DATA PROCESSING AGREEMENT — TEMPLATE (v1.0)

This Data Processing Agreement ("DPA") is entered into between Customer (the "Controller") and Atestaria ("Processor") pursuant to GDPR Art. 28 and equivalent obligations under LGPD, CCPA, PIPEDA and POPIA.

1. SUBJECT MATTER

Processor processes hashes and metadata strictly necessary to provide the Atestaria notarization, identity, and trust services as described in the Service Description.

2. CATEGORIES OF DATA

- Account data: name, email, organization
- Authentication data: password hash, session token
- Content metadata: title, type, hash (no original content stored)
- Usage data: request logs, IP address, audit events

3. SECURITY MEASURES

Processor maintains technical and organizational measures including encryption in transit and at rest, KMS-managed keys, RBAC, hash-chained audit logging, secure SDLC, and incident response procedures (see /trust).

4. SUB-PROCESSORS

Listed at https://[domain]/trust. Customer is notified at least 30 days before any change.

5. INTERNATIONAL TRANSFERS

Standard Contractual Clauses apply where required. Region-pinning is available on Enterprise plans.

6. DATA SUBJECT RIGHTS

Processor assists Controller in fulfilling DSARs through endpoints at /privacy.

7. AUDITS

Controller may audit annually with 30 days' notice. Processor provides SOC 2 / ISO 27001 reports on completion.

8. RETENTION & DELETION

Data is retained per the configurable retention policy (default 730 days) and deleted within 30 days of contract termination.

9. INCIDENT NOTIFICATION

Processor notifies Controller within 72 hours of a confirmed breach.

10. GOVERNING LAW

As specified in the Master Services Agreement.

[End of template — to be customized and executed by both parties.]