Version 1.1 · Effective 2026-06-11

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Byte Imagination Roger Zacharczyk ("Processor", "we") and you ("Controller", "you") for the provision of the Service. It governs the processing by us of personal data contained in Customer Data on your instructions.

This DPA reflects the parties' agreement on the terms governing the processing of personal data under Regulation (EU) 2016/679 ("GDPR") and, where applicable, the United Kingdom General Data Protection Regulation as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR").

1. Definitions

Terms used in this DPA have the meanings given in the GDPR. In particular: "personal data", "processing", "controller", "processor", "data subject", "personal data breach", "supervisory authority".

"Customer Personal Data" means personal data contained in Customer Data processed by us on your behalf.

"Sub-processor" means any third party engaged by us to process Customer Personal Data.

2. Scope, roles, and instructions

  • You are the controller and we are the processor with respect to Customer Personal Data.
  • We process Customer Personal Data only on your documented instructions, including with regard to transfers of personal data to a third country, unless required to do so by EU or Member State law to which we are subject. In such a case we will inform you of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
  • The Terms of Service, this DPA, your configuration of the Service, and any subsequent documented instructions you provide constitute your complete and final instructions to us in respect of the processing of Customer Personal Data.

3. Subject matter, duration, nature, and purpose

ItemDescription
Subject matterProvision of the Service to you under the Terms of Service
DurationThe term of the Terms of Service, plus the retention periods set out in the Privacy Policy
NatureHosting, storage, transmission, retrieval, organisation, deletion, and other processing necessary to provide the Service
PurposeTo enable you to use the Service's features for your own business purposes
Categories of data subjectsAs determined by you; typically your end users, employees, and any other individuals whose personal data you choose to submit
Categories of personal dataAs determined by you; the Service does not require any specific category of personal data to function. See the Additional Terms for the data this Service typically processes

4. Confidentiality

We ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations and have received training on personal-data protection.

5. Security of processing (Article 32)

Taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those described in Section 7 of the Privacy Policy and in Annex II of this DPA.

We assist you in ensuring compliance with your obligations under Articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to us.

6. Sub-processing

  • You provide a general written authorisation for us to engage Sub-processors, subject to the conditions in this Section.
  • The current list of Sub-processors is published alongside this DPA on the Service's domain.
  • We will inform you of any intended addition or replacement of a Sub-processor at least 30 days before that change takes effect, by email and by updating the list. You may object on reasonable grounds related to data protection within that period. If we cannot accommodate your objection, you may terminate the affected Subscription as your sole remedy and Section 14 of the Terms applies, except that no notice period is required for termination on this basis.
  • We impose on each Sub-processor data-protection obligations no less protective than those in this DPA. We remain liable to you for the performance of each Sub-processor's obligations.

7. Assistance with data-subject requests

Taking into account the nature of the processing, we assist you, by appropriate technical and organisational measures and insofar as possible, in fulfilling your obligation to respond to data-subject requests under Chapter III of the GDPR. We will forward to you without undue delay any data-subject request we receive that relates to your Customer Personal Data, and will not respond to it ourselves except on your instruction or as required by law.

8. Personal-data breaches

We notify you without undue delay, and in any event within 72 hours, after becoming aware of a personal-data breach affecting Customer Personal Data. The notification will, to the extent then known, describe the nature of the breach, the categories and approximate number of data subjects and personal-data records concerned, the likely consequences, and the measures taken or proposed to address the breach.

9. Data Protection Impact Assessments

We provide reasonable assistance to you, taking into account the nature of the processing and the information available to us, in carrying out data-protection impact assessments under Article 35 GDPR and prior consultations with supervisory authorities under Article 36 GDPR, where you reasonably consider this necessary in respect of the processing of Customer Personal Data.

10. International transfers

Where processing of Customer Personal Data involves a transfer to a third country or international organisation that is not subject to an adequacy decision, the parties enter into the Standard Contractual Clauses adopted by the European Commission in Decision 2021/914 ("SCCs") which are incorporated into this DPA by reference, with:

  • Module Two (controller-to-processor) applying for the transfer from you to us where you are established outside the EEA and we are established within the EEA;
  • Module Three (processor-to-processor) applying for onward transfers from us to a Sub-processor;
  • Clause 7 (docking clause) included;
  • Clause 9 option 2 (general written authorisation for Sub-processors) selected, with a 30-day notice period;
  • Clause 11(a) optional language not included;
  • Clause 17 option 1 selected, governed by the law of Poland;
  • Clause 18(b) selecting the courts of Poland.

For transfers subject to the UK GDPR, the parties incorporate the UK International Data Transfer Addendum to the SCCs published by the UK Information Commissioner.

11. Audits

We make available to you all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you, subject to the following:

  • you give us at least 30 days' written notice;
  • audits take place during regular business hours, no more often than once per twelve-month period unless required by a supervisory authority or following a confirmed breach;
  • the auditor is bound by appropriate confidentiality obligations;
  • you bear the cost of the audit, except where the audit reveals our material non-compliance, in which case we bear our own costs;
  • we may satisfy this obligation by providing third-party audit reports (e.g. ISO/IEC 27001 certifications, SOC 2 reports) of our Sub-processors where reasonably available.

