# Data processing agreement (DPA)

> Learn more about Data Processing Agreement in Holistics here

:::tip Where to sign this document
Sign the Holistics Data Processing Agreement at: https://go.holistics.io/signdpa
:::

## Holistics Data Processing Agreement (DPA)

_Last Updated: 28 May 2026_

**Definitions**

"California Personal Information" means Personal Data that is subject to the protection of the CCPA.

"CCPA" means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).

"Consumer", "Business", "Sell" and "Service Provider" shall have the meanings given to them in the CCPA.

"Customer" refers to the Customer on a paid subscription plan with Holistics as described in the Terms, and all of its Affiliates.

"Customer Data" or "Customer Database" refers to all data residing in the Customer's database(s) and data source(s) connected to Holistics by Customer.

"Customer End Users" means the employees of the Customer who have been invited to access the Holistics Subscription Service in their customer account, or are in contact with Holistics.

"Data Protection Laws" means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws (EU and UK GDPR), the US CCPA, the Swiss FDPA, the Singapore PDPA, and the data protection and privacy laws of Australia; in each case as amended, repealed, consolidated or replaced from time to time.

"Data Subject" means the individual to whom "Personal Data" relates.

"Database Metadata" refers to the following categories of metadata from the customers' database which includes broadly (but not limited to):

- User credentials of data source(s), applied with the necessary security encryption before storing in Holistics database.
- The metadata (e.g. names of schemas, tables, fields, model relationships descriptions) of the database tables, excluding physical data record entries.
- The metadata of definitions of objects created within the Holistics application (dashboards, data sets, data models, automated schedules).
- Any other metadata that may be added from time to time.

"Europe" means the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.

"European Data" means Personal Data that is subject to the protection of European Data Protection Laws.

"European Data Protection Laws" means data protection laws applicable in Europe, including:

1. Regulation 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, "GDPR");
2. Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector;
3. Applicable national implementations of (i) and (ii);
4. UK GDPR as it forms part of UK domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018;
5. Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss DPA”), as may be amended, superseded, or replaced.

"Instruction" means the written instruction, issued by Customer to Holistics, and directing the same to perform a specific action with regard to the Customer Database (including, but not limited to, depersonalising, blocking, deletion, making available). Instructions shall initially be specified in the Terms and may, from time to time thereafter, be amended, amplified or replaced by Customer in separate written instructions (individual instructions).

"PDPA" refers to the Personal Data Protection Act 2012 legislated in Singapore.

"Personal Data" means the personal data contained within the Customer Database, including any special categories of personal data defined under the Data Protection Laws of each jurisdiction, in each case processed by Holistics under the Terms.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Holistics and/or its Sub-Processors in connection with the provision of the Subscription Services. "Personal Data Breach" shall not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

"Process" or "Processing" means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.

"SCCs" means the Customer SCCs and/or SCCs as applicable, including:

- Module 2: From a controller based in Europe to a processor (C2P)
- Module 3: From a processor based in Europe to a processor (P2P)
- UK SCC: From a controller based in UK to a Processor

"Sub-Processor" means any Processor engaged by Holistics or its Affiliates to assist in fulfilling the obligations with respect to the provision of the Subscription Services under the Agreement. Sub-Processors may include third parties or Affiliates but will exclude any Holistics employee or consultant.

"Temporary Cached Query Results" refer to all results provided to Customer, Customer End Users, or for System Consumption (APIs) for queries executed against Customer Database via Holistics for technical and performance reasons. These results are cached temporarily and will automatically expire after a specific time (minimum 10 minutes) after a unique SQL query is executed from the Customer Database.

"Terms" refers to the Terms of Service at https://www.holistics.io/terms.

### Introduction

This Data Processing Agreement ("DPA") reflects the parties' agreement with respect to the terms governing the Processing of data in the Customer Database under the Holistics Customer Terms of Service ("Terms"), and supersedes any previously signed DPA on an earlier date.

