Data Processing Agreement
- GDPR Article 28: fully compliant DPA
- EU data residency: primary data stored in Frankfurt, DE
- SCCs included: Standard Contractual Clauses for transfers
This DPA is automatically incorporated into your Terms of Service when you use Conseto.
This Data Processing Agreement ("DPA") forms part of and supplements the Terms of Service ("Agreement") between DIGITAL SPECIALISTS s.r.o., IČO 21669261, registered at Čujkovova 1714/21, 700 30 Ostrava-Zábřeh, Moravskoslezský kraj, Czech Republic ("Processor" or "Conseto") and the entity or person accepting the Agreement ("Controller" or "Customer").
This DPA reflects the parties' agreement with regard to the processing of Personal Data in accordance with the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Czech Data Protection Act (Zákon č. 110/2019 Sb.).
By using the Conseto Services, the Controller accepts this DPA. Where the Controller acts on behalf of an organization, they warrant that they have authority to bind that organization.
1. Definitions
In this DPA, the following terms have the meanings set out below. Capitalized terms not defined here have the meanings given in the Agreement or the GDPR.
- "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") as defined in Article 4(1) GDPR
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, restriction, erasure, or destruction, as defined in Article 4(2) GDPR
- "Controller" means the Customer who determines the purposes and means of the Processing of Personal Data by using the Services
- "Processor" means DIGITAL SPECIALISTS s.r.o. (Conseto), which processes Personal Data on behalf of the Controller
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data
- "Services" means the Conseto Site Growth Platform, including analytics, compliance, security, marketing, and AI features as described in the Agreement
- "Standard Contractual Clauses" ("SCCs") means the standard contractual clauses adopted by the European Commission under Commission Implementing Decision (EU) 2021/914
2. Scope and Duration
2.1 Scope
This DPA applies to all Processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Services. This DPA does not apply to data that Conseto processes as a data controller in its own right (covered by the Privacy Policy).
2.2 Duration
This DPA shall remain in effect for the duration of the Agreement between the parties. The obligations of the Processor regarding data return and deletion (Section 13) shall survive termination of this DPA.
2.3 Precedence
In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.
3. Nature and Purpose of Processing
The Processor processes Personal Data on behalf of the Controller for the following purposes:
- Web Analytics: Collecting, storing, and analyzing website visitor data including page views, events, sessions, e-commerce interactions, scroll depth, form interactions, file downloads, and outbound link clicks
- Consent Management: Recording, storing, and providing audit trails of cookie consent preferences and consent banner interactions for GDPR/CCPA compliance
- Security Scanning: Analyzing website security posture, third-party scripts, and potential vulnerabilities using automated scanning tools
- Marketing Attribution: Tracking campaign performance, UTM parameters, conversion paths, and customer journey data
- AI Insights: Generating automated insights, anomaly detection, and recommendations using anonymized and aggregated analytics data
- Reporting: Generating dashboards, scheduled email reports, and data exports for the Controller
4. Types of Personal Data Processed
The following categories of Personal Data may be processed under this DPA:
| Category | Data Elements |
|---|---|
| Network Data | IP addresses (full or anonymized, based on Controller configuration), approximate geolocation derived from IP |
| Device Data | Browser type and version, operating system, device type, screen resolution, user agent string |
| Behavioral Data | Page views, custom events, click events, scroll depth, time on page, navigation paths, referral source, landing pages, exit pages |
| E-commerce Data | Product views, add to cart, purchases, order values, conversion events (as configured by Controller) |
| Consent Data | Consent choices, timestamp, banner interaction, consent withdrawal records |
| Identifiers | Pseudonymous session tokens, visitor tokens, optional user IDs provided by Controller via SDK |
| Campaign Data | UTM parameters, campaign identifiers, referral URLs, tracked link clicks |
| Performance Data | Core Web Vitals (LCP, FID, CLS), page load times |
The Processor does not intentionally collect special categories of data (Article 9 GDPR) such as health data, biometric data, or data revealing racial or ethnic origin. The Controller must not configure the Services to collect such data without explicit prior written agreement.
