Data Processing Agreement (DPA).

Where you are not a consumer, you confirm that you have authority to bind the business on behalf of which you are accepting the terms of this agreement.

Please read these terms carefully, as they contain legal obligations and important terms which we will rely upon.

This Data Processing Agreement (“DPA”) forms part of the agreement between the customer identified in the applicable order form or terms (“you", “yours”, “Controller” or “Customer”) and Chromaport Sp. z o. o., Iwaszkiewicza 81/9, 70-786 Szczecin, Poland (“we”, “us”, “Processor” or “Chromaport”) and applies to the processing of Personal Data under the European General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC - “GDPR”), the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., as amended, and its implementing regulations (“CCPA”), all other applicable U.S. federal and state consumer privacy laws and regulations, Canada’s Federal Personal Information Protection and Electronic Documents Act, Brazil’s Lei Geral de Proteção de Dados Pessoais (Law No. 13,709/2018) (“LGPD”) (collectively, “Applicable Data Protection Laws”). In the event of a conflict between Applicable Data Protection Laws, the law applicable to the relevant Personal Data and data subject shall prevail.

The Customer and Chromaport entered into agreement (“Terms of Service” or “Main Agreement”) for the provision and use of Chromaport services (“Chromaport Offerings”) that may require Chromaport to process Personal Data on behalf of the Customer.

The DPA does not apply if the Customer is a natural person using Chromaport Offerings in the course of a purely personal or family activity (cf. Art. 2(2)(c) EU General Data Protection Regulation (EU 2016/679), (GDPR)).

This DPA is intended to satisfy the requirements of Article 28(3) of the GDPR.

1. Definitions

Capitalized terms not defined in this DPA have the meanings given in the GDPR, and where not defined therein, the Terms of Service agreement between the parties.

Personal Data: means any information relating to an identified or identifiable natural person that is processed by Chromaport as a result of, or in connection with, the provision of the services under the Terms of Service; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Subject: means an individual who is the subject of Personal Data
Personal Data Breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Processing: means either any activity that involves the use of Personal Data or as the GDPR may otherwise define processing, processes or process. It includes any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to third parties.
Standard Contractual Clauses (SCC): means the Standard Contractual Clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at the European Commission website (https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en) and completed as described in Annex I.

2. Agreed terms

This DPA is subject to the Terms of Service and is incorporated into the Terms of Service. Unless otherwise specified in this DPA, the definitions of the Terms of Service also apply to this DPA. In the event of any contradictions in the area of data protection, the DPA shall take precedence over the provisions of Terms of Service.

The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.

This Data Processing Agreement ("DPA"):

sets out the additional terms, requirements and conditions on which Chromaport will process Personal Data on behalf of the Customer;
contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) for contracts between Controllers and Processors; and
contains the SCCs (available in full here https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en) and completed as described in Annex I, as well as additional supplementary measures in connection with the SCCs which the parties have included to take account of the recommendations provided by the European Data Protection Board in June 2021.

3. Roles of the Parties

The Controller is the entity that determines the purposes and means of the Processing of Personal Data

The Processor processes Personal Data solely on behalf of and on the documented instructions of the Controller. The Processor shall notify the Controller if, in its opinion, an instruction infringes GDPR or other applicable data protection law. You hereby undertake and warrant that all Personal Data provided under this DPA to Chromaport was collected lawfully, in compliance with GDPR, and without infringement of any right or freedom of any Data Subject.

4. Scope, Application and duration

This Agreement applies to the Processing of Personal Data by Processor on behalf of Controller in connection with the performance of the Terms of Service, and for no other purpose unless agreed in writing by the Controller.

The subject-matter, nature, purpose, duration of Processing, categories of Data Subjects, and types of Personal Data are described in Annex 1 (Details of Processing) attached hereto. Annex 1 may be updated from time to time by mutual written agreement of the parties to reflect changes in the processing activities.

Duration: For the term of Terms of Service, unless otherwise required by law.

5. Types of Personal Data and Data Subjects

Types of Personal Data may include, without limitation:

Identifiers (name, email address, username)
Technical data related to the use of the services, including logs, device information, IP addresses, and usage metrics
Customer-generated content

Categories of Data Subjects may include, without limitation:

Controller’s end users
Employees, contractors, or customers of the Controller

Full details of the types of Personal Data and Data Subjects are described in Annex 1.