The DPA is an add-on to, and forms an integral part of, the Terms. It is effective upon its incorporation into the Terms, an online self-service purchase, or an Order or an executed amendment to the Agreement.

The terms "personal data", "data subject", "processing", "controller" and "processor" used in this DPA have the meanings given in the GDPR irrespective of whether European Data Protection Law or Non-European Data Protection Law applies.

The terms "Personal Data", "Customer Data", and "Customer Database" may be used interchangeably in this DPA.

This DPA shall follow the term of the Terms, including but not restricted to the Terms clauses "Account Information from Third Party Providers", "Limitation of Liability" and "Indemnification" clauses. In case of any conflict or inconsistency with the Terms, this DPA will take precedence to the extent of such conflict or inconsistency.

The duration of Processing shall be the same as the duration of the Terms and this DPA. The clauses of this DPA shall follow the Terms. Definitions not otherwise defined above herein shall have the meaning as set forth in the Terms.

### Holistics' Responsibilities

Holistics will only Process Customer Database for the purposes described in this DPA or as otherwise agreed within the scope of the Customer's Instructions, except where and to the extent otherwise required by applicable law.

Holistics will only access or use Customer Database to provide the Services ordered by Customer and will not use it for any other Holistics products, services, advertising, or to resell the data.

Holistics is not responsible for compliance with any Data Protection Laws applicable to the Customer's industry that are not applicable to us.

Holistics shall email the customer if we become aware of a confirmed breach and also further:

- Take any such reasonably necessary measures and actions to remedy or mitigate the effects of the Breach; and
- Keep the Customer informed of all material developments in connection with the Breach.
- Provide reasonable information and cooperation so that the Customer can fulfill any data breach reporting obligations it may have under (and in accordance with the timescales required by) the applicable Data Protection law.

If any such request, correspondence, enquiry or complaint is made directly to Holistics, Holistics will promptly inform the Customer providing full details of the same.

Holistics will take the appropriate technical and organisational measures (listed in Annex 2) to adequately protect Customer Database against misuse and loss in accordance with the requirements of the applicable national data protection law. Such measures hereunder shall include, but not be limited to:

- the prevention of unauthorised persons from gaining access to Customer Database (physical access control),
- the prevention of Customer Database from being accessed without authorisation (logical access control),
- ensuring that Customer Database cannot be read, copied, modified or deleted without authorisation during electronic transmission and Holistics Software instance (data transfer control),
- having a reasonable audit trail system in place to document whether and by whom information on Customer Database has been entered into, modified in, or removed from Customer Database (entry control),
- ensuring that data from Customer Database are processed solely in accordance with the Instructions (control of instructions),
- persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Holistics Data Protection Team will provide prompt and reasonable assistance with any Customer queries related to processing of Customer Personal Data under the Agreement and can be contacted at %%CONTACT%%.

### Customer Responsibilities

Customer is responsible for complying with all applicable Data Protection Laws with respect to its Processing of Personal Data in the Customer Database connected to Holistics.

Customer shall retain title to their Customer Database connected to the Holistics Software instance and take technical safeguards to provision (and not over-provision) the appropriate level of data source connection for the user credentials supplied to Holistics.

Customer shall be solely responsible for:

- the accuracy, quality, and legality of Customer Database and the means in which Personal Data is acquired;
- complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations (particularly for use by Customer for marketing purposes);
- complying with the statutory requirements relating to data protection, in particular regarding safeguards against unauthorized access to Customer Database from Holistics software systems.

Customer shall inform Holistics without undue delay and comprehensively about any errors or irregularities related to statutory provisions on the Processing of Customer Database detected during a verification of the results of such Processing.

Customer is responsible for security relating to its environment and databases and security relating to its configuration of the Software. This includes implementing and managing procedural, technical, and administrative safeguards on its software and networks sufficient to:

- ensure the confidentiality, security, integrity, and privacy of Customer Database in transit, at rest, and in storage;
- protect against any anticipated threats or hazards to the security and integrity of Customer Database; and
- protect against any unauthorized processing, loss, use, disclosure or acquisition of or access to Customer Database.