5. Categories of Data Subjects
The Data Subjects whose Personal Data is processed under this DPA include:
- Website Visitors: Individuals who visit the Controller's websites where the Conseto SDK is installed
- E-commerce Customers: Individuals who make purchases or interact with e-commerce features on the Controller's website
- App Users: Users of the Controller's web applications where Conseto tracking is implemented
6. Obligations of the Processor
The Processor (Conseto) shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by EU or Czech law (in which case the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such information)
- Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (as detailed in Section 10)
- Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller (see Section 8)
- Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfillment of the Controller's obligation to respond to Data Subject requests
- Assist the Controller in ensuring compliance with obligations under Articles 32 to 36 GDPR (security, breach notification, DPIA, prior consultation)
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless EU or Czech law requires storage (see Section 13)
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections (see Section 12)
- Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes GDPR or other EU or Czech data protection provisions
7. Obligations of the Controller
The Controller (Customer) shall:
- Ensure there is a lawful basis for the processing of Personal Data through the Services (e.g., consent, legitimate interest) and maintain records of processing activities
- Provide a clear and compliant privacy notice to Data Subjects that discloses the use of Conseto and the categories of data collected
- Configure the Conseto consent banner and SDK appropriately for the jurisdictions in which their website operates
- Obtain and manage necessary consents from Data Subjects where required by applicable law
- Respond to Data Subject requests (access, deletion, portability) relating to their website visitors, using the tools provided by Conseto
- Not instruct the Processor to process Personal Data in violation of GDPR or other applicable data protection laws
- Not configure the Services to collect special categories of Personal Data without prior written agreement
- Provide documented processing instructions to the Processor (the Agreement and SDK configuration constitute documented instructions)
8. Sub-processors
8.1 General Authorization
The Controller grants the Processor general written authorization to engage sub-processors to process Personal Data on behalf of the Controller. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, providing the Controller an opportunity to object within 30 days.
8.2 Current Sub-processors
The following sub-processors are authorized as of the effective date of this DPA:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Railway Inc. | Application hosting, PostgreSQL database, Redis caching | EU (Frankfurt, DE) | EU region, DPA |
| Anthropic PBC | AI insights, audit recommendations (Claude API — anonymized data only) | US | SCCs, data anonymization |
| Amazon Web Services (SES) | Transactional email delivery | EU (Ireland) | EU region, DPA |
| Cloudflare Inc. | CDN, DDoS protection, DNS, bot management | Global (EU processing) | SCCs, DPA |
| Revolut Business | Payment processing (billing data only, not visitor data) | EU (Lithuania) | EU region, regulated entity |
8.3 Sub-processor Obligations
The Processor shall impose on each sub-processor, by way of a written contract, the same data protection obligations as set out in this DPA. The Processor remains fully liable to the Controller for the performance of the sub-processor's obligations.
8.4 Right to Object
If the Controller has reasonable grounds to object to a new sub-processor, the Controller may notify the Processor in writing within 30 days of being informed. The parties shall discuss the objection in good faith. If no resolution is reached, the Controller may terminate the Agreement with respect to the Services that cannot be provided without the objected-to sub-processor.
9. International Data Transfers
9.1 Primary Processing Location
All primary data processing and storage occurs within the European Economic Area (EEA), specifically in Frankfurt, Germany, through our hosting provider Railway. The PostgreSQL database and Redis instance are located in the EU region.
9.2 Transfers Outside the EEA
Where transfers of Personal Data outside the EEA are necessary (e.g., for AI processing via Anthropic in the US, or global CDN processing via Cloudflare), the following safeguards are in place:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission under Implementing Decision (EU) 2021/914, Module Two (Controller to Processor) or Module Three (Processor to Processor) as applicable
- Transfer Impact Assessments conducted for each non-EEA sub-processor
- Supplementary technical measures including data minimization, pseudonymization, and encryption in transit (TLS 1.3)
- For AI processing specifically: only anonymized and aggregated data is transferred; no raw Personal Data is sent to AI sub-processors
9.3 Adequacy Decisions
Where the European Commission has issued an adequacy decision for the recipient country, transfers may rely on such decision. The Processor shall monitor the validity of any relied-upon adequacy decisions.