12. Return or deletion at termination

Upon termination of the Terms of Service we will, at your choice, delete or return all Customer Personal Data to you, and delete existing copies, unless EU or Member State law requires storage of the personal data. Without specific instruction from you within 30 days after termination we will delete Customer Personal Data, subject to the retention periods in the Privacy Policy.

13. Liability

The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. The SCCs, where applicable, contain their own liability provisions which prevail in case of conflict to the extent required by the SCCs.

14. Order of precedence

In case of conflict between this DPA, the Terms of Service, and the SCCs, the SCCs prevail in respect of the matters they govern, then any applicable jurisdiction-specific Annex of this DPA in respect of the matters it governs, then the body of this DPA, then the Terms.

15. Other applicable data-protection law

Where mandatory data-protection requirements imposed by the law of a jurisdiction other than the European Union or the United Kingdom apply to the processing of Customer Personal Data under this DPA, those requirements are not displaced by this DPA, and this DPA does not restrict any right or obligation that you or we may have under such laws. Specific provisions for selected non-EU/UK jurisdictions are set out in the Annexes to this DPA.

Annex I — List of parties, description of processing, transfers

This Annex applies to the SCCs as incorporated by Section 10.

A. List of parties

Data exporter (Controller): the Customer identified in the account record for the Service.

Data importer (Processor): Byte Imagination Roger Zacharczyk, Ludwika Kondratowicza 59/21, Warsaw, Poland, privacy@byteimagination.com.

B. Description of transfer

  • Categories of data subjects: as described in Section 3 of the DPA.
  • Categories of personal data: as described in Section 3 of the DPA and in the Additional Terms.
  • Sensitive data: none intentionally; you must not submit special categories of data without a separate written agreement.
  • Frequency of transfer: continuous, for the duration of the Subscription.
  • Nature of processing: as described in Section 3 of the DPA.
  • Purpose: as described in Section 3 of the DPA.
  • Period of retention: as described in Section 6 of the Privacy Policy.
  • Transfers to (sub-)processors: as listed in the Sub-processor list published alongside this DPA.

C. Competent supervisory authority

Prezes Urzędu Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa.

Annex II — Technical and organisational measures

AreaMeasure
Access controlRole-based access; least privilege; named accounts only
AuthenticationStrong passwords with hashed storage; API keys stored as one-way cryptographic hashes; session cookies with secure attributes
Encryption in transitIndustry-standard transport encryption for all external connections
Encryption at restFilesystem-level encryption on the database host
Network securityFirewall restricting inbound traffic to required ports; reverse proxy with rate limiting
Logging and monitoringApplication logs with trace correlation; audit log of API access, authentication, and lifecycle events; request/response logging with redaction of authentication, authorization, and common secret fields
BackupPeriodic encrypted database backups; restore tested
Sub-processor managementDue-diligence review before engagement; contractual data-protection clauses; published list with notice of changes
PersonnelConfidentiality obligations; periodic security awareness training (sole proprietorship: applies to the proprietor)
Incident responseDefined incident response process with breach notification within 72 hours
Physical securityHosting in a provider data centre with industry-standard physical security
DisposalSecure deletion of personal data at end of retention or on request

Annex III — California Consumer Privacy Act addendum

This Annex applies in addition to the body of this DPA where you process Personal Information that is subject to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA"), and where we act for you as a "service provider" within the meaning of CCPA. In case of conflict between this Annex and the body of this DPA in respect of Personal Information subject to CCPA, this Annex prevails to the extent of the conflict.

1. Definitions

Capitalised terms used in this Annex without definition have the meaning given in CCPA, including: "personal information", "consumer", "sell", "share", "service provider", "business purpose", and "processing".

2. Service provider designation

We act as a service provider to you with respect to Personal Information processed on your behalf. Personal Information is provided to us only for the limited and specified business purpose of providing the Service to you under the Terms of Service.

3. Restrictions on processing

We will not:

  • (a) sell or share Personal Information;
  • (b) retain, use, or disclose Personal Information for any purpose other than the business purpose specified in this DPA, including a purpose other than that specified in our written contract with you, or as otherwise permitted by CCPA;
  • (c) retain, use, or disclose Personal Information outside of the direct business relationship between you and us; or
  • (d) combine Personal Information that we receive from you, or that we receive on your behalf, with personal information that we receive from another source, except as permitted by CCPA.

4. Compliance and cooperation

  • We will comply with applicable obligations under CCPA and provide the same level of privacy protection in respect of Personal Information processed on your behalf as is required of businesses under CCPA.
  • We will notify you promptly if we determine that we can no longer meet our obligations under CCPA.
  • We will cooperate with you in responding to verifiable consumer requests under CCPA, including requests to know, delete, correct, opt out of sale or sharing, and limit the use of sensitive personal information, to the extent applicable to the processing we perform on your behalf.
  • You retain the right to monitor our compliance with this Annex through reasonable measures, including the audit rights set out in Section 11 of this DPA.

5. Sub-processor flow-down

We will impose on each Sub-processor that processes Personal Information subject to CCPA contractual obligations no less protective than those in this Annex.