Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Service and applies where personal data is processed by the Processor on behalf of the Controller in connection with the Software and Services.

1. Parties

Controller: The customer using the Software and Services.

Processor:
SZYMON DUKLA
ul. Jagiellońska 32/36
03-719 Warszawa
Poland
NIP: 6692544511
REGON: 369688789
(“Festivo”, “Processor”)

2. Definitions

Terms such as “personal data”, “processing”, “controller”, “processor”, “data subject” and “supervisory authority” shall have the meaning given to them under Regulation (EU) 2016/679 (“GDPR”).

3. Subject Matter and Scope

The Processor shall process personal data solely for the purpose of providing the Software and Services to the Controller, in accordance with this DPA, the Terms of Service, and the documented instructions of the Controller.

4. Details of Processing (Article 28(3) GDPR)

4.1 Subject Matter

Provision of a web-based API and related software services.

4.2 Duration

For the duration of the agreement between the parties and, where applicable, until deletion or return of personal data in accordance with this DPA.

4.3 Nature and Purpose of Processing

Processing operations include hosting, storage, transmission, access control, monitoring, logging, support, and maintenance necessary to provide and operate the Software and Services.

4.4 Categories of Personal Data

Identification data (name, email address), account credentials, billing and tax data, usage and telemetry data, IP addresses, and any other personal data submitted by or on behalf of the Controller.

4.5 Categories of Data Subjects

Employees, contractors, representatives, and end users of the Controller.

5. Processor Obligations

The Processor shall:

• process personal data only on documented instructions from the Controller;
• ensure that persons authorized to process personal data are bound by confidentiality;
• implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
• assist the Controller in responding to data subject rights requests;
• assist the Controller in complying with Articles 32–36 GDPR;
• notify the Controller without undue delay after becoming aware of a personal data breach;
• delete or return personal data upon termination of the Services, unless retention is required by law.

6. Controller Obligations

The Controller warrants that it has a valid legal basis for processing personal data and that its instructions comply with applicable data protection laws.

7. Sub-Processors

The Processor may engage sub-processors to provide parts of the Services. Sub-processors shall be bound by written agreements imposing data protection obligations no less protective than those set out in this DPA.

The Controller may object to the appointment of a new sub-processor within ten (10) business days of notification.

8. International Data Transfers

Personal data is primarily processed within the European Economic Area (EEA). Where data is transferred outside the EEA, such transfer shall be subject to appropriate safeguards, including Standard Contractual Clauses approved by the European Commission.

9. Audit Rights

The Controller may audit the Processor’s compliance with this DPA no more than once per calendar year. Audits shall be limited to documentation review and shall not unreasonably interfere with the Processor’s business operations.

10. Liability

Each party shall be liable for damages caused by its own breach of this DPA or applicable data protection law.

11. Governing Law and Jurisdiction

This DPA shall be governed by the laws of the Republic of Poland and applicable European Union law. Any disputes shall be subject to the exclusive jurisdiction of the courts of Poland.