
Data Processing Agreement (DPA)

Last updated: January 2026

1. Definitions

In this Data Processing Agreement ("DPA"), the following terms have the meanings set forth below:

  • Controller: The entity (Client) that determines the purposes and means of processing personal data
  • Processor: Gold Bar Consultancy Services, which processes personal data on behalf of the Controller
  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data (collection, recording, organization, storage, retrieval, use, transmission, deletion)
  • Subprocessor: An entity that processes personal data on behalf of the Processor
  • Data Subject: The individual to whom personal data relates
  • Applicable Laws: GDPR, CCPA, Zimbabwe Data Protection Act, and similar regulations

2. Scope and Applicability

This DPA applies to all processing of personal data by Gold Bar Consultancy Services on behalf of clients in connection with providing consulting services. It supplements our Terms of Service and Privacy Policy.

This DPA is effective when a client engages our services involving personal data processing and remains in effect until termination of the engagement.

3. Roles and Responsibilities

3.1 Controller Responsibilities

The Client (Controller) agrees to:

  • Determine the purposes, scope, and means of personal data processing
  • Obtain necessary consents and legal basis for processing
  • Ensure compliance with applicable data protection laws
  • Inform data subjects about data processing practices
  • Provide only necessary personal data for service delivery
  • Ensure personal data is accurate and up-to-date

3.2 Processor Responsibilities

Gold Bar Consultancy Services (Processor) agrees to:

  • Process personal data only as instructed by the Controller
  • Implement appropriate technical and organizational security measures
  • Ensure employees handling data are bound by confidentiality
  • Assist the Controller with data subject rights requests
  • Maintain records of processing activities
  • Notify the Controller of personal data breaches without undue delay
  • Delete or return personal data upon termination of engagement

4. Processing Details

4.1 Categories of Personal Data

We may process the following categories of personal data as instructed by the Controller:

  • Identity information (names, contact details, identification numbers)
  • Organizational information (company name, position, department)
  • Financial information (salary, compensation, financial metrics)
  • Employment information (employment history, skills, qualifications)
  • Communication data (emails, meeting notes, correspondence)
  • System and access data (IP addresses, log files, authentication data)

4.2 Categories of Data Subjects

Personal data may relate to:

  • Client employees
  • Client customers and stakeholders
  • Third-party vendors and partners
  • Website visitors and contact form submitters

4.3 Purpose of Processing

Personal data is processed exclusively for the purposes outlined in the service engagement letter and for:

  • Delivering consulting services
  • Analyzing organizational data for recommendations
  • Facilitating communication between parties
  • Maintaining records of service delivery
  • Complying with legal obligations

4.4 Duration of Processing

Personal data is processed for the duration of the service engagement and retained for the retention period specified in our Privacy Policy or applicable law, whichever is longer.

5. Data Subject Rights

5.1 Assistance with Rights Requests

Gold Bar Consultancy Services will assist the Controller in enabling data subjects to exercise their rights under applicable law, including:

  • Right of access (to obtain a copy of personal data)
  • Right to rectification (to correct inaccurate data)
  • Right to erasure (to delete personal data)
  • Right to restrict processing
  • Right to data portability (to receive data in a structured format)
  • Right to object (to opt out of processing)
  • Rights related to automated decision-making and profiling

5.2 Response Timelines

The Controller is responsible for responding to data subject requests within statutory timelines (typically 30 days). We will assist by providing relevant information within our possession promptly.

6. Security Measures

6.1 Technical Safeguards

We implement the following technical security measures:

  • SSL/TLS encryption for data in transit
  • AES-256 encryption for data at rest
  • Secure password hashing and authentication mechanisms
  • Firewalls and intrusion detection systems
  • Regular security audits and vulnerability assessments
  • Automatic backups with secure recovery procedures

6.2 Organizational Safeguards

We implement the following organizational security measures:

  • Access controls limiting data access to authorized personnel
  • Employee confidentiality and non-disclosure agreements
  • Data protection training for staff handling personal data
  • Segregation of duties and role-based access control
  • Incident response procedures and breach notification protocols
  • Vendor management and subprocessor agreements

6.3 Physical Safeguards

We implement the following physical security measures:

  • Secure facilities with controlled access
  • Video surveillance and monitoring
  • Environmental controls (climate, fire suppression)
  • Secure device management and destruction

7. Sub-processors

7.1 Authorized Subprocessors

We may engage third-party subprocessors to assist in delivering services. Current authorized subprocessors include:

  • Hosting Provider: Laragon/Local Server Infrastructure
  • Email Service: Email hosting and communication platforms
  • Analytics: Google Analytics (for non-sensitive website analytics)
  • Cloud Storage: Encrypted backup and storage services

7.2 Subprocessor Notification

We will notify the Controller of any additions, changes, or removals of subprocessors before they begin processing personal data. The Controller may object to new subprocessors by notifying us within 15 days.