Customer will minimize the sharing of Personal Data of Data Subjects in the support tickets and emails information sent to Holistics. If such Personal Data needs to be included for troubleshooting, the Customer will deliberately add specific Instructions to handle such email communications. For the avoidance of doubt, emails sent by the Customer with generic company email content confidentiality boilerplates appended by default will not be classified as confidential information.

Notwithstanding any other provision of this DPA, the Terms or any other agreement related to the Software and Services, Holistics has no obligations or liability as to any breach or loss resulting from:

- The Customer's environment, databases, systems or software, or
- The Customer's security configuration or administration of the Software.

Customer is solely responsible for provisioning Users on the Software, including:

- methods of authenticating Users (such as industry-standard secure username/password policies, two-factor authentication etc);
- restricting access by User or group, and from the database level down to the row or column level;
- managing admin privileges;
- deauthorizing personnel who no longer need access to the Software;
- setting up any API usage in a secure way; and
- regularly auditing any public access links Users create and restricting the permission to create public links, as necessary.

Customer is responsible for removing the network connection between Customer Database and the Holistics Software Instance should they terminate the Subscription Service.

### Customer Database Sub-Processors

Customer consents to Holistics engaging affiliates and third party sub-processors to process data in Customer Database for the purpose as described in the Terms. Holistics will maintain an up-to-date list of its sub-processors. For avoidance of doubt, the above consent constitutes Customer's prior written consent to the sub-Processing by Holistics (Annex 3).

Holistics will impose data protection terms on any sub-processor it appoints as required to protect Customer Data to the standard required by the Data Protection Laws.

If Holistics intends to instruct sub-Processors other than the companies listed in Annex 3, Holistics will notify the Customer thereof in writing (email to the email address(es) on record in Processor's account information for Customer is sufficient) and will give the Customer the opportunity to object to the engagement of the new sub-Processors within 30 days after being notified. The objection, if raised, must be based on reasonable grounds (e.g. if the Customer proves that significant risks for the protection of its Customer Data exist at the sub-Processor).
In such an event, Holistics will either not appoint or replace the sub-processor or, if this is not possible, Customer may suspend or terminate the Terms (without prejudice to any fees incurred by Customer prior to suspension or termination).

**Data Transfers**

Customer acknowledges and agrees that Holistics may access and process Customer Data on a global basis as necessary to provide the Subscription Service in accordance with the Agreement, and in particular that Customer Data may be transferred to the data centre location(s) that Holistics operates in.

Holistics may store and process (i) Holistics Metadata and Usage Data and (ii) Temporary Cached Query Results anywhere Holistics or its Sub-processors maintain facilities, subject to Sections on Additional Provisions for European Data, Additional Provisions for California Personal Information, or other jurisdictions where Holistics operates in.

The physical data records residing in Customer Database will not be stored permanently by Holistics application servers outside of the purpose set in the Terms. Temporary Cached Query Results needed to visualize the dashboard data will be temporarily stored in Holistics, and will automatically expire after a specific time duration.

Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.

### Provisions Specific for European Data

The parties acknowledge and agree that European Data Protection Law will apply to the processing of Customer Data if:

- The processing is carried out in the context of the activities of an establishment of Customer in the territory of the EEA or the UK; and/or
- Customer Personal Data is personal data relating to data subjects who are in the EEA or the UK and the processing relates to the offering to them of goods or services in the EEA or the UK, or the monitoring of their behavior in the EEA or the UK.

Definitions:

- "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
- "Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

Relationship between Customer and Holistics:

Holistics is the Processor of the Customer Database for the purposes described in the Terms. If Customer:

- is the Controller of data (which may include Personal Data and Data Subjects) stored in the Customer Database, then SCC Module 2 applies (Annex 4A - Controller to Processor);
- is the Processor of data stored in the Customer Database, then SCC Module 3 applies (Annex 4B - Processor to Processor).