6. Compliance with Laws and Controller Instructions

Processor shall process Personal Data only:

in compliance with the GDPR and other Applicable Data Protection Laws;
and on documented instructions from the Controller, which shall be considered the complete, exclusive and final instructions regarding the processing of Personal Data by Chromaport, and no additional instructions that deviate from the listed herein, or which impose any additional liability or expenses shall be introduced

If the Processor believes any Controller instruction violates applicable law, the Processor must immediately notify the Controller without undue delay.

7. Processor Personnel and Confidentiality

The Processor shall ensure that personnel authorized to process Personal Data are bound by confidentiality obligations that survive the termination of employment or engagement.

The Processor shall take reasonable steps, including appropriate vetting, training, and monitoring, to ensure the reliability of its personnel authorized to process Personal Data

8. Technical and Organizational Measures

The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data, taking into account the state of the art, the nature of the Personal Data, and the risks involved, to ensure the confidentiality, integrity, availability, and resilience of processing systems and services.

A description of these measures is set out in Annex 2 (Technical and Organizational Measures). Annex 2 may be updated from time to time to reflect improvements or changes in the technical and organizational measures.

9. Assistance with compliance with Art. 32 - 36 GDPR

Taking into account the type of processing and the information available to Chromaport, Chromaport shall assist the Controller with appropriate technical and organizational measures, to the extent necessary, to enable compliance with the obligations under Articles 32–36 GDPR, including, in particular, the security of processing, the notification of personal data breaches, data protection impact assessments, and consultations with supervisory authorities.

Upon request, the Controller shall remunerate Chromaport reasonable compensation, documented in writing, for the effort resulting from such assistance, to the extent permitted by applicable data protection laws.

9. Rights of Data Subjects

The Processor shall, to the extent legally permitted and appropriate, assist the Controller with responding to requests from Data Subjects exercising their rights under Chapter III of the GDPR (including access, rectification, erasure, restriction, portability, and objection).

Should a Data Subject contact Chromaport directly to exercise their rights regarding Personal Data processed on behalf of the Controller, for data that is identifiable as belonging to the requesting Data Subject, Chromaport shall immediately forward the request to the Controller.

Upon request, the Controller shall remunerate Chromaport reasonable and documented compensation for the effort resulting from such assistance, to the extent permitted by applicable data protection laws.

10. International Data Transfers

If an adequate protection measure for the international transfer of Personal Data is required under applicable data protection legislation (and has not otherwise been arranged by the parties) the Standard Contractual Clauses, available at EU Commission website (https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en) shall be considered a part of this DPA as if set out in full.

Where Personal Data is transferred outside the EU or the European Economic Area (EEA), the Processor shall ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission and any supplementary measures necessary to ensure adequate protection.

The Processor shall ensure that any Sub-processor engaged in a third country complies with Articles 28 and 44–46 GDPR, including implementing appropriate safeguards for international data transfers.

Chromaport shall be entitled to utilize Sub-processors in a third country to process Personal Data, provided that the requirements of Art. 44 GDPR are met and the Controller is informed in accordance with the Sub-processor provisions of this DPA.

11. Sub-processors

The Controller grants general authorization for the Processor to engage Sub-processors listed in Annex 3 (Sub-processors), including updates notified in accordance with this DPA.

The Processor shall ensure that any Sub-processor enters into a written agreement imposing data protection obligations no less protective than those set out in this DPA, including obligations relating to confidentiality, security, and compliance with Applicable Data Protection Laws. The Processor remains fully liable to the Controller for the acts and omissions of any Sub-processor.

The Processor shall notify the Controller of any changes to Sub-processors, and the Controller may reasonably object to proposed changes within [10] days of notification.

Sub-processors located in third countries may only be engaged if the requirements of Articles 44 et seq. GDPR are fulfilled, including the implementation of appropriate safeguards such as Standard Contractual Clauses, and the Controller is informed in accordance with this DPA.

12. Personal Data Breaches

The Processor shall notify the Controller without undue delay, and in any event as soon as reasonably possible, after becoming aware of a Personal Data Breach. The Processor shall provide the Controller with relevant information to enable the Controller to comply with its obligations under Articles 33 and 34 GDPR, including, where possible:

The nature of the Personal Data Breach;
The categories and approximate number of Data Subjects concerned;
The categories and approximate number of Personal Data records concerned;
The likely consequences of the Personal Data Breach; and
Measures taken or proposed by the Processor to mitigate the breach and prevent further breaches.