10. Technical and Organizational Security Measures
The Processor implements the following security measures in accordance with Article 32 GDPR, taking into account the state of the art, costs of implementation, nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of Data Subjects:
10.1 Encryption
- Data in transit: TLS 1.3 for all connections (API, SDK, dashboard)
- Data at rest: AES-256 encryption for database storage
- Passwords: bcrypt hashing (never stored in plaintext)
- API keys: SHA-256 hashing for stored keys
10.2 Access Control
- Role-based access control (RBAC) for all internal and customer access
- JWT-based authentication with 7-day token expiration
- Principle of least privilege for all system access
- Multi-factor authentication for administrative access to infrastructure
- Regular access reviews and prompt deprovisioning
10.3 Network Security
- DDoS protection via Cloudflare
- Web Application Firewall (WAF) rules
- Rate limiting: 1000 req/15min (general), 200 req/15min (auth), 30 req/min (audit), 10 req/hr (AI)
- Bot filtering with 50+ detection patterns
- HTTP security headers via Helmet.js (HSTS, CSP, X-Frame-Options)
10.4 Data Integrity and Availability
- Regular automated database backups with point-in-time recovery capability
- Input validation and sanitization on all API endpoints (Zod schema validation)
- Parameterized database queries to prevent SQL injection
- Structured logging with no PII in log files
10.5 Organizational Measures
- Confidentiality obligations for all personnel with access to Personal Data
- Security incident response procedures documented and tested
- Regular dependency vulnerability scanning (npm audit)
- Secure development lifecycle with code review
11. Personal Data Breach Notification
11.1 Notification to Controller
The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting the Controller's data. The notification shall be sent via email to the Controller's registered account email address and shall include:
- A description of the nature of the breach, including categories and approximate number of Data Subjects and records affected
- The name and contact details of the Processor's data protection contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its adverse effects
11.2 Cooperation
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. The Processor shall also assist the Controller in fulfilling its obligations to notify the supervisory authority (Article 33 GDPR) and Data Subjects (Article 34 GDPR) where applicable.
11.3 Record Keeping
The Processor shall maintain a record of all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken.
12. Audit Rights
12.1 Information and Documentation
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA. This includes providing documentation of security measures, sub-processor agreements, and breach records upon reasonable request.
12.2 Audits and Inspections
The Controller may conduct audits or appoint a qualified third-party auditor (subject to reasonable confidentiality obligations) to verify the Processor's compliance with this DPA. Audits shall be conducted:
- With at least 30 days' written notice to the Processor
- During normal business hours (CET/CEST)
- No more than once per calendar year (unless a Personal Data Breach has occurred)
- In a manner that does not unreasonably disrupt the Processor's operations
- At the Controller's expense, unless the audit reveals a material breach by the Processor
12.3 Certifications
The Processor may satisfy audit requests by providing relevant certifications, audit reports, or summaries of independent security assessments, where available.
13. Return and Deletion of Data
13.1 Data Export
During the term of the Agreement and for 30 days following termination, the Controller may export their data using the export functionality available in the Conseto dashboard (CSV and JSON formats) or via the API.
13.2 Deletion
Upon termination of the Agreement and after the 30-day export period, the Processor shall:
- Delete all Personal Data from active production systems within 90 days
- Delete Personal Data from backup systems according to the regular backup rotation schedule (maximum 30 additional days)
- Provide written confirmation of deletion upon the Controller's request
13.3 Exceptions
The Processor may retain Personal Data beyond the deletion schedule where required by EU or Czech law (e.g., tax records must be retained for 10 years under Czech law). The Processor shall inform the Controller of any such legal retention requirement and ensure the data is only processed for the legally required purpose.
14. Liability
14.1 GDPR Liability
Each party shall be liable for damages caused by processing that infringes the GDPR in accordance with Article 82 GDPR. The Processor shall be liable for damage caused by processing only where it has not complied with obligations specifically directed to processors under the GDPR, or where it has acted outside or contrary to the lawful instructions of the Controller.
14.2 Limitation
The total liability of each party under this DPA shall be subject to the limitations of liability set out in the Agreement, except that neither party's liability for breaches of data protection law, obligations of confidentiality, or indemnification obligations shall be limited where prohibited by applicable law.
14.3 Indemnification
Each party shall indemnify the other against all costs, claims, damages, and expenses incurred as a result of the indemnifying party's material breach of this DPA or applicable data protection law, subject to the limitations set out in the Agreement.
15. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of the Czech Republic, without regard to its conflict of law provisions. Any disputes arising from or relating to this DPA shall be submitted to the exclusive jurisdiction of the courts of Ostrava, Czech Republic, unless mandatory provisions of the Controller's local law provide otherwise.
For matters related to GDPR enforcement, the competent supervisory authority shall be the Úřad pro ochranu osobních údajů (UOOU), Czech Republic, without prejudice to the Controller's right to lodge a complaint with their local supervisory authority.
Contact
For questions about this DPA or to exercise rights under it:
DIGITAL SPECIALISTS s.r.o.