Holistics and the Customer shall be separately responsible for conforming with such statutory data protection regulations as are applicable to them.

Legacy MCCs:

The SCCs will, as of the Transition Date, supersede and terminate any Model Contract Clauses approved under Directive 95/46/EC and previously entered into by Customer and Holistics. The Transition Date means:

- October 27, 2021, if (a) Customer’s billing address is outside EMEA, and (b) the processing of Customer Personal Data is subject to European Data Protection Law.
- Otherwise, September 27, 2021.

Data Protection Impact Assessments and Consultation with Supervisory Authorities:

Holistics will (taking into account the nature of the processing and the information available to Holistics) assist Customer in ensuring compliance with its (or, where Customer is a processor, the relevant controller's) obligations under Articles 35 and 36 of the GDPR, by:

- Providing and updating our public documentation on technical security measures (see: /docs/security-compliance/data-security);
- Providing public documentation on how Holistics caching and job queuing mechanism work (see: /docs/performance/data-caching);
- Providing the Security Measures (Annex 2) contained in the Agreement including these Terms; and
- if the above subsections are insufficient for Customer (or the relevant controller) to comply with such obligations, upon Customer's request, providing Customer with additional reasonable cooperation and assistance.

Transfer Mechanism for Data Transfers:

Permitted Transfers: The parties acknowledge that European Data Protection Law does not require SCCs or an Alternative Transfer Solution in order for Customer Personal Data to be processed in or transferred to an Adequate Country ("Permitted Transfers").

Restricted Transfers: If the processing of Customer Personal Data is not processed in an Adequate Country, and European Data Protection Law applies to those transfers, then:

- The EU SCCs (EU Controller-to-Processor) will apply with respect to Restricted Transfers between Customer and Holistics that are subject to the EU GDPR and/or the Swiss FDPA; and
- the UK SCCs (UK Controller-to-Processor) will apply (regardless of whether Customer is a controller and/or processor) with respect to Restricted Transfers between Customer and Holistics that are subject to the UK GDPR.

Holistics agrees to abide by and process European Data in compliance with the Standard Contractual Clauses.

Although Holistics does not rely on the Singapore Personal Data Protection Act 2012 ("PDPA") as a legal basis for transfers of Personal Data, Holistics will inform Customer if it is unable to comply with this requirement if any conflicts arise.

The parties agree that for the purposes of the Standard Contractual Clauses:

- Holistics will be the "data importer" and Customer will be the "data exporter" (on behalf of itself and Permitted Affiliates);
- the Annexes of the Standard Contractual Clauses shall be populated with the relevant information set out in Annex 1 and Annex 2 of this DPA;
- if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses will prevail to the extent of such conflict.

To the extent that and for so long as the Standard Contractual Clauses as implemented in accordance with this DPA cannot be relied on by the parties to lawfully transfer Personal Data in compliance with the GDPR, the applicable standard data protection clauses issued, adopted or permitted under the GDPR shall be incorporated by reference, and the annexes, appendices or tables of such clauses shall be deemed populated with the relevant information set out in Annex 1 and Annex 2 of this DPA.

Demonstration of Compliance:

Holistics will make all information reasonably necessary to demonstrate compliance with this DPA available to Customer and allow for and contribute to audits, including inspections conducted by or an auditor appointed by Customer in order to assess compliance with this DPA.

Customer acknowledges and agrees to exercise audit rights under this DPA and Clause 8 of the Standard Contractual Clauses by instructing Holistics to comply with the audit measures described in this 'Demonstration of Compliance' section.

Customer acknowledges that the Subscription Service is hosted by our data center partners (listed in our sub-processors) who maintain independently validated security programs.

Holistics may charge a fee (based on Holistics' reasonable costs) for any audit under Demonstration of Compliance. Holistics will provide the Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.

