Data Processing Agreement
Last Updated: May 2026
English legal version controls
This legal page is maintained in English as the authoritative version. Localized routes may include summaries for visitor convenience, but the English text controls unless a separately signed agreement says otherwise.
This public Data Processing Agreement ("DPA") template is provided for transparency and procurement review. It applies only when incorporated into, referenced by, or executed with a Master Service Agreement, Statement of Work, or other written agreement between ShiftNode Digital s.r.o. and the Client. This DPA is drafted with reference to Regulation (EU) 2016/679 (GDPR), including Article 28, and applicable Czech data protection law as supervised by the Úřad pro ochranu osobních údajů (ÚOOÚ).
1. Definitions
- "Controller" means the Client, who determines the purposes and means of processing Personal Data.
- "Processor" means ShiftNode Digital s.r.o. (IČO: 249 06 123), Nové sady 988/2, Staré Brno, 602 00 Brno, Czech Republic, which processes Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).
- "Sub-Processor" means any third party engaged by the Processor to carry out specific processing activities on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope and Purpose of Processing
The Processor shall process Personal Data only to the extent necessary to provide the services specified in the Agreement. The scope of processing is as follows:
3. Obligations of the Processor
In accordance with GDPR Article 28(3), the Processor shall:
- (a) Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law.
- (b) Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- (c) Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which may include HTTPS/TLS in transit, provider security controls, access limitation, confidentiality obligations, logging, backup or recovery practices where applicable, and commercially reasonable security review.
- (d) Not engage another processor (Sub-Processor) without prior specific or general written authorization of the Controller. Where general authorization is given, the Processor shall inform the Controller of any intended changes and provide the Controller with an opportunity to object.
- (e) Assist the Controller by appropriate technical and organizational measures, insofar as possible, to fulfill the Controller's obligation to respond to requests for exercising data subject rights (access, rectification, erasure, portability, objection).
- (f) Assist the Controller in ensuring compliance with obligations relating to security of processing, notification of data breaches, data protection impact assessments, and prior consultation with supervisory authorities (GDPR Articles 32-36).
- (g) At the choice of the Controller, delete or return all Personal Data and delete existing copies after the end of the provision of services, unless Union or Member State law requires storage of the Personal Data.
- (h) Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
4. Sub-Processors
Depending on the engagement and configuration, the Processor may use the following categories of Sub-Processors. A current engagement-specific list should be confirmed before execution of a binding DPA. The Processor shall impose equivalent data protection obligations on applicable Sub-Processors by way of contract.
| Sub-Processor Category | Purpose | Location and Transfer Safeguard |
|---|---|---|
| Hosting and deployment provider | Edge hosting, CDN, serverless functions | USA (EU SCCs) |
| Analytics and AI service providers | AI-assisted diagnostics, calculator outputs, chatbot responses, analytics where enabled | May include EEA/USA safeguards depending on provider configuration |
| CRM, workflow, and operational tooling | Lead management, fit review, internal workflow, and client communication where configured | Depends on engagement and provider configuration |
| Transactional email provider | Transactional email delivery | USA (EU SCCs) |
| Professional advisers and accounting providers | Legal, tax, accounting, and compliance support where needed | EEA or other lawful location with appropriate safeguards |
The Processor shall confirm the engagement-specific processor list before execution and notify the Controller of material intended changes according to the signed agreement.
5. International Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), the Processor shall ensure such transfers are protected by one of the following safeguards:
- European Commission Standard Contractual Clauses (SCCs) as adopted in Commission Implementing Decision (EU) 2021/914.
- EU-US Data Privacy Framework (DPF) where the Sub-Processor is certified under the framework.
- An adequacy decision by the European Commission under GDPR Article 45.
6. Data Breach Notification
In the event of a Data Breach, the Processor shall:
1. Notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach.
2. Provide the Controller with sufficient information to enable the Controller to meet its own obligations to notify the supervisory authority (ÚOOÚ) within 72 hours under GDPR Article 33.
3. Cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Data Breach.
7. Audit Rights
The Controller or its designated auditor shall have the right to conduct audits and inspections to verify the Processor's compliance with this DPA, subject to the following conditions:
- Audit requests shall be made in writing with at least 30 days prior notice.
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations.
- The Controller shall bear its own costs of any audit unless the audit reveals a material breach of this DPA.
8. Term and Data Return
This DPA shall remain in effect for the duration of the Agreement. Upon termination:
- The Processor shall, at the Controller's choice, return all Personal Data in a commonly used, machine-readable format or securely delete all copies within 30 days of termination.
- The Processor shall provide written certification of deletion upon request.
- Data retained for compliance with legal obligations (e.g., Czech tax law — 10-year retention for invoicing data) is exempt from the deletion obligation.
9. Liability
Each party's liability under this DPA shall be subject to the limitations of liability set out in the Agreement. Nothing in this DPA shall limit either party's liability for breaches of applicable data protection law that cannot be limited under mandatory law.
10. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the Czech Republic. Disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of the Czech Republic, without prejudice to the rights of data subjects to lodge complaints with a supervisory authority under GDPR Article 77.
Contact for DPA Execution
This DPA template is provided for transparency and procurement review. To execute a binding DPA tailored to your specific engagement, please contact:
ShiftNode Digital s.r.o.
Data Protection Contact: privacy@shiftnodedigital.com
Legal Inquiries: legal@shiftnodedigital.com
Registered Office: Nové sady 988/2, Staré Brno, 602 00 Brno | IČO: 249 06 123