
Data Processing Agreement

This Data Processing Agreement ("Agreement") is made and entered into as of the Effective Date by and between:

  1. Webrain OU, a company registered in Estonia, with its principal place of business at Harju maakond, Tallinn, Kesklinna linnaosa, Tuukri tn 19-315, 10120, Estonia ("Processor"), and
  2. The Customer ("Controller"), who has agreed to the Terms of Use and engages the Processor to provide hosting and related services.

This Agreement is an integral part of the Processor’s Terms of Use and applies to all processing of personal data undertaken in the course of providing services to the Controller.

1. Definitions

1.1. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.

1.2. "Personal Data" means any information relating to an identified or identifiable natural person as defined under Article 4(1) of the GDPR.

1.3. "Processing" means any operation performed on Personal Data, as defined under Article 4(2) GDPR.

1.4. "Subprocessor" means any third party engaged by the Processor to process Personal Data.

1.5. "Supervisory Authority" means the relevant data protection authority overseeing compliance with GDPR.

1.6. "Data Subject" means any identified or identifiable individual whose Personal Data is processed.

2. Purpose and Scope

2.1. The Processor shall process Personal Data only on behalf of and under the documented instructions of the Controller.

2.2. The Controller determines the purpose and means of processing, while the Processor provides hosting and related services as per the Terms of Use.

2.3. The processing activities covered include storage, retrieval, backup, deletion, and other operations necessary for service provision.

3. Processor's Obligations

3.1. The Processor shall:

  • Process Personal Data only on documented instructions from the Controller.
  • Implement appropriate technical and organizational measures to protect Personal Data.
  • Ensure that all employees and subprocessors handling Personal Data are bound by confidentiality obligations.
  • Assist the Controller in ensuring compliance with GDPR obligations, including responding to data subject requests.
  • Notify the Controller without undue delay in the event of a data breach.
  • Provide the Controller with audit rights to verify compliance with this Agreement.

4. Controller's Obligations

4.1. The Controller shall:

  • Ensure that Personal Data is collected and processed lawfully.
  • Provide Processor with documented instructions for processing Personal Data.
  • Ensure that appropriate consents are obtained where required under GDPR.
  • Be solely responsible for responding to data subject rights requests under GDPR.

5. Security Measures

5.1. The Processor shall implement appropriate technical and organizational security measures, including:

  • Encryption of Personal Data in transit and at rest.
  • Access controls ensuring only authorized personnel can access Personal Data.
  • Regular security testing and audits.
  • Incident detection and response plans to mitigate security risks.

6. Data Breach Notification

6.1. The Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of a personal data breach.
6.2. The notification shall include:

  • The nature of the breach.
  • The categories and approximate number of affected Data Subjects.
  • The likely consequences of the breach.
  • Measures taken to mitigate the breach.

7. Subprocessors

7.1. The Processor is authorized to engage subprocessors for service-related functions.
7.2. The Processor shall:

  • Ensure that subprocessors comply with GDPR obligations.
  • Maintain a public list of subprocessors and notify the Controller of any changes.
  • Remain fully liable for the actions of subprocessors.

8. International Data Transfers

8.1. Personal Data shall only be processed within the European Economic Area (EEA) unless otherwise agreed.
8.2. If Personal Data is transferred outside the EEA, the Processor shall ensure:

  • The recipient country has adequate data protection laws (per the European Commission’s adequacy decision), OR
  • Appropriate Standard Contractual Clauses (SCCs) are in place, OR
  • Other GDPR-compliant safeguards are implemented.

9. Data Subject Rights

9.1. The Processor shall assist the Controller in handling requests related to:

  • Access to Personal Data
  • Rectification or erasure requests
  • Objections to processing
  • Data portability requests

10. Data Retention and Deletion

10.1. The Processor shall retain Personal Data only for the duration required to provide services.
10.2. Upon termination of services, the Processor shall delete or return all Personal Data, unless otherwise required by law.

11. Audits and Compliance

11.1. The Controller may request evidence of compliance with this Agreement.
11.2. The Processor shall provide necessary documentation and, if required, allow independent audits (subject to confidentiality and operational constraints).

12. Liability and Indemnification

12.1. The Processor shall only be liable for breaches caused by its own negligence or non-compliance with GDPR.
12.2. The Controller shall indemnify the Processor against claims arising from unlawful processing or failure to comply with GDPR obligations.

13. Term and Termination

13.1. This Agreement remains in effect for the duration of the Controller’s use of the Processor’s services.
13.2. Upon termination, the Processor shall delete or return Personal Data unless legal retention obligations apply.

14. Governing Law and Dispute Resolution

14.1. This Agreement shall be governed by the laws of Estonia.
14.2. Any disputes shall be resolved by the competent courts of Estonia, unless alternative dispute resolution is agreed upon.

15. Miscellaneous

15.1. If any provision of this Agreement is found invalid, the remainder shall remain in full force.
15.2. This Agreement supersedes any prior data processing terms.
15.3. The Processor reserves the right to update this Agreement to reflect changes in legal requirements.