Data Processing Agreement
- GDPR Compliant: meets Art. 28 requirements
- EU Data Residency: data stored in Frankfurt
- SCCs Included: Standard Contractual Clauses
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between DIGITAL SPECIALISTS s.r.o. ("Processor") and the Customer ("Controller") for the provision of analytics and consent management services.
This DPA reflects the parties' agreement with regard to the processing of personal data in accordance with the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
3. Scope of Processing
3.1 Subject Matter
The Processor processes Personal Data on behalf of the Controller to provide web analytics and consent management services as described in the Terms of Service.
3.2 Duration
Processing shall continue for the duration of the service agreement between the parties.
3.3 Nature and Purpose
The nature and purpose of the processing are to collect, store, and analyze website visitor data and consent preferences in order to provide analytics insights and to support GDPR compliance.
3.4 Types of Personal Data
- IP addresses (anonymized or full, based on configuration)
- Device and browser information
- Page view and event data
- Consent preferences
- Visitor identifiers (pseudonymous)
- Optional: User IDs provided by the Controller
3.5 Categories of Data Subjects
Website visitors and users of the Controller's online properties.
4. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorized to process Personal Data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Not engage another processor without prior authorization from the Controller
- Assist the Controller in responding to Data Subject requests
- Assist the Controller in ensuring compliance with Articles 32-36 GDPR
- Delete or return all Personal Data upon termination of services
- Make available information necessary to demonstrate compliance
- Allow for and contribute to audits conducted by the Controller
5. Controller Obligations
The Controller shall:
- Ensure there is a lawful basis for processing
- Provide appropriate privacy notices to Data Subjects
- Obtain necessary consents where required
- Provide documented instructions for processing
- Ensure compliance with applicable data protection laws
6. Security Measures
The Processor implements the following technical and organizational measures:
- Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.3)
- Access controls and authentication mechanisms
- Regular security testing and vulnerability assessments
- Incident detection and response procedures
- Regular backups and disaster recovery capabilities
- Employee security training and confidentiality agreements
- Physical security for data center facilities (via cloud provider)
7. Sub-processors
The Controller authorizes the use of the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Railway | Application hosting | EU region |
| Cloudflare | CDN and security | Global (EU processing) |
The Processor shall notify the Controller of any intended changes to sub-processors, giving the Controller an opportunity to object.
8. International Transfers
All Personal Data is processed within the European Economic Area. Where transfers outside the EEA are necessary (e.g., for certain sub-processors), appropriate safeguards are in place, including Standard Contractual Clauses adopted by the European Commission.
9. Data Subject Rights
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR, including rights of access, rectification, erasure, restriction, portability, and objection. The Processor shall respond to such requests within 72 hours.
10. Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach affecting Controller data. The notification shall include the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed.
11. Data Retention and Deletion
Upon termination of the service agreement, the Processor shall, at the Controller's choice, delete or return all Personal Data within 90 days, unless retention is required by applicable law. Backups will be deleted according to the regular backup rotation schedule.
12. Audit Rights
The Controller may conduct audits to verify compliance with this DPA. The Processor shall provide reasonable cooperation and access to relevant documentation. Audits shall be conducted with reasonable notice and during normal business hours.
13. Liability
Each party shall be liable for damages caused by processing that infringes GDPR or this DPA. Liability shall be governed by the Terms of Service and applicable law.
14. Governing Law
This DPA shall be governed by the laws of Slovakia, without regard to its conflict of law provisions. Any disputes shall be resolved in the courts of Prešov, Slovakia.