Holistics may object in writing to an auditor appointed by Customer to conduct any audit under Demonstration of Compliance if the auditor is, in Holistics' reasonable opinion, not suitably qualified or independent, a competitor of Holistics, or otherwise manifestly unsuitable. Any such objection by Holistics will require the Customer to appoint another auditor or conduct the audit itself.

Processing Records:

Holistics will keep appropriate documentation of its processing activities. To the extent the GDPR requires Holistics to collect and maintain records of certain information relating to Customer, Customer will, where requested, supply such information to Holistics and keep it accurate and up-to-date. Holistics may make any such information available to the Supervisory Authorities if required by the GDPR.

No Modification of SCCs:

Nothing in the Agreement (including these Terms) is intended to modify or contradict any SCCs or prejudice the fundamental rights or freedoms of data subjects under European Data Protection Law.

### Provisions Specific for California Personal Information

This section will apply only with respect to California Personal Information residing in Customer Database.

When processing California Personal Information in accordance with Customer's Instructions, the parties acknowledge and agree that Customer is a Business and Holistics is a Service Provider for the purposes of the CCPA.

Both parties agree that Holistics will Process California Personal Information as a Service Provider strictly for the purpose of performing the Subscription Services or as otherwise permitted by the CCPA, including as described in our Terms.

### Limitation of Liability

Each party's liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Customer and Holistics, whether in contract, tort or under any other theory of liability, is subject to the 'Limitation of Liability' section of the Terms, and any reference in such section to the liability of a party means the aggregate liability of that party under the Agreement and all DPAs together.

For the avoidance of doubt, Holistics' total liability for all claims from the Customer arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement by the Customer.

### Governing Law and Disputes

This DPA will be governed by and construed in accordance with the laws of Singapore, unless otherwise required by:

- EU Data Protection Law, in which case this DPA will be governed by the laws of the Member State in which the Customer is established.
- CCPA, in which case this DPA will be governed by the laws of California, USA.
- the Data Protection Laws of each jurisdiction the Customer operates in

If Holistics becomes aware that Customer Data cannot be processed in accordance with the Customer's Instructions due to a legal requirement under any applicable law, Holistics will:

- promptly notify Customer of that legal requirement to the extent permitted by the applicable law; and
- where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Customer Data) until such time as the Customer issues new Instructions with which Holistics is able to comply.

If this provision is invoked, Holistics will not be liable to the Customer under the Agreement for any failure to perform the applicable Subscription Services until such time as Customer issues new lawful Instructions with regard to the Processing.

Arb-Med-Arb: Any dispute arising out of or in connection with this contract, including any question regarding its existence, validity or termination, shall be referred to and finally resolved by arbitration administered by the Singapore International Arbitration Centre ("SIAC") in accordance with the Arbitration Rules of the Singapore International Arbitration Centre ("SIAC Rules") for the time being in force, which rules are deemed to be incorporated by reference in this clause.

- The seat of the arbitration shall be Singapore.
- The Tribunal shall consist of one (1) arbitrator(s).
- The language of the arbitration shall be English.

### Core documents and annexes

These documents always form part of this DPA:

- This Data Processing Agreement (DPA), as defined in [https://docs.holistics.io/legal/dpa](https://docs.holistics.io/legal/dpa)
- Holistics Terms of Service (Terms), as defined in [https://holistics.io/terms](https://holistics.io/terms)
- [Annex 1: Subject Matter and Details of Data Processing](/legal/annex-subject-matter)
- [Annex 2: Security Measures](/legal/annex-security-measures) (Technical and Organisational Measures to ensure the security of the data)
- [Annex 3: List of Holistics Sub-Processors](/legal/annex-sub-processors)

### Selective annexes

These annexes apply to the Customer where relevant:

- [Annex 4A: EU SCC Module 2 (Controller to Processor)](/legal/annex-eu-scc-controller-to-processor)
- [Annex 4B: EU SCC Module 3 (Processor to Processor)](/legal/annex-eu-scc-processor-to-processor)
- [Annex 5: UK SCC (Controller to Processor)](/legal/annex-uk-scc)

%%SIGNATORY%%