13. Deletion of Data

At the choice of the Customer, Chromaport shall delete or return the Personal Data processed on behalf of the Customer at the end of the provision of services. Requests by the Customer to return Personal Data must be made prior to deletion. Once Personal Data has been deleted in accordance with this DPA, it cannot be returned.

The following exceptions apply:

Any Personal Data that must be retained to comply with applicable law of the European Union or its member states; and
Any Personal Data retained in Chromaport’s automatic backup systems, which will be securely deleted after regular backup retention intervals.

All deletion shall be performed in a manner that ensures the confidentiality and irrecoverability of the Personal Data.

14. Audit and Records

Upon reasonable written request, at reasonable intervals (no more than once every 12 months), and subject to confidentiality and security requirements, the Processor shall provide the Controller with information reasonably necessary to demonstrate compliance with this DPA and the GDPR, including information regarding processing activities, Sub-processors, technical and organizational measures, and international data transfers.

To the extent such documentation cannot fully satisfy the Controller’s legal obligations under the GDPR, the Processor shall allow the Controller to conduct an independent audit using reasonable methods, including questionnaires, interviews with relevant personnel, or other mutually agreed methods. Audits shall be conducted with reasonable notice and at the Controller’s expense, unless otherwise mutually agreed.

The Processor shall maintain records of all categories of processing activities carried out on behalf of the Controller, including details of Sub-processors, technical and organizational measures, and international transfers, for the duration necessary to comply with applicable data protection laws.

15. US State Laws Specific Terms

The following terms apply to Personal Data originating from the United States:

For clarity, the definitions of “Personal Data”, “Data Subject”, “Controller”, and “Processor” in this DPA include the corresponding definitions under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), specifically: “Personal Information”, “Consumer”, “Business”, and “Service Provider”, respectively. In addition, “Sell” and “Share” shall have the meaning ascribed under the CCPA/CPRA.

The Processor may not:

Sell or Share Personal Data;
Use Personal Data for any purpose other than the business purposes specified in this DPA or outside the data processing activities specified in this DPA;
Combine the Personal Data it receives from or on behalf of the Controller with any other information collected by the Processor not in respect of the Services; or
Engage any other party to process Personal Data without notifying the Controller in accordance with this DPA.

The Controller has the right to:

Verify that the processing of Personal Data is consistent with this DPA;
Take reasonable steps (as defined in Section 14, Audit) to ensure the Processor uses Personal Data in a manner consistent with its obligations under this DPA or the CCPA/CPRA; and
Upon unauthorized use of Personal Data, terminate this DPA, provide written notice to the Processor, and delete the Controller’s account and Personal Data.

The Processor acknowledges and agrees that it understands and complies with all applicable U.S. data protection laws, including the binding restrictions under CCPA/CPRA, when processing Personal Data originating in the United States.

16. Changes to this DPA

Chromaport may amend the provisions of this DPA to reflect changes in Applicable Data Protection Laws, regulatory guidance, or the services (Chromaport Offerings) provided.

Chromaport shall inform the Controller of the planned changes and provide the content of the amended DPA at least twenty-eight (28) days before such changes become effective. The change will be considered approved if the Controller does not object in writing within fifteen (15) days of receiving this notification.

If the Controller objects to the change, this DPA shall continue under the existing conditions. Chromaport reserves the right to terminate the Main Agreement if continued compliance requires the change and the Controller does not agree. Upon termination, Chromaport shall comply with its data return or deletion obligations as set out in this DPA.

17. Liability

Liability under this DPA shall follow the allocation of liability set out in the Terms of Service, subject to applicable data protection law, including GDPR, CCPA/CPRA, and other applicable privacy laws.

18. Severability

If any provision of this DPA is held to be invalid, illegal, or unenforceable under any applicable law, such provision shall be severed from the DPA, and the remaining provisions shall continue in full force and effect.

19. Governing Law

This DPA shall be governed by the law specified in the Terms of Service, provided that nothing in this DPA shall reduce or limit any rights or obligations under applicable data protection law. Where applicable data protection law requires otherwise, such law shall prevail.

20. Term and Termination

This DPA shall remain in effect for the duration of the Main Agreement. Upon termination or expiration of the Main Agreement, the Processor shall, at the choice of the Controller, return or securely delete all Personal Data processed on behalf of the Controller, except for any Personal Data that must be retained to comply with applicable law or that is retained in backup systems in accordance with Section 13.

