survive the termination of this DPA for the period set out in Section 10.
3.3 Security Measures (Article 32)
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 5 of this DPA.
3.4 Sub-processor Management
Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller. Where general written authorization is given, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object. See Section 6 for details.
3.5 Data Subject Rights Assistance
Assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the data subject's rights (access, rectification, erasure, portability, restriction, and objection).
3.6 Compliance Assistance
Assist the Controller in ensuring compliance with obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor. This includes assistance with data protection impact assessments and prior consultation with supervisory authorities.
3.7 Data Return & Deletion
At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the personal data. See Section 7 for retention details.
3.8 Audit & Inspection
Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection provisions.
4. Controller Obligations
The Controller warrants and undertakes that:
- It has a lawful basis for processing personal data and for instructing the Processor to process such data
- It has provided all necessary notices and obtained all necessary consents from data subjects as required by applicable law
- It shall provide documented processing instructions that comply with applicable data protection laws
- It shall promptly notify the Processor of any changes to applicable data protection laws that may affect the Processor's obligations
- It shall be responsible for the accuracy, quality, and legality of personal data provided to the Processor
5. Technical & Organizational Security Measures (Article 32)
The Processor implements the following security measures appropriate to the risk:
| Category | Measures Implemented |
|---|---|
| Encryption | TLS encryption for all data in transit; encrypted storage for sensitive data at rest |
| Access Control | Role-based access control; multi-factor authentication for administrative access; principle of least privilege |
| Data Minimization | Collection limited to data necessary for the specified purpose; regular review and purging of unnecessary data |
| Backup & Recovery | Regular automated backups; tested disaster recovery procedures; geographic redundancy |
| Monitoring | Continuous security monitoring; intrusion detection; regular vulnerability assessments |
| Personnel | Confidentiality agreements; security awareness training; background verification for personnel handling sensitive data |
6. Sub-processors
6.1 Current Sub-processors
The following sub-processors are currently engaged to assist in the delivery of our services:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloud Hosting Platform | Website hosting, database, and application infrastructure | United States |
| Google (Calendar API) | Appointment scheduling and calendar synchronization | United States / Global |
| SMTP Email Service | Transactional email delivery (appointment confirmations, notifications) | United States / Global |
6.2 Sub-processor Changes
The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of sub-processors. The Controller may object to such changes within 14 days of notification. If the Controller objects, the Processor shall either not engage the new sub-processor or the Controller may terminate the affected services. Each sub-processor is bound by data protection obligations no less protective than those set out in this DPA.
7. Data Retention & Deletion
| Data Category | Retention Period | Deletion Method |
|---|---|---|
| Active client data | Duration of service agreement + 90 days | Secure deletion from all systems |
| Consultation records | 24 months after last consultation | Automated purge with confirmation |
| Contact information | 12 months after last interaction | Secure deletion from databases |
| Backup copies | Deleted within 30 days of primary data deletion | Overwrite and verify |
Upon termination of services, the Controller may request return of all personal data in a commonly used, machine-readable format (e.g., CSV, JSON) within 30 days. Following return or upon Controller's written instruction, the Processor shall securely delete all personal data and certify such deletion in writing.
8. Data Breach Notification (Articles 33 & 34)
In the event of a personal data breach, the Processor shall:
Immediate Notification
Notify the Controller without undue delay and in any event within 48 hours of becoming aware of a personal data breach, so that the Controller can meet its own 72-hour deadline for notifying the supervisory authority under Article 33(1).
Detailed Report
Provide the Controller with sufficient information to meet any obligations to report or inform data subjects, including: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
Cooperation & Mitigation
Cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of each such breach.
9. International Data Transfers
The Processor shall not transfer personal data to a country outside the European Economic Area (EEA) unless one of the following conditions is met:
- The European Commission has issued an adequacy decision for the receiving country (GDPR Art. 45)
- Appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission (GDPR Art. 46)
- Binding Corporate Rules have been approved by the competent supervisory authority (GDPR Art. 47)
- The Controller has instructed the specific transfer in writing and a derogation under GDPR Art. 49 applies, such as the explicit consent of the data subject after being informed of the risks (the Controller's consent alone is an instruction, not a transfer mechanism under Chapter V)
Where transfers rely on SCCs, the Processor shall conduct and document a Transfer Impact Assessment (TIA) to evaluate whether the laws and practices of the receiving country undermine the protection provided by the SCCs, and shall adopt supplementary measures where the assessment shows they are needed.
10. Duration & Termination
This DPA shall remain in effect for the duration of the service agreement between the parties. Upon termination of the service agreement:
- The Processor shall cease all processing of personal data within 30 days
- At the Controller's election, the Processor shall return or securely delete all personal data
- The Processor shall provide written certification of data deletion upon request
- Confidentiality obligations and audit rights shall survive termination for a period of 3 years
11. Liability & Indemnification
Each party shall be liable for damages caused by processing that infringes the GDPR, in accordance with Article 82 of the GDPR. The Processor shall be liable for damages caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside of or contrary to the Controller's lawful instructions.
Each party agrees to indemnify the other party against all costs, claims, damages, or expenses incurred as a result of any breach of this DPA or applicable data protection law by the indemnifying party.
12. Governing Law & Jurisdiction
This DPA shall be governed by and construed in accordance with the laws applicable to the main service agreement between the parties. For matters relating to GDPR compliance, the provisions of EU data protection law shall prevail. Any disputes arising under this DPA shall be resolved through the dispute resolution mechanism specified in the main service agreement.
13. Amendments
This DPA may be amended only by written agreement signed by both parties, except that the Processor may update this DPA to reflect changes in applicable data protection law. Such updates will be communicated to the Controller at least 30 days before they take effect, and continued use of services after the effective date constitutes acceptance of the updated DPA.
14. Contact & Inquiries
For questions about this DPA, to request a signed copy, or to exercise any rights under this agreement, please contact:
G.K.M. Jarif Ur Rahim
Data Protection Contact & Lead Consultant
Rashik — The Awakening
Email: [email protected]
Phone: +880 1973 843752
Website: jarifurrahim.one
To obtain a customized, signed version of this DPA for your organization, please contact us with your company details and specific data processing requirements.