Book a Call
Home/Data Processing (DPA)

Data Processing Agreement

Last updated: June 24, 2026

This page summarizes the Data Processing Agreement (DPA) that governs how Gigabit processes personal data on behalf of clients during an engagement. The executed DPA attached to your master services agreement is the binding version.

01Roles

When we deliver an engagement, the client is the data controller and Gigabit is the data processor. We process personal data only on documented instructions from the client, except where law requires otherwise.

02Scope of processing

The subject matter, duration, nature, and purpose of processing, the types of personal data, and the categories of data subjects are defined in the relevant order or statement of work. Processing is limited to what is needed to deliver the agreed services.

03Security measures

We apply appropriate technical and organizational measures — encryption, access control, logging, and secure development practices — to protect personal data. See our Security page for an overview.

04Sub-processors

We use vetted sub-processors (e.g. infrastructure and tooling providers) under contracts that impose data-protection obligations equivalent to ours. We maintain a current list and give clients advance notice of changes so they can object.

05Data-subject requests

We assist the client, taking into account the nature of processing, in responding to requests from data subjects exercising their rights, and in meeting the client’s security, breach-notification, and impact-assessment obligations.

06Regulated workloads

For healthcare engagements that touch protected health information, we sign a Business Associate Agreement (BAA) and build HIPAA-aware from day one. For regulated and confidential work generally, we execute mutual NDAs before any data is shared, and we honor PCI-aware controls on fintech engagements.

07Breach notification

We notify the client without undue delay after becoming aware of a personal-data breach affecting their data, and we provide the information reasonably needed to meet their notification obligations.

08Return and deletion

On termination of the services, we return or delete personal data at the client’s choice, except where law requires retention. To request the current DPA, a BAA, or our sub-processor list, email hello@gigabit.agency.