
Data Processing Addendum

The agreement that governs data processing activities for personal data.

List of contents

  • Introduction
  • Definitions
  • Role and Scope of Responsibility
  • Further Subprocessing of Data
  • Security
  • Security Reports and Audits
  • Data Transfers
  • Deletion or Return of Data
  • Right of Access and Cooperation
  • Limitation of Liability
  • Term of the Agreement
  • Final Provisions
  • Annex A – Details of Data Processing
  • Annex B – Security Measures
  • Annex C – Fitssey Sub-processors

1. Introduction

This Data Processing Agreement (“DPA”) forms an integral part of and is subject to the provisions of the Terms and Conditions ("Agreement") concluded between lightenbody™, with its registered office at al. Zwycięstwa 241/13, 81-521 Gdynia, Poland, NIP 7532294721, REGON 362814110, email: [email protected] ("Service Provider"), and the other party referred to herein as the “Client,” being the individual or entity that has created a business account on Fitssey in order to use the Services provided by the Service Provider.

All capitalized terms not defined herein shall have the meaning assigned to them in the Agreement. This DPA applies exclusively to the extent that the processing of Personal Information is subject to Data Protection Law applicable within the European Economic Area (“EEA”).

2. Definitions

  • Agreement – the contract for the provision of Services entered into electronically or through one of the Websites managed by the Service Provider, between the Service Provider and the Client,

  • Personal Information – refers to personal data processed by the Service Provider on behalf of the Client as the data processor during the use of the Services, as described in this Data Processing Agreement,

  • Data Protection Law – refers to all laws regarding the protection and privacy of data applicable during the processing of Personal Information for the performance of the Agreement, including the EU Data Protection Law,

  • EU Data Protection Law – refers to Regulation (EU) 2016/679 of the European Parliament and Council of April 27, 2016, on the protection of natural persons in relation to the processing of personal data and the free movement of such data (General Data Protection Regulation - GDPR) and Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector,

  • EEA – for the purposes of this Data Processing Agreement, refers to the European Union, the European Economic Area, and/or member states,

  • Standard Contractual Clauses – refers to the standard data protection clauses approved by the European Commission,

  • Data Protection Breach – refers to a single or series of undesirable or unexpected events related to the security of the Client’s Personal Information managed by the Service Provider,

  • Sensitive Data – refers to:

    • identification number, passport number, ID card, driver’s license, student ID, or other identifying documents, including scans or copies of such documents;

    • payment or credit card number;

    • employment information, financial information, genetic, biometric, or health-related data;

    • information about racial or ethnic origin, political views, religious or philosophical beliefs, union membership, sexual orientation or sexuality;

    • account access information (password);

    • other data falling within the definition of special categories of personal data as defined by GDPR or other applicable data protection laws.

  • Subprocessor – refers to another entity processing data on behalf of the Service Provider in order to fulfill obligations under the Agreement and this Data Processing Agreement.

3. Role and Scope of Responsibility

  1. Roles of the Parties
    The Client is the administrator of the Personal Information of its clients, while the Service Provider processes the Personal Information as the data processor on behalf of the Client, in accordance with Annex A ("Details of Data Processing") attached to the Data Processing Agreement.

  2. Scope of Processing
    The Service Provider processes Personal Information solely within the scope defined in this Data Processing Agreement, in compliance with the EU Data Protection Law. The parties agree that the Agreement explicitly and conclusively defines the scope of Personal Information processing.

  3. Prohibited Data
    The Client shall not introduce any Sensitive Data for processing under this Agreement. The Service Provider shall not be liable for any Sensitive Data introduced in the event of a Data Protection Breach or otherwise. This Data Processing Agreement does not apply to Sensitive Data.

  4. Client's Obligations
    The Client represents and warrants that:

    • it will process Personal Information in compliance with all applicable Data Protection Laws;

    • it holds and will obtain all necessary consents and rights, in accordance with Data Protection Laws, to allow the Service Provider to process the Personal Information for the purposes described in the Agreement. The Client is solely responsible for the accuracy, compliance, and legality of the Personal Information and the manner in which it was obtained. The Client represents that it will comply with Data Protection Laws regarding content created, sent, or managed using the Service Provider's Services, including obtaining consents for sending marketing content.

4. Further Subprocessing of Data

  1. Authorized Subprocessors
    The Client acknowledges that the Service Provider may delegate the Personal Information covered by this Data Processing Agreement to subprocessors for further processing of Personal Information in order to fulfill the provisions of the Agreement. A list of subprocessors currently cooperating with the Service Provider is available in Annex C. The Service Provider will inform the Client of any changes to the list of subprocessors.