The Processor shall continue to comply with its obligations under this DPA that survive termination, including confidentiality, security, and any applicable legal retention obligations.

21. Entire Agreement and Precedence

This DPA, together with its Annexes, constitutes the entire agreement between the parties regarding the processing of Personal Data under the Terms of Service and supersedes any prior agreements or understandings, whether written or oral, relating to such processing.

In the event of any contradiction between the provisions of this DPA and the Terms of Service concerning data protection, the provisions of this DPA shall prevail.

22. Execution

This DPA is executed by the authorized representatives of the parties as of the Effective Date set forth in the Main Agreement.

Annex 1 – Details of Processing

Subject

The subject of processing is the provision, operation, and support of Chromaport Offerings (as described in the Terms of Service), including any activities necessary to fulfill the Controller’s instructions and provide technical, customer, and operational support.

Nature and Purpose of Processing

Purpose	Description
Provision of Services	Providing access to and operation of the Chromaport Offerings, including features and support functionality.
Acting on Controller Instructions	Processing Personal Data only upon documented instructions from the Controller, including professional assistance or configuration changes.
Security & Risk Mitigation	Preventing, investigating, and mitigating data security risks, fraud, errors, and illegal or prohibited activities.
Legal Compliance	Processing necessary to comply with applicable laws and regulations.

All processing is proportionate, respects user privacy rights, and is performed only as instructed by the Controller.

Type of processing

Collection, recording, storage, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, restriction, erasure, or destruction of Personal Data.
Transfer to Sub-processors in accordance with Section 11 and Annex 3.
Backup and recovery operations as part of normal service provision.

Duration of Processing

Processing duration corresponds to the duration of the Terms of Service.

Upon termination or expiration of the Terms of Service, Personal Data will be deleted or returned according to Section 13 of the DPA.

Backup data will be automatically deleted according to the Processor’s retention schedule (typically 30 days after the last backup cycle, unless otherwise required by law).

Type of Personal Data

Data Category	Examples	Notes
Access Data	Login credentials, times, IP addresses	Required to establish secure access
Device & Session Info	Device type, OS, RAM/CPU/GPU, screen resolution, session IDs, session start/end, session duration, online status	Helps optimize service performance and diagnostics
Customer Support Data	Support tickets, configuration info, technical issue data	Only processed for troubleshooting and service provision
Account & App Data	User status, email, optional name, user roles and permissions, license information	Includes imported employee lists from authentication systems (e.g., Entra ID) with names, email, roles, and groups
Application Data	Workspace names, computer names, app names, configuration and app settings, usage information	Used to enable service functionality, optimize performance, and manage configurations
Optional Sensitive Data	Any data specifically provided by Controller that may be special category or sensitive	Must be explicitly instructed and authorized by Controller

The type of data processed depends on the type of use and the configurations made by the Controller and the users.

Responsibility for the type and content of data entered into Chromaport lies with the Controller and users. Users must ensure data is processed in compliance with Applicable Data Protection Laws.

Categories of Data Subjects

Category	Description
Employees & Candidates	Existing/prospective employees, consultants, freelancers, agents, contractors, and their associated contacts
Customers & End Users	Existing/prospective customers and end users, and their associated contacts
Other Third Parties	Any individual engaged by the Controller through the Chromaport Offerings

Sub-processors

Sub-processor	Purpose	Duration
See Annex 3	To assist Chromaport in providing the Chromaport Offerings	Only for the duration necessary to provide the Chromaport Offerings

Sub-processors are bound by data protection obligations equivalent to this DPA, including security, deletion, and audit requirements.

Notes on Backup and Deletion

All Personal Data retained in backups will be deleted automatically after the retention period (30 days), unless retention is required by law.

In case of a Controller request to return Personal Data, Chromaport will provide the data prior to deletion if feasible.

Automated deletion workflows comply with Section 13 of the DPA.

Compliance

All processing is carried out only on Controller instructions and in accordance with Applicable Data Protection Laws, including GDPR, CCPA/CPRA, LGPD, and other relevant regulations.

Annex 2 – Technical and Organizational Measures

Chromaport implements and maintains appropriate technical and organizational measures to protect Personal Data in accordance with GDPR Art. 32 and other Applicable Data Protection Laws. The measures are designed to ensure confidentiality, integrity, availability, and resilience of the processing systems.

