Marketing Greece Tourism AI Playground

Data Processing Agreement (DPA)

Last updated: March 2, 2026

Preamble

This Agreement (including its Annexes) is incorporated into the Terms & Conditions of this Licensing Agreement entered into between the parties (hereinafter the “Main Agreement”), forming an integral part thereof and being subject to its terms.

Within the framework of the Main Agreement, the Company shall process, on behalf of the User, personal data falling under the categories of personal data specified in Annex 1 of this Agreement (hereinafter the “Personal Data”).

For the purposes of this Agreement, the terms “personal data”, “data subject”, “processing”, “controller”, “processor”, “personal data breach”, and “supervisory authority” shall have the meanings assigned to them in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the “Regulation” or “GDPR”).

Where terms defined in the Regulation are used in this Annex, those terms shall have the same meaning as in the respective Regulation.

Precedence

The terms of this DPA shall prevail over those of the Main Agreement regarding personal data processing issues. For all other matters, the terms of the Main Agreement shall remain in full force and effect.

1 Scope

1.1. The Parties agree that the Company shall process, as a Processor on behalf of the Customer acting as a Controller, specific categories of the Customer’s personal data (hereinafter “Personal Data”) related to the Main Agreement for the purposes of its execution.

1.2. This DPA exclusively governs any processing of personal data taking place in connection with the Main Agreement.

1.3. The processing of personal data by the Processor shall consist of the necessary and appropriate processing activities for the purposes of the Main Agreement, such as limited access, storage, recording, organization, structuring, disclosure by transmission, dissemination or otherwise making available, alignment, restriction, erasure, or destruction of personal data required for the provision of services under the Main Agreement, in accordance with Annex 1 herein.

1.4. The data subjects whose personal data will be processed by the Processor are the subjects listed in Annex 1 (hereinafter “Data Subjects”).

1.5. The processing of Personal Data by the Processor on behalf of the Controller may be carried out throughout the duration of this DPA and the Main Agreement.

2 Instructions

2.1. The Controller instructs the Processor to process Personal Data on its behalf and in accordance with its written instructions.

2.2. The Controller has the right to issue instructions regarding the processing of Personal Data. Each instruction must be issued in writing and comply with the Regulation and the generally applicable legislation on personal data protection (as in force from time to time, such as Greek Law 4624/2019) [hereinafter collectively “Applicable Legislation”].

2.3. The Controller shall provide the Processor with access to the Personal Data.

2.4. The Controller bears the sole responsibility for assessing whether and how, under Applicable Legislation, the Personal Data may be lawfully processed, as well as for ensuring the rights of the data subjects.

2.5. The Controller represents and warrants that it is fully compliant with Applicable Legislation, that it has lawfully collected the Personal Data, and that it lawfully assigns the processing of Personal Data to the Processor.

3 Rights and Obligations of the Parties

3.1. The Processor shall process Personal Data in accordance with Applicable Legislation, the provisions of this DPA, and the documented orders/instructions of the Controller, including with regard to transfers of personal data to a third country, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes Applicable Legislation and shall not be obliged to execute it. The Controller is solely responsible for the legality of its orders and instructions and represents and warrants that it will fully indemnify the Processor for any type of damage (direct, indirect, consequential, etc.) caused to the Processor due to the Controller’s instructions/orders and will hold the Processor harmless against any third party.

3.2. The Processor shall not process personal data for any purposes other than the provision of the Services under the Main Agreement.

3.3. The Processor shall take reasonably appropriate measures in accordance with Article 32 of the GDPR to ensure the security of Personal Data. Should the Controller require, per its written instructions, the use of specific measures for the processing of Personal Data, the Controller shall bear the cost of their implementation exclusively.

3.4. The Processor shall take reasonable steps to ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.5. At the choice of the Controller, the Processor shall delete or return all Personal Data to the Controller after the end of the provision of Services.

3.6. The Controller is solely responsible for assessing and implementing the terms for lawful processing of Personal Data and warrants that the processing assigned to the Processor meets every applicable legal requirement of lawfulness (e.g., that the Controller has informed the data subjects according to Section 2 of the Regulation, has obtained lawful prior consent, etc.).

3.7. The Controller represents, acknowledges, and warrants that:

  • (i) It will comply throughout the duration of this agreement with every applicable legal provision of the Applicable Legislation.
  • (ii) It will provide the information required by Applicable Legislation to the data subjects regarding the processing of their personal data by the Processor.
  • (iii) It will address instructions and/or orders to the Processor that fully comply with Applicable Legislation. In case of suspicion that an instruction infringes the law, the Controller must provide any necessary written clarification regarding its legality. The Controller acknowledges the Processor’s right not to follow instructions contrary to the law.
  • (iv) It bears sole responsibility for the accuracy, quality, integrity, and legality of the Personal Data provided to the Processor and guarantees to hold the Processor harmless and fully indemnified.

4 Exercise of Data Subject Rights

The Processor shall notify the Controller, promptly and without undue delay upon becoming aware, of any request received from a Data Subject regarding the processing of Personal Data. The Processor shall provide reasonable assistance to the Controller, whenever requested by the latter and to the extent possible, for the fulfillment of the Controller’s obligation to respond to Data Subjects’ requests.

