Data Processing Agreement (DPA)
KohaSupport
KohaSupport Services
Last updated: January 11, 2022
Structure
This DPA is structured as follows:
| Section | Content |
|---|---|
| Section A | Key Terms |
| Section B | Processing Instructions |
| Section C | Security Measures |
| Section D | Sub-Processors |
| Section E | Data Subject Rights |
| Section F | Audit and Compliance |
| Section G | Data Breach Notification |
| Section H | Data Deletion and Return |
| Section I | Liability and Indemnification |
| Section J | Governing Law and Dispute Resolution |
| Section K | Amendments |
Section A: Key Terms
Parties
Data Controller: The Client (library or organization using KohaSupport services)
Data Processor: KohaSupport
Definitions
Personal Data: Any information relating to library patrons, staff, or other identifiable individuals processed through the Koha library system.
Processing: Any operation performed on personal data, including collection, storage, retrieval, use, transmission, and deletion.
Sub-Processor: Third-party service providers engaged by KohaSupport to assist in providing services.
Scope of Processing
Subject Matter: Provision of Koha library management system hosting and support services
Duration: For the term of the service agreement
Nature and Purpose:
- Hosting library catalog databases
- Managing patron records
- Processing circulation transactions
- Providing technical support
Types of Personal Data:
- Patron names and contact information
- Library card numbers
- Borrowing history
- Account status and fines
- Staff user accounts
Categories of Data Subjects:
- Library patrons
- Library staff members
- Vendors and suppliers
Section B: Processing Instructions
General Instructions
- KohaSupport shall process personal data only on documented instructions from the Client
- Instructions may be provided through:
  - The service agreement
  - Email communications
  - Service dashboard controls
  - Technical support tickets
Prohibited Processing
KohaSupport shall NOT:
- Process personal data for its own purposes
- Sell or share data with third parties for marketing
- Transfer data outside agreed locations without authorization
- Retain data beyond agreed retention periods
Data Location
Primary Data Center: AWS US-East-1 (Virginia)
Backup Location: AWS US-West-2 (Oregon)
Geographic Restriction: United States only (unless otherwise agreed)
Section C: Security Measures
Technical Measures
- Encryption
  - TLS 1.3 for data in transit
  - AES-256 encryption for data at rest
  - Encrypted database backups
- Access Control
  - Multi-factor authentication
  - Role-based access controls
  - Audit logging of all access
- Network Security
  - Firewall protection
  - DDoS mitigation
  - Regular security scanning
- Backup and Recovery
  - Daily automated backups
  - 30-day retention period
  - Tested recovery procedures
Organizational Measures
- Staff Training
  - Annual GDPR and privacy training
  - Security awareness programs
  - Confidentiality agreements
- Incident Response
  - 24/7 monitoring
  - Incident response procedures
  - Breach notification protocol
- Vendor Management
  - Sub-processor due diligence
  - Contractual data protection obligations
  - Regular vendor assessments
Section D: Sub-Processors
Authorized Sub-Processors
KohaSupport uses the following sub-processors:
| Sub-Processor | Service | Location | Purpose |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud Infrastructure | United States | Hosting and storage |
| Stripe | Payment Processing | United States | Billing services |
| SendGrid | Email Delivery | United States | Transactional emails |
Sub-Processor Changes
- KohaSupport will notify the Client of any intended changes to sub-processors
- Client has 30 days to object to new sub-processors
- If the Client objects, the parties will work together to find an alternative solution
Section E: Data Subject Rights
Assistance with Rights Requests
KohaSupport will assist the Client in responding to data subject requests:
- Access Requests: Provide data exports in common formats
- Rectification: Enable data correction through system interfaces
- Erasure: Delete data upon instruction (subject to legal retention)
- Portability: Provide data in machine-readable format
- Restriction: Implement processing restrictions as instructed
Response Time
KohaSupport will respond to rights assistance requests within:
- Urgent requests: 48 hours
- Standard requests: 5 business days
Section F: Audit and Compliance
Audit Rights
The Client may:
- Request information demonstrating compliance
- Conduct audits (with reasonable notice)
- Engage third-party auditors (subject to confidentiality)
Compliance Documentation
KohaSupport maintains:
- SOC 2 Type II report (available upon request)
- AWS compliance certifications
- Security assessment reports
- Incident logs
Audit Process
- Client provides 30 days written notice
- Audits conducted during business hours
- KohaSupport provides reasonable assistance
- Audit findings shared within 15 days
- Remediation plan for any issues identified
Section G: Data Breach Notification
Notification Procedure
In the event of a personal data breach, KohaSupport will:
- Immediate Actions (within 24 hours)
  - Contain and investigate the breach
  - Notify the internal security team
  - Begin evidence preservation
- Client Notification (within 72 hours)
  - Description of the breach
  - Categories and approximate number of affected records
  - Likely consequences
  - Measures taken or proposed
- Ongoing Communication
  - Regular updates during the investigation
  - Final incident report
  - Lessons learned and improvements
Section H: Data Deletion and Return
Upon Termination
Within 30 days of service termination, KohaSupport will:
- Client Choice:
  - Return all personal data in an agreed format, OR
  - Securely delete all personal data
- Deletion Process:
  - Remove from production systems
  - Delete from all backups
  - Provide a certificate of deletion
- Retention Exceptions:
  - Legal or regulatory requirements
  - Anonymized data for statistical purposes
  - Data necessary for dispute resolution
Section I: Liability and Indemnification
Liability
Each party is liable for damages caused by breach of this DPA, subject to:
- Limitations in the main service agreement
- Applicable law
- Force majeure exceptions
Indemnification
KohaSupport will indemnify the Client, where the loss results from KohaSupport’s breach of this DPA, for:
- Fines imposed by supervisory authorities
- Claims by data subjects
- Direct damages
Section J: Governing Law and Dispute Resolution
Governing Law: Laws of the State of Delaware, United States
Dispute Resolution:
- Good faith negotiations
- Mediation
- Binding arbitration
- Courts of competent jurisdiction
Section K: Amendments
This DPA may be amended:
- By mutual written agreement
- To comply with changes in data protection law
- On 30 days' written notice
Contact Information
For DPA-related inquiries:
KohaSupport
KohaSupport Data Protection Team
Email: support@kohasupport.com
Website: https://kohasupport.com/contact/
Execution
This DPA is incorporated into and forms part of the service agreement between the parties.
Effective Date: Date of service agreement execution
KohaSupport
Committed to Data Protection and Privacy