Governance and policy

Control	Description
Information Security Policy	Documented security policy aligned with industry standards, reviewed at least annually.
Responsible Personnel	Security policy and implementation managed by trained personnel with expertise in information security.
Policy Review	Policies and measures are reviewed and updated at least annually or upon significant change to services or regulatory requirements.

Personnel Security and Training

Control	Description
Access & User Accounts	Each personnel member has a unique account with individual access rights based on role.
Security Training	Annual mandatory security training for all personnel.
Termination Procedures	Immediate revocation of access credentials, keys, and codes upon termination.
Confidentiality	All personnel bound by confidentiality obligations.
Antivirus / Protective Software	All personnel computers are updated with antivirus software or equivalent protective mechanisms.
Automatic Screen Lock	Screens automatically lock after a short period of inactivity to prevent unauthorized access.
Background Checks (Optional)	Personnel accessing Personal Data undergo vetting according to internal policies.

Access Control

Control	Description
Role-Based Access	Access rights limited to the minimum required for job responsibilities (least privilege).
Authentication	Strong passwords, two-factor authentication, or equivalent mechanisms for all access.
Access Review	Permissions reviewed at least annually.
Logging	All access, data creation, modification, deletion, and transfer are logged with timestamps.

Data Integrity and Availability

Control	Description
Backup	Regular backups of Personal Data; automatic deletion of backups at defined intervals.
Vulnerability Management	Regular review of software to detect and remediate vulnerabilities; patching of critical issues in a timely manner.
Penetration Testing	Annual penetration testing and remediation in line with internal security policies.
Default Configuration	All default passwords and accounts changed prior to deployment.
Encryption	Personal Data encrypted at rest and in transit using strong encryption standards (AES-256, TLS 1.2/1.3).
Monitoring	Systems monitored for anomalies, unauthorized access, or suspicious activity.

Secure development practices

Control	Description
Version Control	Source code, documentation, and configuration changes managed through version control systems.
Code Review	All code changes reviewed by someone other than the developer before production deployment.
Production Access	Only authorized personnel can push changes to production environments.
Data Minimization	Personal Data collection limited to what is necessary for each processing purpose.
Segregation	Development/test and production environments are logically separated; data processing systems separated by purpose.

Transfer Control/Transmission Control

Control	Description
Encryption in Transit	All Personal Data transmitted via secure channels (e.g., TLS).
Data Minimization	Only required Personal Data transmitted.
Media Destruction	Secure destruction of data media in a data protection-compliant manner.

Deletion

Control	Description
Data Deletion	Personal Data deleted or returned to Controller upon request or termination of the Main Agreement, per DPA Section 13.
Backup Deletion	Backups automatically deleted according to retention schedule, unless legal retention obligations apply.

Third-Party Risk Management

Control	Description
Risk Assessment	Prior to engaging Sub-processors or third-party providers with access to Personal Data, Chromaport conducts security and risk assessments.
Data Protection Obligations	Sub-processors bound by contractual obligations equivalent to this DPA (see Annex 3).

Law Enforcement Request Policy

Control	Description
Valid Requests Only	Personal Data disclosed to authorities only when legally required and valid.
Notification	Controller notified of requests where legally permissible.
Human Rights	All requests assessed to ensure alignment with human rights and applicable law.

Annex 3 – Sub-processors

The following Sub-processors are engaged by Chromaport to provide specific services related to the Chromaport Offerings. All Sub-processors are bound by data protection obligations no less protective than this DPA.

Sub-processor	Purpose	Legal Entity / Address	Location of Processing	Duration of Processing
Amazon Web Services (AWS)	Infrastructure Hosting	Amazon Web Services, 38 Avenue John F. Kennedy, L-1855, Luxembourg	European Union	Only as long as required to provide and maintain services
Sentry	Error Reporting	Sentry / Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA	European Union	Only as long as required to provide error monitoring services

Notes

All Sub-processors engaged in third countries comply with Articles 28 and 44–46 GDPR, including implementation of appropriate safeguards for international transfers (see Section 10 of the DPA).
The Controller may reasonably object to changes or additions to Sub-processors as per Section 11 of the DPA.
The purpose and scope of processing by each Sub-processor is limited to the services listed above and necessary activities to provide the Chromaport Offerings.
For EU/EEA users, Controllers must ensure cookie and tracking consents are obtained when using Google Ads, Meta/Facebook, or Cookiebot/Usercentrics.

Accepted and agreed as of the effective date of Terms of Service.