7.3 Subprocessor Agreements

All subprocessors are bound by written data processing agreements containing terms equivalent to this DPA.

8. Data Breach Notification

8.1 Breach Detection and Notification

In the event of a confirmed or suspected personal data breach, we will notify the Controller without undue delay and in no case later than 48 hours after discovery. Notification will include:

  • Nature and scope of the breach
  • Categories and number of affected data subjects (if known)
  • Likely consequences of the breach
  • Measures we have taken or propose to take
  • Contact information for further inquiries

8.2 Controller Notification Responsibility

The Controller is responsible for notifying relevant authorities and affected data subjects as required by law. We will provide reasonable assistance in meeting these obligations.

8.3 Investigation and Remediation

We will conduct a prompt investigation into any breach, document our findings, and implement remedial measures to prevent recurrence.

9. Data Transfers

9.1 International Transfers

If personal data is transferred outside Zimbabwe or the EU/EEA (if applicable), we ensure compliance through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules (BCRs) for group transfers
  • Adequacy decisions where available
  • Your explicit consent

9.2 Transfer Mechanism Documentation

Documentation of transfer mechanisms is available upon request and will be provided to the Controller before any transfers occur.

10. Audit Rights

10.1 Audits and Inspections

The Controller may, upon reasonable notice, audit our compliance with this DPA. Audits may be conducted:

  • Directly by the Controller (no more than annually unless justified)
  • Through a third-party auditor under confidentiality obligations
  • By regulatory authorities as part of legal compliance

10.2 Audit Scope

Audits will be limited to verification of compliance with data protection obligations and security measures. Audits will not interfere with normal business operations.

10.3 Remediation of Findings

We will address any audit findings promptly and document remedial actions taken.

11. Data Return and Deletion

11.1 Upon Termination

Upon termination or expiration of the service engagement, we will:

  • Return all personal data to the Controller in a structured, commonly used format
  • Delete personal data from our systems, unless retention is required by law
  • Certify in writing that all deletion has been completed

11.2 Retention Exceptions

We may retain personal data to the extent required by applicable law, provided the data is:

  • Processed only for legal compliance purposes
  • Kept secure and confidential
  • Deleted when retention is no longer legally required

12. Documentation and Records

12.1 Processing Records

We maintain comprehensive records of all personal data processing activities, including:

  • Purpose of processing and legal basis
  • Categories of personal data and data subjects
  • Retention periods and deletion procedures
  • Security measures implemented
  • Subprocessor information

12.2 Documentation Availability

Documentation will be made available to the Controller and regulatory authorities upon request.

13. Liability and Remedies

13.1 Liability

Liability for data protection breaches is governed by applicable law. In jurisdictions permitting contractual liability caps, our liability is limited to the value of the service engagement.

13.2 Remedies

Data subjects may pursue remedies under applicable law, including claims for damages, regulatory fines, and injunctive relief.

14. Compliance with Law

14.1 Applicable Laws

This DPA complies with:

  • General Data Protection Regulation (GDPR) - EU/EEA
  • California Consumer Privacy Act (CCPA) - USA
  • Personal Information Protection and Electronic Documents Act (PIPEDA) - Canada
  • Zimbabwe Data Protection Act
  • Other applicable international and local data protection regulations

14.2 Government Requests

If we receive a government or court request for personal data, we will:

  • Notify the Controller promptly (unless legally prohibited)
  • Disclose only the minimum information required
  • Seek to challenge overly broad requests

15. Amendment and Effectiveness

15.1 Modifications

We may modify this DPA with 30 days' written notice to the Controller. Modifications will not materially reduce the Controller's rights without the Controller's consent.

15.2 Effective Date

This DPA is effective as of the date listed above and remains in effect for the duration of the service engagement and retention periods afterward.

16. Contact Information

For questions about this DPA or our data protection practices, please contact:

  • Email: goldbarinvestments56@gmail.com
  • Phone: +263 775 195 853
  • Address: 3 Trent Crescent, Marlborough, Harare, Zimbabwe

© 2025 Gold Bar Consultancy Services. Golden Value Addition.