Skip to content
Corpshore Philippines

Legal

Data processing agreement

Last updated: 3 July 2026

This data processing agreement (DPA) sets out the terms on which Corpshore Philippines, as processor, handles personal data on behalf of a client, as controller, when providing outsourcing services. It forms part of, and is subject to, the parties' services agreement. A signed, engagement-specific DPA is provided on request; this version is a comprehensive template for review.

This document is provided in good faith and reviewed by qualified legal counsel before it is relied upon. If any part conflicts with a signed agreement between us, that agreement prevails.

1. Definitions and roles

Terms such as personal data, processing, controller, processor, data subject and personal data breach have the meanings given in the Data Privacy Act and, where it applies, the GDPR. The client is the controller and Corpshore Philippines is the processor, except where stated otherwise.

2. Scope and details of processing

We process personal data only to provide the agreed services and only on the controller's documented instructions, unless required by law. The subject matter, duration, nature and purpose of processing, the types of personal data, and the categories of data subjects are set out in the engagement schedule (Annex 1).

3. Our obligations as processor

  • Process personal data only on documented instructions from the controller.
  • Ensure persons authorized to process personal data are bound by confidentiality.
  • Implement appropriate technical and organizational security measures (Annex 2).
  • Assist the controller, so far as possible, in responding to data subject requests.
  • Assist the controller with security, breach notification, and data protection impact assessments.
  • At the controller's choice, delete or return personal data at the end of the services, and delete existing copies unless retention is required by law.
  • Make available information needed to demonstrate compliance and allow for audits.

4. Sub-processors

The controller authorizes the use of sub-processors listed in the engagement documentation. We impose data protection terms on sub-processors no less protective than this DPA, and we remain responsible for their performance. We inform the controller of intended changes and give an opportunity to object.

5. Security

We maintain measures appropriate to the risk, which may include access controls, encryption, network security, secure development practices, logging and monitoring, staff training, and physical security at delivery centers. These are described in Annex 2 and reviewed periodically.

6. Personal data breach

We notify the controller without undue delay after becoming aware of a personal data breach affecting the controller's data, and provide the information reasonably needed for the controller to meet its own notification obligations to authorities such as the National Privacy Commission and to data subjects.

7. International transfers

We do not transfer the controller's personal data outside the Philippines except as instructed or permitted by the controller, and subject to appropriate safeguards required by applicable law, including Standard Contractual Clauses where the GDPR applies.

8. Audits

We make available information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, conducted by the controller or an auditor it mandates, on reasonable notice and subject to confidentiality.

9. Liability and term

Liability under this DPA is governed by the services agreement. This DPA takes effect on the start of processing and continues until all of the controller's personal data has been deleted or returned in accordance with it.

Annexes

Annex 1 sets out the details of processing for the engagement. Annex 2 sets out the technical and organizational security measures. Annex 3 lists authorized sub-processors. These annexes are completed for each engagement.