PERSONAL DATA PROCESSING AGREEMENT (Current Version) 

This Personal Data Processing Agreement (hereinafter the ‘Agreement’) has entered into force and shall be applicable as of 30 April 2024. This Agreement has been concluded between the Zebrasign Platform administrator AB Zebracloud (hereinafter the ‘Data Processor’) and the Customer (User or Consumer) (hereinafter the ‘Data Controller’).

  1. SUBJECT MATTER OF THE AGREEMENT
    1. This Agreement forms an integral part of the General Terms of Service of Zebrasign Platform (hereinafter the ‘Terms of Service’) and sets out the terms and conditions applicable in cases where the Data Processor processes the Data Controller’s Personal Data on behalf of the Data Controller in accordance with the procedure laid down in the Terms of Service.
    2. The Data Processor undertakes to process Personal Data in accordance with the requirements set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter the ‘GDPR’) and the Data Controller’s instructions.
    3. Capitalised terms used in the Agreement shall be understood as defined in the GDPR and other applicable personal data protection legislation, the Privacy Policy and the Terms of Service. Personal Data in the context of this Agreement shall be understood as data uploaded by the Data Controller to the Account as described in Clause 2.3 of the Agreement.
  2. PURPOSES, SCOPE AND DURATION OF DATA PROCESSING
    1. The Data Processor shall provide services to the Data Controller in accordance with the Terms of Service. The Data Controller shall instruct the Data Processor to process the Personal Data of the Data Controller to the extent necessary for the implementation and execution of the Terms of Service.
    2. The purpose of the data processing is the implementation and execution of the Terms of Service insofar as the data uploaded by the Data Controller to the Account are concerned.
    3. Categories of data subjects are employees of the Data Controller using the Account of the Data Controller (legal person) and/or Data Controllers (natural persons) who have an Account, and other third parties whose Personal Data the Data Controller uploads to its Account. Personal Data processed by the Data Processor to which the Data Processor has or may have access are data uploaded to the Data Controller’s Account, as defined in the Privacy Policy. These data may include, but are not limited to, name, surname, position, date of birth, personal identification number, telephone number, etc., and may vary from case to case depending on the nature and content of the data uploaded by the Data Controller to the Account. The Parties agree that, within the scope of this Agreement, the processing of Personal Data by the Data Processor relates only to the data uploaded by the Data Controller to the Account. In all other respects, as provided for in the Privacy Policy, the Data Processor acts as a Data Controller, as it itself determines the purposes and means of the processing.
    4. Where the Data Processor has not received any documented instructions regarding the processing of Personal Data necessary for the fulfilment of its obligations under the Agreement, the Data Processor shall immediately notify the Data Controller thereof and act in the best interests of the Data Controller until such instructions are provided.
    5. Personal Data shall be processed for as long as the Data Controller uses the Account. If the Data Controller removes the Account, the Account and the Personal Data contained therein shall be deleted without the possibility to restore them after 14 calendar days as of the date of removal of the Account. Inactive free Accounts and the Personal Data of the Data Controller contained therein shall be deleted without the possibility to restore them if the Data Controller has not used the Account and/or the Services provided on the Platform for a two-year period, counting from the date of the last visit of the Data Controller to the Account. If the Data Controller requires Personal Data to be stored for a certain period after the termination of the Services, the Parties must agree in advance on the terms of such processing.
  3. OBLIGATIONS OF THE PARTIES
    1. By processing Personal Data on behalf of the Data Controller, the Data Processor undertakes as follows:
      1. to process Personal Data only in accordance with documented written instructions provided by the Data Controller, including the instructions set out in this Agreement, unless otherwise provided for by the applicable legislation. In such a case, before starting the processing of Personal Data, the Data Processor must, to the extent permitted by the legislation, notify the Data Controller of such legal requirements that are known to the Data Processor;
      2. when processing Personal Data, to act in accordance with the requirements of the GDPR and other applicable personal data protection regulations;
      3. taking into account the state of technical development, the costs of implementation and the nature, scope, context and purposes of the processing, the Data Processor undertakes to implement appropriate technical and organisational measures to ensure a level of security of Personal Data appropriate to the risk. To ensure this, the Data Processor has also implemented the ISO/IEC 27001 standard for information security management systems. Upon receipt of a written request from the Data Controller, the Data Processor undertakes to provide information on the technical and organisational security measures applied to ensure the security of Personal Data;
      4. to ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Data Processor must obligate its employees who will process Personal Data in writing to treat all Personal Data as confidential information and not to use Personal Data for any purpose other than processing thereof on behalf of the Data Controller, to the extent necessary for the provision of the Services;
      5. taking into account the nature of the processing of Personal Data, to assist, by applying appropriate technical and organisational measures, the Data Controller in fulfilling the Data Controller’s obligation to respond to requests to exercise all rights of the Data Subject. Having received the Data Subject’s request to exercise the Data Subject’s rights, the Data Processor must immediately forward such request to the Data Controller. The Data Processor shall provide the Data Controller with all necessary information or perform other actions related to the Data Subject’s request, when these actions are necessary for the proper execution of the request to exercise the Data Subject’s rights;
      6. to assist the Data Controller in ensuring compliance with the obligations related to data security, data protection impact assessment and prior consultation (Articles 32 to 36 of the GDPR), taking into account the nature of the processing of Personal Data and the information available to the Data Processor.
    2. The Data Controller undertakes as follows:
      1. to provide the Data Processor with instructions on the processing of Personal Data in general cases in writing, unless the circumstances of the situation require a different form. Instructions submitted in a form other than in writing shall be approved in writing by the Data Controller, if so requested by the Data Processor;
      2. to submit to the Data Processor only lawful instructions compliant with the requirements of the GDPR and to have a legal basis for the processing of Personal Data;
      3. to ensure the accuracy, integrity and legality of the Personal Data disclosed to the Data Processor.
    3. The Data Controller understands that any restriction on the processing of Personal Data not caused through the fault of the Data Processor may affect the Data Processor’s ability to comply with its obligations under the Terms of Service. Therefore, in the event that the Data Controller decides to impose restrictions on the processing of Personal Data, the following steps must be taken:
      1. the Data Controller shall notify the Data Processor in writing of specific restrictions planned reasonably in advance in order to enable the Data Processor to take the necessary actions as set out below;
      2. within 5 business days after the Data Controller has notified the Data Processor of the specific restrictions, the Data Processor shall analyse the intended restrictions and provide the Data Controller with a reasoned written explanation of the possible consequences for the Data Processor’s ability to fulfil its obligations under the Terms of Service;
      3. if the Data Controller, having received a reasoned explanation from the Data Processor of the possible consequences, nevertheless decides to maintain the restrictions, the Data Controller shall assume all the relevant risks and negative consequences of such a decision.
  4. THE DATA PROCESSOR’S RIGHT TO ENGAGE DATA SUB-PROCESSORS
    1. The Data Processor shall have the right to engage third parties for the processing of Personal Data (hereinafter the ‘Sub-Processors’).
    2. The Data Controller shall grant the general permission to engage new Sub-Processors going forward. The Data Processor shall notify the Data Controller of any planned changes in relation to the engagement or changes of the Sub-Processors to which the Data Controller may object. The Data Controller shall be notified when the Data Processor updates the list of Sub-Processors on its website. If the Data Controller has not raised such an objection within thirty (30) days as of the date of update on the website, the Data Controller shall be deemed not to have objected. In the event of an objection by the Data Controller, the Data Processor shall have the right to disregard the objection of the Data Controller by submitting a reasoned written explanation.
    3. The Data Processor shall ensure that the Sub-Processors assume responsibility in accordance with the obligations set out in this Agreement and Article 28 of the GDPR.
  5. COMMUNICATION OF A PERSONAL DATA BREACH TO THE DATA CONTROLLER
    1. In the event of a possible Personal Data breach, the Data Processor shall be obligated to take the actions set out in Clauses 5.2 to 5.4 of the Agreement.
    2. The Data Processor shall notify the Data Controller without delay, but no later than 48 hours as of the moment of detection of the possible breach, by giving written notice as provided for in Sub-Clause 5.2.1. The notice must contain the information provided for in Article 33(3) of the GDPR.
    3. If the information cannot be provided to the Data Controller within the time limits set out in Clause 5.2 of the Agreement, it may be provided in stages without undue delay. In cases where the Data Processor is unable to provide certain information to the Data Controller, the Data Processor shall notify the Data Controller thereof.
  6. TRANSFER OF PERSONAL DATA
    1. The Data Processor will not transfer Personal Data to anyone (including outside the European Economic Area) without the prior written permission of the Data Controller. If such a transfer takes place, the Data Processor undertakes to comply with the requirements laid down in Chapter V of the GDPR.
  7. LIABILITY
    1. The Data Controller shall be responsible for ensuring the lawfulness of the legal basis on which the Data Processor processes Personal Data when providing the Services.
    2. The Data Processor shall not be liable for the actions of the Data Controller that are in violation of the Personal Data protection legislation.
    3. In any case, the Data Processor’s liability for damages shall be limited and may not exceed the remuneration received by the Data Processor in the last 12 (twelve) months for the services provided to the Data Controller in accordance with the Terms of Service, unless such limitation is prohibited by the legislation.
    4. The Data Processor shall not inspect, control or monitor the data uploaded by the Data Controller to the Account. This can only be done in the exceptional cases provided for in the Privacy Policy.
  8. PERFORMANCE OF AUDIT
    1. Provided that the Data Processor will not be required to provide or give access to information about (i) other customers of the Data Processor, (ii) other external or internal non-public reports of the Data Processor, the Data Controller and/or an independent auditor appointed by the Data Controller shall have the right to carry out audits and inspections of the Data Processor during the term of this Agreement in accordance with the terms and conditions set out in the Agreement. The Parties shall agree in writing on the terms and conditions, scope and other details of such audit no later than 14 business days in advance. Audits carried out on the basis of this Agreement shall be limited to the assessment of the fulfilment of the Data Processor’s obligations under this Agreement. Such audits may be carried out no more frequently than once per 12 months.
    2. The audit shall be carried out in such a way as not to disrupt the operations and obligations of the Data Processor.
    3. The representative of the Data Controller and/or the third party auditor must sign appropriate confidentiality agreements with the Data Processor.
    4. The Data Controller undertakes to reimburse the Data Processor for any expenses incurred and the time spent by the Data Processor in providing assistance in accordance with Section 8 of this Agreement (for the time spent on internal resources and measures taken to assist the Data Controller in carrying out the audit), including the expenses and time of the Sub-Processors in providing assistance as specified above, under a separate fee agreed by the Parties in writing.
  9. FORCE MAJEURE
    1. A Party shall be released from liability for non-fulfilment of obligations under the Agreement if the failure to fulfil the obligations is due to force majeure circumstances that the Party could not control or reasonably foresee at the time of conclusion of the Agreement and the occurrence of which or the consequences of which could not be prevented. A lack of financial resources of the Party concerned or a breach of obligations by its contractors shall not be considered force majeure.
    2. If the circumstances that make it impossible to perform the Agreement are temporary, the Party may be released from liability for a period that is reasonable taking into account the impact of those circumstances on the performance of the Agreement.
  10. VALIDITY AND TERMINATION OF THE AGREEMENT
    1. This Agreement shall enter into force upon the entry into force of the Terms of Service and shall remain in force for as long as the latter remain in force.
    2. If any provision of the Agreement becomes or is declared invalid in whole or in part, this shall not affect the validity of other provisions of the Agreement. In such a case, the Parties undertake to replace the invalid provision with a valid one in such a way that it is as close as possible in legal and economic terms to the invalid provision.
    3. The Parties expressly acknowledge that the validity of this Agreement is necessary for the proper performance of the Terms of Service, and therefore, upon termination or otherwise expiry of this Agreement, the Terms of Service shall automatically expire.
  11. FINAL PROVISIONS
    1. Any disagreements or disputes arising between the Parties in connection with the Agreement shall be settled by negotiation, and if the disputes cannot be so resolved, they shall be settled in the competent court of the Republic of Lithuania in Vilnius city in accordance with the laws or other regulations of the Republic of Lithuania.
    2. The Agreement and other mutual relations not covered by this Agreement shall be governed by the law of the Republic of Lithuania.