1. Introduction and Definitions
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer," "Data Controller") and UNISEN Systems ("Processor," "we," "us") for the provision of services.
1.1 Definitions
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on Personal Data, including collection, storage, use, or disclosure
- Data Controller: The entity that determines the purposes and means of processing Personal Data (Customer)
- Data Processor: The entity that processes Personal Data on behalf of the Data Controller (UNISEN Systems)
- Data Subject: The individual to whom Personal Data relates
- Sub-processor: Any third party engaged by the Processor to process Personal Data
Important: This DPA applies to all Personal Data processed by UNISEN Systems on behalf of the Customer through our services.
2. Scope and Applicability
This DPA applies to:
- All Personal Data processed through LedgerOne ERP, AccountOne ERP, and custom solutions
- Customer data, employee data, and end-user data stored in our systems
- Data processed during the provision of support and maintenance services
3. Roles and Responsibilities
3.1 Customer as Data Controller
The Customer:
- Determines the purposes and means of processing Personal Data
- Is responsible for ensuring a lawful basis for processing
- Must obtain necessary consents from Data Subjects
- Is responsible for the accuracy and legality of data provided
- Must comply with applicable data protection laws
- Is responsible for responding to Data Subject requests
3.2 UNISEN Systems as Data Processor
UNISEN Systems:
- Processes Personal Data only on documented instructions from the Customer
- Ensures authorized personnel are bound by confidentiality
- Implements appropriate technical and organizational security measures
- Assists the Customer in responding to Data Subject requests
- Assists the Customer in ensuring compliance with data protection obligations
- Deletes or returns Personal Data upon termination of services
4. Data Processing Instructions
UNISEN Systems will process Personal Data only:
- As necessary to provide the contracted services
- As instructed by the Customer through the use of the services
- As required by applicable law
- As documented in this DPA and related agreements
If we believe an instruction violates applicable law, we will inform the Customer immediately.
5. Security Measures
5.1 Technical Measures
- Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256)
- Access Controls: Role-based access control and multi-factor authentication
- Network Security: Firewalls, intrusion detection, and regular security audits
- Secure Development: Security testing and code reviews
- Vulnerability Management: Regular security patches and updates
5.2 Organizational Measures
- Access Limitation: Only authorized personnel can access Personal Data
- Confidentiality: All personnel bound by confidentiality agreements
- Training: Regular security and privacy training for staff
- Incident Response: Documented procedures for security incidents
- Data Minimization: Processing only necessary data
5.3 Physical Security
- Secure data centers with 24/7 monitoring
- Restricted physical access to servers and infrastructure
- Environmental controls (fire suppression, climate control)
- Backup power systems
6. Sub-processors
6.1 Authorization
The Customer authorizes UNISEN Systems to engage sub-processors for specific processing activities, including:
- Cloud hosting providers
- Payment processors
- Email service providers
- Analytics services
6.2 Sub-processor Requirements
UNISEN Systems ensures that sub-processors:
- Are bound by data protection obligations equivalent to this DPA
- Implement appropriate security measures
- Process data only as instructed
- Are subject to regular audits and assessments
6.3 Changes to Sub-processors
We will notify customers of any new sub-processors with 30 days' advance notice. Customers may object to new sub-processors within 15 days of notification.
7. Data Subject Rights
UNISEN Systems will assist the Customer in fulfilling Data Subject requests:
7.1 Right of Access
We will provide tools and assistance to help customers respond to access requests within required timeframes.
7.2 Right to Rectification
Customers can update or correct Personal Data through the application interface.
7.3 Right to Erasure
We will delete Personal Data upon customer request, subject to legal retention requirements.
7.4 Right to Data Portability
We provide export functionality to enable data portability in standard formats.
7.5 Right to Object
We will assist customers in implementing objections to processing where applicable.
8. Data Breach Notification
8.1 Notification to Customer
In the event of a Personal Data breach, UNISEN Systems will:
- Notify the Customer without undue delay (within 72 hours of discovery)
- Provide details of the breach, including affected data and individuals
- Describe measures taken to address the breach
- Provide recommendations to mitigate potential harm
- Cooperate with the Customer's investigation
8.2 Breach Response
We will:
- Take immediate steps to contain and remediate the breach
- Preserve evidence for investigation
- Document the breach and response actions
- Implement measures to prevent future breaches
9. Data Transfers
Personal Data may be transferred to and processed in countries outside of Pakistan:
- We ensure appropriate safeguards are in place for international transfers
- Data is transferred only to countries with adequate data protection laws
- Standard contractual clauses are used where required
- Customers will be informed of data transfer locations upon request
10. Data Retention and Deletion
10.1 Retention Period
- Personal Data is retained for the duration of the service agreement
- Data may be retained longer if required by law
- Backup data is retained for 30 days
10.2 Data Deletion
Upon termination of services:
- Customer data will be available for export for 30 days
- After 30 days, all Personal Data will be securely deleted
- Deletion includes all backups and copies
- Deletion certificate provided upon request
11. Audits and Compliance
UNISEN Systems will:
- Maintain records of processing activities
- Make available information necessary to demonstrate compliance
- Allow for and contribute to audits by the Customer or appointed auditor
- Provide audit reports and certifications upon request
- Conduct regular internal security audits
12. Liability and Indemnification
Each party's liability under this DPA is subject to the limitations in the main service agreement. UNISEN Systems is liable only for damages caused by failure to comply with this DPA or by acting outside lawful instructions.
13. Term and Termination
This DPA:
- Remains in effect for the duration of the service agreement
- Survives termination with respect to data deletion obligations
- May be updated to reflect changes in data protection laws
14. Governing Law
This DPA is governed by the laws of Pakistan and applicable international data protection regulations.
15. Contact Information
For questions about data processing or to exercise data protection rights:
- Email: [email protected]
- Data Protection Officer: [email protected]
- Phone: +92 (346) 891-8711 | +92 (335) 378-9981
- Address: Saadi Town Block 1, R766, Karachi, Sindh 75340
Note: This DPA supplements our Privacy Policy and Terms of Service. In case of conflict, this DPA takes precedence for data processing matters.