  2. Client's Objection to a Subprocessor
    The Client may object in writing to the designation of a new subprocessor by the Service Provider within 5 calendar days from receiving the notification, provided that the objection is justified for data protection reasons. In such a case, the Service Provider may allow the Client to suspend or terminate the Service in accordance with the provisions of the Agreement, without liability to either party.

  3. Obligations of Subprocessors
    The Service Provider will enter into a written agreement with each subprocessor that includes obligations concerning the protection of Personal Information, ensuring at least the same level of protection as provided in this Data Processing Agreement, in accordance with the nature of the services provided by the respective subprocessor. The Service Provider remains responsible for ensuring that the subprocessor complies with the obligations set forth in this Data Processing Agreement and for any actions or omissions of the subprocessor that result in the Service Provider violating any obligations under this Data Processing Agreement.

5. Security

  1. Security Measures
    The Service Provider employs appropriate organizational and technical measures to protect Personal Information from Data Breaches and to maintain the security and confidentiality of Personal Information in accordance with the security standards defined in Annex B ("Security Measures").

  2. Confidentiality of Processed Data
    The Service Provider ensures that any person authorized by the Service Provider to process Personal Information (including employees and subprocessors) is obliged to maintain full confidentiality. Personal Information will not be used, disclosed, or made available without the Client's consent, unless disclosure is required by applicable law.

  3. Updating Security Measures
    The Client is responsible for reviewing the information provided by the Service Provider regarding data security and determining whether the Service meets the Client’s requirements and legal obligations under data protection laws. The Client acknowledges that security measures are subject to technical advancements and development, and the Service Provider may occasionally update or modify the security measures, provided such updates and modifications do not diminish the overall security of the Service provided to the Client.

  4. Data Breach
    In the event of a Data Breach, the Service Provider commits to:

    • promptly notify the Client of the breach, no later than 48 hours after becoming aware of the incident;

    • provide the Client with the necessary information regarding the breach in electronic form;

    • promptly take steps to contain and investigate the breach.

  5. Client’s Responsibilities
    The Client is responsible for securely using the Service, including securely storing login credentials, maintaining security measures when entering Personal Information, and providing access to data only to authorized persons.

6. Security Reports and Audits

  1. Right to Audit
    The Service Provider provides the Client with all reasonable information necessary to confirm that the security measures taken by the Service Provider comply with the provisions of the Agreement and are in accordance with the GDPR.

  2. Security Reports
    The Client acknowledges that the Service Provider undergoes regular audits regarding PCI standards organized by an independent entity, as well as internal security controls.

  3. Security Status
    Additionally, the Service Provider will respond to any reasonable inquiries from the Client regarding security to confirm compliance with this Data Processing Agreement. These inquiries should be submitted in writing to [email protected]. The Client is entitled to exercise this right no more than once per calendar year.

7. Data Transfers

  1. Data Center Location
    The Service Provider may transfer Personal Information to other locations where the Service Provider or its Sub-processors carry out data processing operations. The Service Provider ensures that, in all such cases, the transfer will be carried out in accordance with applicable Data Protection Law.

8. Deletion or Return of Data

  1. Data Deletion
    Upon termination or cancellation of the Agreement, the Service Provider shall, at the Client’s request, either permanently delete or return all Personal Information (including existing copies), unless European Union law or the law of a Member State requires the storage of the Personal Information or backup copies thereof. In such a case, the Service Provider commits to isolate and secure the data against further processing, and to ultimately delete it in accordance with the Service Provider’s data retention policy.

9. Right of Access and Cooperation

  1. Data Subject Requests
    The Service Provider provides the Client with a range of functionalities that the Client may use to search for, correct, delete, or restrict the processing of Personal Information, which may assist the Client in fulfilling obligations under the GDPR, including responding to requests from data subjects or relevant data protection authorities. If the Client is unable to access the relevant Personal Information through the Service, the Service Provider shall, at the Client’s expense, provide reasonable assistance in responding to any inquiries from individuals or data protection authorities regarding the processing of Personal Information subject to the Agreement. If such a request is addressed directly to the Service Provider by a data subject, the Service Provider shall not respond directly without the Client’s consent, unless it is to direct the data subject to contact the Client or where legally required. If the Service Provider is obligated to respond, it shall promptly inform the Client and provide a copy of the request, unless prohibited by law in that specific case. For the avoidance of doubt, nothing in the Agreement (including this Data Processing Agreement) shall restrict or prevent the Service Provider from responding to data subject or regulatory authority requests regarding Personal Information for which the Service Provider is the data controller.

