Data Processing Agreement

Last updated: 28 May 2026

1. What this is

A Data Processing Agreement (DPA) is the contract required by Art. 28 of the EU/UK GDPR (and equivalent provisions under CCPA/CPRA, LGPD, and similar regimes) between a data controller and a data processor. Where your organisation acts as controller of personal data that Cogniron Technology Solutions Private Limited (“Cogniron”) processes on your behalf via the Cognituring platform (the “Service”), a DPA must be in place between us.

2. How to put one in place

Email support@cogniron.com with:

  • your legal entity name and registered address;
  • the authorised signatory's name and email;
  • your Cognituring organisation slug (or sign-in email);
  • any specific requirements (jurisdiction, governing law, regulator notification flow).

We send back a counter-signed DPA within five business days. The DPA incorporates the European Commission's 2021 Standard Contractual Clauses where international transfers apply, the UK International Data Transfer Addendum where processing involves UK personal data, and the Cognituring Annexes described below.

3. What the DPA covers

  • Annex I — Description of processing. Subject matter, duration, nature, purpose, categories of data, and categories of data subject. Drawn from your actual use of the Service.
  • Annex II — Technical and organisational measures. Cogniron's controls inventory, mirrored from /trust. Updated when controls change.
  • Annex III — Sub-processors. The list at /subprocessors forms part of the DPA. We notify you at least 30 days before adding a new sub-processor so you may object.
  • Standard Contractual Clauses (Module 2). Cogniron acts as data importer where your data is processed in the United States or other third countries.

4. If you have your own DPA template

We are happy to review and counter-sign a customer-provided DPA, provided it incorporates the European Commission's 2021 SCCs and the technical/organisational measures match Cogniron's implemented controls. Material edits go to legal review and may extend the five-business-day turnaround.

5. Sub-processor change notifications

When a DPA is in force, we notify the customer's privacy contact at least 30 days before adding or replacing a sub-processor. The customer may object on reasonable grounds; if the issue cannot be resolved, the customer may terminate the affected portion of the Service without penalty.

6. Security incident notification

In the event of a personal data breach affecting customer data, Cogniron notifies the customer without undue delay and in any case within 72 hours of becoming aware, in line with GDPR Art. 33(2). Notification includes the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to mitigate possible adverse effects.

7. Data subject requests

If your organisation receives a data subject access, deletion, rectification, or portability request that involves data processed by Cogniron on your behalf, raise it with us via support@cogniron.com and we will assist within the statutory response window.

8. Contact

Privacy and DPA matters: support@cogniron.com.