Data Processing Agreement

1.1. "Data Transfer" means a transfer of the Personal Data from the Controller to the Processor, or between two establishments of the Processor, or with a Sub-processor by the Processor.

1.2. "EU GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

1.3. "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

1.4. "Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

1.5. "Sub-processor" means a processor/sub-contractor appointed by the Processor for the provision of all or parts of the Services and Processes the Personal Data as provided by the Controller.

6.1. The Data Controller shall warrant that it has all necessary rights to provide the Personal Data to the Data Processor for the Processing to be performed. The Controller is responsible for ensuring appropriate legal basis for processing and obtaining necessary Data Subject consents.

6.2. The Data Controller shall provide all natural persons from whom it collects Personal Data with the relevant privacy notice.

6.3. The Data Controller shall request the Data Processor to purge Personal Data when required by the Data Controller or any Data Subject unless the Data Processor is required to retain the Personal Data by applicable law.

6.4. The Data Controller shall immediately advise the Data Processor in writing if it receives or learns of any:

• Complaint indicating a violation of Data Privacy Laws regarding Personal Data
• Request from individuals seeking to access, correct, or delete Personal Data
• Inquiry or complaint relating to the collection, processing, use, or transfer of Personal Data
• Regulatory request or legal process seeking Personal Data

7.1. The Processor will follow written and documented instructions received from the Controller with respect to the Processing of Personal Data.

7.2. The Processing described in the Agreement and relating documentation shall be considered as Instruction from the Controller.

7.3. The Data Processor will provide reasonable assistance to the Data Controller in responding to requests by Data Subjects exercising their rights or regulatory authorities regarding Personal Data processing.

7.4. The Processor shall inform the Controller if, in its opinion, a processing instruction infringes applicable legislation or regulation.

7.5. The Data Processor shall assist the Data Controller in conducting any necessary Data Protection Impact Assessments (DPIAs), as required under GDPR.

8.1. The Processor will use personnel who are informed of the confidential nature of the Personal Data and perform the Services in accordance with the Agreement.

8.2. The Processor will regularly train individuals having access to Personal Data in data security and data privacy and ensure that all Personal Data is kept strictly confidential.

8.3. The Processor will maintain appropriate technical and organizational measures for protection of the security, confidentiality, and integrity of Personal Data, including:

• Encryption of data in transit and at rest
• Access controls and authentication mechanisms
• Regular security assessments and monitoring
• Incident response procedures
• Secure data backup and recovery systems

9.1. Upon Controller's reasonable request, the Processor will make available information necessary to demonstrate compliance with obligations under EU GDPR.

9.2. When the Controller wishes to conduct an audit at Processor's site, it shall provide at least fifteen (15) days' prior written notice. The Processor will provide reasonable cooperation and assistance.

9.3. The Controller shall bear the expense of such an audit.

10.1. The Controller acknowledges that the Processor may engage third-party Sub-processors in connection with the performance of Services. Current Sub-processors include:

• Cloud hosting providers (AWS, Google Cloud, etc.)
• Analytics services (Google Analytics)
• Communication platforms (email services)
• Payment processors (Stripe, PayPal)
• Customer support tools

10.2. The Processor shall notify the Controller at least thirty (30) calendar days in advance of any intended changes or additions to Sub-processors.

10.3. The Processor shall remain liable to Controller for any failure by a Sub-processor to fulfill its data protection obligations.

11.1. The Processor shall maintain defined procedures for Personal Data Breaches and notify the Controller without undue delay upon becoming aware of any breach unless unlikely to result in risk to rights and freedoms of natural persons.

11.2. The Processor shall provide reasonable assistance to comply with breach notification requirements to Supervisory Authorities and Data Subjects.

11.3. Processor's notification of or response to a breach will not be construed as an acknowledgement of fault or liability.

12.1. Upon termination of the Agreement, the Processor shall return to the Controller all Personal Data or delete it as instructed by the Controller within thirty (30) days.

12.2. The Processor shall delete Personal Data including all copies as soon as reasonably practicable following the end of the Agreement, unless retention is required by applicable law.