  2. Law Enforcement Requests and Court Orders
    If the Service Provider receives a law enforcement request relating to Personal Information (e.g., a subpoena or court order), the Service Provider will attempt to redirect the request to the Client. As part of this process, the Service Provider may share the Client’s basic contact information with the authorities. If the Service Provider is compelled to disclose Personal Information to law enforcement, it shall notify the Client in an appropriate manner to allow the Client to seek a protective order or other appropriate remedy, unless legally prohibited from doing so.

  3. Data Protection Impact Assessment
    To the extent required under Data Protection Law, the Service Provider shall, at the Client’s expense, provide all reasonably requested information about the Service to enable the Client to carry out a data protection impact assessment.

10. Limitation of Liability

  1. The liability of the parties arising from or related to this Data Processing Agreement (including the Standard Contractual Clauses) shall be subject to the exclusions and limitations of liability set forth in the Agreement.

11. Term of the Agreement

  1. This Data Processing Agreement shall remain in effect for the entire duration in which the Service Provider processes Personal Information on behalf of the Client, until the Agreement is terminated or cancelled (when all Personal Information has been deleted or returned in accordance with Clause 8.1).

  2. The parties agree that this Data Processing Agreement supersedes any existing documents or prior arrangements relating to data processing previously entered into by the parties in connection with the use of the Services.

  3. In the event of any conflict or inconsistency between this Data Processing Agreement and the Terms of Service, the following documents shall prevail in the order listed:

    • The Standard Contractual Clauses;

    • This Data Processing Agreement;

    • The Agreement.

  4. Notwithstanding any other provisions of the Agreement (including this Data Processing Agreement), the Service Provider shall have the right to collect, use, and disclose data relating to the use, support, and/or operation of the Service (“Service Data”) for the purpose of business operations, such as billing, account management, technical support, and product development. To the extent Service Data is considered Personal Information under Data Protection Law, the Service Provider shall be responsible for such data and shall process it in accordance with its Privacy Policy and applicable data protection regulations. For the avoidance of doubt, this Data Processing Agreement does not apply to Service Data.

12. Final Provisions

  1. In matters not regulated by this document, the provisions of EU Data Protection Law and the relevant provisions of Polish law shall apply.

  2. Any disputes between the parties shall be resolved amicably. However, if an amicable resolution is not possible, the competent court for resolving the dispute shall be the court having jurisdiction over the registered office of the Service Provider.

Annex A – Details of Data Processing

  1. Subject Matter of the Processing
    The subject matter of this Data Processing Agreement is Personal Information.

  2. Duration
    The data referred to in this Data Processing Agreement will be processed until the termination or cancellation of the Agreement, in accordance with its provisions.

  3. Purpose
    The Service Provider will process Personal Information solely for the following purposes:

    • for the performance of the Agreement concluded with the Client;

    • at the request of the Client during the use of the Services;

    • to comply with other legitimate instructions of the Client in accordance with the provisions of the Agreement.

  4. Nature and Purpose of the Processing
    The Service Provider will process Personal Information in order to provide the Services in accordance with this Data Processing Agreement.

  5. Categories of Data
    Data relating to individuals provided to the Service Provider via the Services by the Client.

  6. Types of Personal Information
    The Client may input or otherwise transmit certain Personal Information into the Service, the scope of which is typically determined and controlled by the Client at its sole discretion, and which may include the following types of personal data:

    • Employees: Identification and contact data (name and surname, address, title, contact details, username); employment-related data (job title, area of responsibility, salary information);

    • Contacts: Identification and contact data (name and surname, date of birth, gender, general data, address, contact details including email address); personal interests or preferences (including purchase history, marketing preferences, and publicly available social media data); IT information (IP addresses, usage data, cookie data, location data, browser data); payment information.

  7. Sensitive Personal Information
    The Service Provider does not intend to, and does not knowingly, collect or process any Sensitive Personal Information as part of the Services offered.

  8. Scope of the Processing
    Personal Information will be processed by the Service Provider in accordance with the Agreement (including this Data Processing Agreement) and may involve the following processes:

    • recording, storage, and other processes necessary for providing, maintaining, and improving the Services offered to the Client under the Agreement;

    • sharing of data in accordance with the Agreement and/or where required by applicable law.

Annex B – Security Measures

The technical and organizational measures implemented by the Service Provider are described here (as updated in accordance with Section 5.3 of this Data Processing Agreement).

Annex C – Fitssey Sub-processors

Name and location of the entity:

Entity | Location
Amazon Web Services | Warsaw, Poland
Cloudflare | San Francisco, USA
dcs.pl | Warsaw, Poland
Google | Dublin, Ireland
Google Cloud | Warsaw, Poland
Vimeo | New York, USA

Updated February 20, 2024


Copyright © 2015-2025 Fitssey®. All rights reserved.