Data Processing Agreement

Parties

This Data Processing Agreement ("DPA") is entered into between:

This DPA forms part of and is incorporated into the Terms of Service between the parties. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the subject matter of data protection.

By accepting the Terms of Service, the Agency agrees to the terms of this DPA on behalf of itself and, where applicable, on behalf of its affiliated entities.

1.Definitions

In this DPA, the following definitions apply in addition to those in the Terms of Service:

2.Scope and Purpose of Processing

This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Service described in the Terms of Service.

Schedule 1 to this DPA sets out the subject matter, duration, nature, and purpose of the processing, the types of Personal Data processed, and the categories of Data Subjects.

The Processor shall process Personal Data only to the extent necessary to provide the Service and shall not process Personal Data for any other purpose unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing unless prohibited by law.

3.Controller Obligations

The Controller represents, warrants, and undertakes that:

• It has a valid legal basis under Applicable Data Protection Law for all processing of Personal Data it instructs the Processor to carry out.
• It has provided all required privacy notices to Data Subjects, including notices regarding call recording where required by applicable law.
• It has obtained all necessary consents from Data Subjects where consent is the relied-upon legal basis for processing.
• It will ensure that its instructions to the Processor comply with Applicable Data Protection Law at all times.
• It is solely responsible for determining the purposes and means of processing Agency Client Data and for ensuring its own compliance with Applicable Data Protection Law as a data controller.
• It will notify the Processor promptly of any changes to its instructions that may affect the Processor's ability to comply with this DPA.

4.Processor Obligations

4.1Processing on Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries. The Terms of Service and this DPA constitute the Controller's documented instructions as of the effective date.

If the Processor believes that an instruction from the Controller would violate Applicable Data Protection Law, the Processor shall promptly refuse to carry out the instruction. The Processor shall not be required to provide reasons for such refusal beyond indicating that the instruction appears to violate applicable law.

4.2Confidentiality

The Processor shall ensure that all personnel authorised to process Personal Data under this DPA are subject to appropriate confidentiality obligations and have received adequate training on data protection requirements.

4.3Security

The Processor shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures shall take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to Data Subjects.

Security measures implemented by the Processor include:

• Encryption of Personal Data in transit using TLS 1.2 or higher
• Encryption of Personal Data at rest
• Access controls and role-based permissions limiting access to Personal Data to authorised personnel only
• Regular security assessments and monitoring of the platform
• Pseudonymisation of Personal Data where technically practicable
• Procedures for regularly testing and evaluating the effectiveness of security measures

4.4Sub-processing

The Controller grants the Processor general authorisation to engage the Sub-processors listed in Schedule 2 to this DPA. The Processor shall:

• Enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA.
• Remain fully liable to the Controller for the acts and omissions of its Sub-processors as if they were the Processor's own acts and omissions.
• Notify the Controller of any intended changes to the list of Sub-processors by updating Schedule 2 and providing at least 14 days' prior written notice. The Controller may object to the engagement of a new Sub-processor within that period by notifying the Processor in writing. If the Processor proceeds with the engagement despite objection, the Controller may terminate the relevant services on written notice without penalty.

4.5Assistance with Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection) by:

• Providing the Controller with access to relevant data held within the platform through the Agency's account dashboard.
• Enabling the Controller to permanently delete an Agency Client and all associated Personal Data through the platform. Upon deletion, Personal Data will be suppressed immediately and permanently deleted within 30 days. A timestamped audit log entry will be created in the Agency's account confirming the deletion request, the scheduled suppression date, and the permanent deletion date.
• Providing reasonable additional technical assistance upon written request where platform tools are insufficient to fulfil a Data Subject rights request, subject to the Processor's standard professional services rates.

The Controller acknowledges that the Processor cannot respond directly to Data Subjects and that all Data Subject communications must be handled by the Controller.

4.6Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller in carrying out data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, to the extent that such assessments relate to the processing carried out by the Processor under this DPA.

