DATA PROCESSING ADDENDUM

(hereinafter: “DPA”)

1      Introduction

1.1       The Client will provide SKOZAR with personal data of its customers or third parties (hereinafter: »personal data«) for the provision of services under the Digital Services Order Agreement.

1.2       The Parties agree that:

1.2.1   concerning the processing of personal data based on the Digital Services Order Agreement, SKOZAR is the processor of personal data, and the Client is the controller of personal data. The processing of personal data where SKOZAR acts as the controller of personal data (i.e. processing personal data for the purpose of providing access to its services) is governed by the DocuWise Privacy Policy (accessible at: https://docuwise.eu/en/privacy-policy) and is not the subject of this DPA.

1.2.2   SKOZAR provides sufficient guarantees to implement appropriate technical and organizational measures in a manner that the processing meets the requirements of applicable regulations in the field of personal data protection and ensures the protection of the rights of individuals to whom the personal data relates.

1.3       The Parties accept this DPA to define the rights and obligations related to the processing of data that SKOZAR will provide for the Client within the scope and under the conditions specified in this agreement.

2      Subject of the DPA

2.1       The content and duration of the processing, the nature and purpose of the processing, the types of personal data, and the categories of individuals to whom the personal data relates are defined in Table 1 below.

3      Purpose of processing

3.1       The Client determines the purposes of processing personal data by SKOZAR.

3.2       SKOZAR will process personal data received from the Client solely for the purpose of providing services, to the extent and in the manner specified in this DPA.

3.3       SKOZAR may process personal data for another purpose only if required by applicable regulations.

4      Obligations of SKOZAR

4.1       SKOZAR shall:

4.1.1   process personal data only based on documented instructions from the Client;

4.1.2   take all measures in accordance with articles 6 and 7 of this DPA;

4.1.3   assist the Client, considering the nature of the processing, with appropriate technical and organizational measures, to the extent possible, in fulfilling its obligations to respond to requests for the exercise of the rights of the individual to whom the personal data relates;

4.1.4   assist the Client in fulfilling obligations related to the security of personal data, considering the nature of the processing and information available to SKOZAR;

4.1.5   in accordance with the decision of the Client, delete or return all personal data to the Client upon the conclusion of services related to processing and destroy existing copies, unless applicable regulations require the retention of personal data;

4.1.6   provide the Client with all necessary information to demonstrate compliance with its data protection obligations, and allow the Client or another auditor authorized by the Client to conduct audits and inspections, cooperating with them;

4.1.7   in connection with point 4.1.6, promptly inform the Client if, in its opinion, the instruction violates regulations in the field of personal data protection (for the avoidance of doubt, SKOZAR does not assume responsibility for the Client’s general obligations and compliance as the data controller).

5      Obligations of the Client

5.1       The Client is responsible for providing an appropriate legal basis for obtaining and processing personal data that is transmitted to SKOZAR.

5.2       The Client shall inform SKOZAR about any specificities and potential known risks related to ensuring the rights of individuals whose personal data is being processed.

6      Security of processing

6.1       The Parties shall:

6.1.1   collaborate in ensuring adequate organizational and technical measures to protect personal data and mitigate risks associated with the security of personal data.

6.1.2   throughout the performance of this DPA, ensure proper protection of personal data, regardless of how they become acquainted with the personal data.

6.2       SKOZAR shall perform services in accordance with personal data protection regulations and shall:

6.2.1   handle received personal data with care and provide appropriate organizational and technical security measures for secure acquisition, processing, and transmission of personal data;

6.2.2   ensure that authorized individuals for the processing of personal data covered by this DPA are bound to confidentiality throughout the data processing and even after the processing ceases.

6.2.3   monitor the security of personal data, promptly inform the Client in case of identified reasons for increased risk or a breach, and take all necessary measures to rectify or reduce damage and risks to the minimum possible extent.

6.2.4   in the event of a personal data security breach (e.g. data destruction, intrusion into the information system or premises, unauthorized access, etc.), immediately notify the Client and take all possible measures to stop the breach and eliminate damages.

7      Security measures

7.1       SKOZAR shall ensure the security of processing by:

7.1.1   protecting the areas where personal data carriers, equipment, and system software are located, including input-output devices, to prevent unauthorized access to personal data (e.g., through appropriate locking);

7.1.2   safeguarding the software used for processing personal data, primarily by using passwords for access by authorized individuals;

7.1.3   ensuring a reliable and efficient method of data storage, destruction, and deletion of personal data according to the Client’s instructions;

7.1.4   ensuring the security of data processing during data transfers, particularly by using cryptographic methods;

7.1.5   ensuring that only individuals authorized by SKOZAR who require access for the performance of the services have access to personal data;

7.1.6   providing procedures for regular testing, assessment, and evaluation of the effectiveness of security measures.

8      Subprocessing

8.1       The Client authorizes SKOZAR to engage subprocessors listed in Table 2 below in the processing of personal data.

8.2       The Client grants SKOZAR general permission for the engagement of other subprocessors or their replacement. SKOZAR will inform the Client of all intended changes regarding the engagement of additional subprocessors or their replacement.

8.3       Subprocessors are bound by the same obligations of personal data protection as the data processor, which SKOZAR is obliged to inform them about.

9      Transfer of personal data to third countries

9.1       The Client hereby grants permission for SKOZAR to transfer personal data to subprocessors located outside of the European Union (»third countries«), provided that such transfers comply with the Standard Contractual Clauses adopted by the European Commission or any other mechanisms ensuring an adequate level of data protection.

9.2       SKOZAR shall maintain the necessary safeguards and meet the requirements of the applicable regulations for the protection of personal data during such transfers.

10   Limitation of liability

10.1    SKOZAR does not accept any liability, in respect of the data processing, in favour of anyone other than you.

10.2    SKOZAR shall be liable only for direct damages caused by SKOZAR to the Client during or as a result of the performance of its obligations under this DPA, and provided that they are caused by gross negligence or intentionally. Any liability for indirect damages or other damages (for example, for resulting damages including loss of profit, loss of savings and damages as a result of loss of data) as well as for damage caused by third parties, is expressly excluded.

11   Governing law and jurisdiction

11.1    Governing law. This DPA shall be governed by the laws of Slovenia.

11.2    Disputes. If the parties fail to amicably settle any dispute arising out of or in connection with this DPA, the court in Ljubljana shall have jurisdiction.

12   Final provisions

12.1    This DPA comes into effect and is valid for the duration of the Digital Services Agreement.

 

TABLE 1: Specification of data processing

Subject-matter | Recording, storing, transmitting, and other processing necessary for providing services, i.e., for document storage and generation.
Duration | Duration of Service provision, unless applicable regulations require the retention of personal data.
Purpose | Service provision.
Type of personal data | Identification data entered by the Client into the document generation system (e.g., name, address, tax number, personal identification number, date of birth, etc.).
Categories of data subjects | Customers and contractual partners of the customer, or persons whose data the Client enters into the system for the generation of documents.

 

TABLE 2: Subprocessors

Subprocessor | Location | Services
zerodays, razvoj celostnih programskih rešitev, d.o.o. | Ljubljana, Slovenia | Programming and technical support services, software development, maintenance, troubleshooting, etc.
Amazon Web Services EMEA SARL, German Branch | Frankfurt, Germany | Storage services
Supabase, Inc., a Delawar | Frankfurt, Germany | Storage services, authentication services, database management system
Vercel Inc. | Frankfurt, Germany | Hosting
Render Inc. | Frankfurt, Germany; San Francisco, USA | Hosting