Data Processing Agreement (DPA)
KohaSupport
This Data Processing Agreement applies where KohaSupport processes personal data on behalf of a client in connection with KohaSupport services.
1. Roles of the Parties
For the purposes of applicable data protection law:
- the Client acts as the data controller; and
- KohaSupport acts as the data processor,
except where KohaSupport acts as a controller for its own business records, billing, support correspondence, or legal compliance obligations.
2. Scope of Processing
KohaSupport processes personal data only to provide the agreed services.
This may include:
- hosting or supporting Koha library system deployments,
- processing patron and staff data within the service environment,
- providing technical support and service-related communications,
- maintaining backups, logs, and service records reasonably necessary to operate the service.
The categories of personal data and data subjects depend on the client’s use of the service and may include patron data, staff account data, and circulation-related records.
3. Processing Instructions
KohaSupport will process personal data only on documented instructions from the Client, unless otherwise required by applicable law.
The Client is responsible for:
- determining the purposes and lawful basis of processing,
- configuring the service for its own compliance needs,
- providing any required notices to data subjects.
KohaSupport will not sell client personal data or use it for unrelated marketing purposes.
4. Confidentiality
KohaSupport will ensure that persons authorized to process personal data are subject to appropriate confidentiality obligations.
5. Security Measures
KohaSupport will implement appropriate technical and organizational measures designed to protect personal data, taking into account the nature of the processing and the risks involved.
These measures may include, where appropriate:
- encryption in transit and at rest,
- access controls,
- logging and monitoring,
- backup and recovery measures,
- security updates and administrative safeguards.
No specific certification, audit standard, uptime target, or service level is promised in this DPA unless separately agreed in writing.
6. Sub-processors
KohaSupport may use sub-processors where reasonably necessary to provide the service.
Sub-processors may include providers for:
- cloud infrastructure,
- billing and payment processing,
- transactional email delivery,
- other service-related infrastructure.
Where required, KohaSupport will impose data protection obligations on sub-processors appropriate to the services they provide.
A current sub-processor list may be provided on request or made available through KohaSupport documentation.
7. Assistance to the Client
Taking into account the nature of the processing and the information available to KohaSupport, KohaSupport will provide reasonable assistance to the Client in relation to:
- data subject rights requests,
- security of processing,
- personal data breach notification obligations,
- data protection impact assessments or regulator consultations, where applicable.
Such assistance will be provided to the extent reasonably possible and may be subject to the service scope or additional fees where significant extra work is required.
8. Personal Data Breaches
If KohaSupport becomes aware of a personal data breach affecting personal data processed on behalf of the Client, KohaSupport will notify the Client without undue delay.
KohaSupport will provide information reasonably available at the time so the Client can assess and meet its own legal obligations.
9. Return and Deletion of Data
Upon termination of the relevant service, KohaSupport will, on request and subject to applicable law and technical feasibility:
- return personal data to the Client, or
- delete personal data from active service systems.
KohaSupport may retain data where required by law, for legitimate recordkeeping purposes, or where data remains in routine backups until overwritten in the ordinary course.
10. International Transfers
Where personal data is processed outside the country chosen by the Client, KohaSupport will use appropriate safeguards where required by applicable law.
11. Demonstrating Compliance
KohaSupport will make available information reasonably necessary to demonstrate compliance with this DPA.
Any audit, inspection, or additional information request must be reasonable in scope, subject to confidentiality, and must not unreasonably interfere with KohaSupport’s business operations.
Unless otherwise required by law or agreed in writing, on-site audits are not included by default.
12. Liability
This DPA does not create any separate indemnity or service level commitment.
Liability relating to the services and this DPA will be governed by the main agreement between the parties, if any, and by applicable law.
13. Order of Precedence
If there is a conflict between this DPA and the main service agreement, the terms of the DPA will control only to the extent required for data protection compliance.
14. Contact
For DPA-related questions, contact:
KohaSupport
Email: [email protected]
Website: https://kohasupport.com/contact/
This DPA forms part of the applicable service arrangement between KohaSupport and the Client.