4.7Audit Rights

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

Any audit shall be conducted: (a) on not less than 30 days' prior written notice; (b) during normal business hours; (c) in a manner that minimises disruption to the Processor's operations; and (d) no more than once per calendar year unless a Personal Data Breach has occurred. The Controller shall bear the costs of any audit unless the audit reveals a material breach of this DPA by the Processor.

5.Personal Data Breach

In the event of a Personal Data Breach affecting Personal Data processed under this DPA, the Processor shall:

• Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.
• Provide the Controller with sufficient information to enable the Controller to meet its own notification obligations to supervisory authorities and Data Subjects, including: (a) a description of the nature of the breach; (b) the categories and approximate number of Data Subjects affected; (c) the categories and approximate volume of Personal Data records affected; (d) the likely consequences of the breach; and (e) the measures taken or proposed to address the breach.
• Cooperate fully with the Controller and take such steps as are reasonably necessary to investigate, mitigate, and remediate the breach.

The Processor's notification of a Personal Data Breach does not constitute an admission of fault or liability.

6.International Transfers of Personal Data

The Processor may transfer Personal Data to countries outside the European Economic Area (EEA) where its Sub-processors are located, as listed in Schedule 2. The Processor shall ensure that all such transfers are made subject to appropriate safeguards under Applicable Data Protection Law, including:

• Standard Contractual Clauses adopted by the European Commission, where applicable.
• Reliance on adequacy decisions issued by the European Commission for the destination country.
• Other legally recognised transfer mechanisms under Applicable Data Protection Law.

Details of the transfer mechanisms in place for each Sub-processor are available from the Processor upon written request.

7.Data Retention and Deletion

The Processor shall retain Personal Data for the duration of the Agency's active subscription, in accordance with the Terms of Service and Privacy Policy.

Upon termination or expiry of the Terms of Service, the Processor shall permanently delete all Personal Data processed under this DPA within 90 days of the termination date, unless applicable law requires longer retention.

During the active subscription, the Controller may initiate deletion of specific Agency Client data through the platform. Upon such deletion:

• Personal Data will be immediately suppressed and made inaccessible within the platform.
• A 30-day retention window will apply to allow recovery in the event of accidental deletion.
• Permanent and irrecoverable deletion will be completed at the end of the 30-day window.
• A timestamped audit log entry will be recorded in the Agency's account confirming the deletion request and the permanent deletion date.

The Processor shall, upon written request and within a reasonable timeframe, provide the Controller with written confirmation that deletion has been completed.

8.Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits either party's liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot be excluded or limited under applicable law.

Where a Data Subject suffers damage as a result of a breach of Applicable Data Protection Law, the parties shall be liable in accordance with their respective roles as controller and processor under that law. Where both parties are liable, each party shall be responsible for the portion of damage attributable to its own breach.

9.Term and Termination

This DPA is effective from the date the Agency accepts the Terms of Service and shall remain in force for the duration of the Terms of Service. Termination of the Terms of Service automatically terminates this DPA, subject to the survival of obligations relating to data deletion (Section 7), confidentiality, and liability.

10.Governing Law and Disputes

This DPA shall be governed by and construed in accordance with the laws of the Republic of Cyprus. Any disputes arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution procedure set out in the Terms of Service, with arbitration seated in Nicosia, Cyprus.

Nothing in this clause affects the rights of Data Subjects to lodge complaints with a competent supervisory authority or to seek judicial remedies under Applicable Data Protection Law.

11.General

This DPA constitutes the entire agreement between the parties with respect to the subject matter of data processing and supersedes all prior agreements, representations, and understandings relating to such subject matter.

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

The Processor may update this DPA from time to time to reflect changes in Applicable Data Protection Law, Sub-processor arrangements, or processing activities. The Processor shall provide at least 14 days' written notice of any material changes. Continued use of the Service after the effective date of any update constitutes acceptance of the revised DPA.

The following Sub-processors are approved as of the effective date of this DPA:

Contact

For questions relating to this Data Processing Agreement, please contact: