Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between DanubeData (operated by IFAS Consult SRL, "Processor", "we", "us") and you ("Controller", "Customer") for the provision of cloud infrastructure services.

This DPA reflects the parties' agreement regarding the processing of personal data in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

2. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR.
• Processing: Any operation performed on personal data as defined in Article 4(2) GDPR.
• Data Controller: The entity that determines the purposes and means of processing personal data (you, the Customer).
• Data Processor: The entity that processes personal data on behalf of the Controller (DanubeData).
• Sub-processor: Any third party engaged by the Processor to process personal data.

3. Scope and Purpose of Processing

3.1 Subject Matter

The Processor provides cloud infrastructure services including virtual private servers (VPS), managed databases, cache instances, object storage, and serverless containers. In providing these services, the Processor may process personal data on behalf of the Controller.

3.2 Nature of Processing

Processing activities include:

• Storage of data on infrastructure provided by the Processor
• Transmission of data through the Processor's network
• Backup and recovery operations
• Technical operations necessary to maintain the services

3.3 Categories of Data Subjects

The categories of data subjects are determined by the Controller and may include employees, customers, suppliers, or any other individuals whose data the Controller stores in the services.

4. Processor Obligations

The Processor shall:

• Process personal data only on documented instructions from the Controller
• Ensure that persons authorized to process personal data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist the Controller in responding to data subject requests
• Assist the Controller in ensuring compliance with security, breach notification, and impact assessment obligations
• Delete or return all personal data upon termination of services
• Make available all information necessary to demonstrate compliance

5. Security Measures

The Processor implements and maintains the following technical and organizational measures:

5.1 Technical Measures

• Encryption of data in transit using TLS 1.2 or higher
• Encryption at rest for sensitive data
• Network security with firewalls and intrusion detection
• Regular security updates and patch management
• Automated backup systems with encrypted storage
• Access logging and monitoring

5.2 Organizational Measures

• Role-based access control
• Employee confidentiality agreements
• Regular security training for personnel
• Incident response procedures
• Business continuity planning

6. Sub-processors

The Controller authorizes the Processor to engage the following categories of sub-processors:

• Hetzner Online GmbH: Data center infrastructure (Germany)
• Stripe, Inc.: Payment processing
• Postmark (ActiveCampaign): Transactional email delivery

The Processor shall notify the Controller of any intended changes to sub-processors, giving the Controller an opportunity to object.

7. Data Transfers

All personal data is processed within the European Union. Our data centers are located in Germany (Falkenstein, Nuremberg). Should any transfer outside the EU become necessary, the Processor shall ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses, adequacy decisions).

8. Data Breach Notification

In the event of a personal data breach, the Processor shall:

• Notify the Controller without undue delay (within 24 hours of becoming aware)
• Provide all relevant information about the nature of the breach
• Assist the Controller in meeting its notification obligations under GDPR
• Document the breach and remedial actions taken

9. Data Subject Rights

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under GDPR, including:

• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure (Article 17)
• Right to restriction of processing (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)

10. Audits and Inspections

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or an authorized auditor.

11. Duration and Termination

This DPA shall remain in effect for the duration of the service agreement. Upon termination:

• The Processor shall delete all personal data within 30 days
• Upon request, provide certification of deletion
• Return data in a portable format if requested before deletion

12. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. The Processor shall be liable for damages caused by processing that does not comply with GDPR or this DPA.

13. Contact Information

14. Governing Law

This DPA shall be governed by the laws of Romania and the European Union. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Satu Mare, Romania.

By using DanubeData services, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement.