Data Processing Agreement
Last Updated: April 2026
This Data Processing Agreement ("DPA") forms part of and is incorporated into any Master Service Agreement or Statement of Work ("Agreement") between ShiftNode Digital s.r.o. and the Client. This DPA is drafted in compliance with Regulation (EU) 2016/679 (GDPR), specifically Article 28, and applicable Czech data protection law as supervised by the Úřad pro ochranu osobních údajů (ÚOOÚ).
1. Definitions
- "Controller" means the Client, who determines the purposes and means of processing Personal Data.
- "Processor" means ShiftNode Digital s.r.o. (IČO: 249 06 123), Nové sady 988/2, Staré Brno, 602 00 Brno, Czech Republic, which processes Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).
- "Sub-Processor" means any third party engaged by the Processor to carry out specific processing activities on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope and Purpose of Processing
The Processor shall process Personal Data only to the extent necessary to provide the services specified in the Agreement. The scope of processing is as follows:
3. Obligations of the Processor
In accordance with GDPR Article 28(3), the Processor shall:
- (a) Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law.
- (b) Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- (c) Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256), regular security assessments, and access controls.
- (d) Not engage another processor (Sub-Processor) without prior specific or general written authorization of the Controller. Where general authorization is given, the Processor shall inform the Controller of any intended changes and provide the Controller with an opportunity to object.
- (e) Assist the Controller by appropriate technical and organizational measures, insofar as possible, to fulfill the Controller's obligation to respond to requests for exercising data subject rights (access, rectification, erasure, portability, objection).
- (f) Assist the Controller in ensuring compliance with obligations relating to security of processing, notification of data breaches, data protection impact assessments, and prior consultation with supervisory authorities (GDPR Articles 32-36).
- (g) At the choice of the Controller, delete or return all Personal Data and delete existing copies after the end of the provision of services, unless Union or Member State law requires storage of the Personal Data.
- (h) Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
4. Sub-Processors
The Controller provides general written authorization for the Processor to engage the following Sub-Processors. The Processor shall impose equivalent data protection obligations on all Sub-Processors by way of contract.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Netlify, Inc. | Edge hosting, CDN, serverless functions | USA (EU SCCs) |
| Google LLC (Cloud / Gemini API) | AI processing, analytics | USA (EU SCCs, DPF) |
| Resend, Inc. | Transactional email delivery | USA (EU SCCs) |
The Processor shall notify the Controller of any intended changes to this list at least 14 days in advance. The Controller may object to such changes within 14 days of notification.
5. International Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), the Processor shall ensure such transfers are protected by one of the following safeguards:
- European Commission Standard Contractual Clauses (SCCs) as adopted in Commission Implementing Decision (EU) 2021/914.
- EU-US Data Privacy Framework (DPF) where the Sub-Processor is certified under the framework.
- An adequacy decision by the European Commission under GDPR Article 45.
6. Data Breach Notification
In the event of a Data Breach, the Processor shall:
1. Notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach.
2. Provide the Controller with sufficient information to enable the Controller to meet its own obligations to notify the supervisory authority (ÚOOÚ) within 72 hours under GDPR Article 33.
3. Cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Data Breach.
7. Audit Rights
The Controller or its designated auditor shall have the right to conduct audits and inspections to verify the Processor's compliance with this DPA, subject to the following conditions:
- Audit requests shall be made in writing with at least 30 days prior notice.
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations.
- The Controller shall bear its own costs of any audit unless the audit reveals a material breach of this DPA.
8. Term and Data Return
This DPA shall remain in effect for the duration of the Agreement. Upon termination:
- The Processor shall, at the Controller's choice, return all Personal Data in a commonly used, machine-readable format or securely delete all copies within 30 days of termination.
- The Processor shall provide written certification of deletion upon request.
- Data retained for compliance with legal obligations (e.g., Czech tax law — 10-year retention for invoicing data) is exempt from the deletion obligation.
9. Liability
Each party's liability under this DPA shall be subject to the limitations of liability set out in the Agreement. Nothing in this DPA shall limit either party's liability for breaches of applicable data protection law that cannot be limited under mandatory law.
10. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the Czech Republic. Disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of the Czech Republic, without prejudice to the rights of data subjects to lodge complaints with a supervisory authority under GDPR Article 77.
Contact for DPA Execution
This DPA template is provided for transparency and procurement review. To execute a binding DPA tailored to your specific engagement, please contact:
ShiftNode Digital s.r.o.
Data Protection Contact: privacy@shiftnodedigital.com
Legal Inquiries: legal@shiftnodedigital.com
Registered Office: Nové sady 988/2, Staré Brno, 602 00 Brno | IČO: 249 06 123