The Processor shall not respond to any request, inquiry, or complaint unless it has a written order from the Controller to do so or is required by Applicable Legislation. Sole responsibility for responding to and satisfying Data Subject requests always rests with the Controller.

5 Audit Rights

5.1. The Processor shall make available to the Controller, upon request, all information reasonably required and necessary for the Controller to demonstrate compliance with the obligations laid down in Article 28 of the Regulation.

5.2. If the Controller, despite reviewing the provided information, has doubts regarding the Processor’s compliance, the Processor shall, upon reasonable prior written notice (at least ten working days), allow for and contribute to audits conducted by the Controller at the Processor’s premises and records used for the Services. The Processor reserves the right to deny access to confidential information, intellectual property, or third-party information (e.g., other clients).

5.3. The Controller shall bear the burden and be exclusively liable for the payment of all costs incurred by the Processor in the context of and for the needs of conducting such an audit.

6 Use of Sub-Processors

6.1. The Controller hereby provides a general authorization to the Processor to appoint sub-processors for the provision of Services and the execution of the Controller’s instructions (e.g., sub-processors at a 2nd or 3rd level). Sub-processors listed in Annex 2 are deemed approved by the Controller.

6.2. The Processor shall ensure that all sub-processors implement appropriate technical and organizational measures to protect Personal Data.

6.3. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes.

6.4. When the Processor engages another processor, the same data protection obligations as set out in this DPA shall be imposed on that other processor by way of a contract.

7 Personal Data Breach

The Processor shall notify the Controller without delay of any Personal Data breach in accordance with Applicable Legislation. The Processor shall provide reasonable assistance as and when requested by the Controller, taking into account the nature of processing and available information.

8 Data Protection Impact Assessment

The Processor shall provide reasonable assistance (taking into account the nature of processing and available information), as and when requested by the Controller, for the conduct of a Data Protection Impact Assessment (DPIA) and, depending on the outcome, assistance for consultation with the competent supervisory authority.

9 Data Transfers

The Processor may transfer or cause the transfer of Personal Data to destinations and recipients outside the European Economic Area (EEA) by taking appropriate measures to ensure an adequate level of protection (e.g., signing Standard Contractual Clauses — SCCs).

10 Duration

This DPA shall last for as long as the Processor provides the Services under the Main Agreement.

11 Liability

11.1. The liability of the Processor towards the Controller and vice versa regarding breaches of this DPA shall be governed by Greek Law.

11.2. The Processor has no liability nor obligation to indemnify the Controller if acting according to the Controller’s instructions. The Processor shall indemnify the Controller only in cases of willful misconduct or gross negligence.

11.3. In cases of force majeure or events beyond the Processor’s control, the Processor shall have no liability or obligation to indemnify.

11.4. In case of breach of the law or this DPA by the Controller, the Controller is obliged to fully indemnify the Processor for any type of damage (including administrative fines or data subject compensations) and hold the Processor harmless.

12 Applicable Law & Jurisdiction

The interpretation, validity, and performance of this DPA shall be governed by Greek Law. Conflict of law rules shall not apply. The Courts of Athens, Greece, shall have exclusive jurisdiction over any dispute, including interim measures.

13 Miscellaneous

13.1. This Agreement contains the entire agreement between the parties with respect to the subject matter hereof and supersedes and expressly cancels any prior agreement, oral or written, between the parties in relation to the purpose stated herein.

13.2. In the event that any term of this Agreement is deemed invalid or unenforceable by a competent court or authority due to amendments in the applicable legislation or its interpretation, the validity of the remaining terms of this Agreement shall not be affected. In such a case, the contracting parties shall negotiate in good faith the required amendments to this Agreement, so that it harmonizes with the applicable legislation.

13.3. The contracting parties may amend this Agreement from time to time in writing.

Annex 1: Description of Processing

1. Categories of data subjects

Categories of data subjects under the control of the Controller, such as existing or prospective customers, employees, partners, and subjects whose data are provided by the Controller or at its instruction, including through the services of Third-Party Providers.

2. Categories of personal data processed

  • Identification data (e.g., full name)
  • Contact data (e.g., email address)
  • Professional details (e.g., job title, corporate relationship, professional preferences)
  • Any other personal data included within the User Content

3. Special Categories of Personal Data (Sensitive Data)

None. The processing of special categories of personal data is prohibited.

4. Processing Activities

Limited access, storage, recording, organization, structuring, disclosure by transmission, dissemination or otherwise making available, alignment, restriction, erasure, or destruction of personal data.

5. Purposes of processing

The provision of services and the execution of the Main Agreement.

6. Duration of Processing

The processing of personal data by the Processor is carried out exclusively for the provision of the Services and the execution of the Main Agreement on behalf of the Controller. The Services are provided on a per-session basis, and the Application does not store or maintain personal data after the completion of each session/use by the User.

Annex 2: Sub-Processors

The Controller hereby accepts the following sub-processors engaged by the Processor:

Sub-processor | Purpose of Processing | DPA between Processor & Sub-processor
OpenAI | Processing & AI-Powered Output Generation | OpenAI Data Processing Addendum
Sentry | Performance monitoring, troubleshooting, and incident logging | Data Processing Addendum
Neon | Database Management & Persistence | Data Processing Addendum
Pinecone | Database service for storing and retrieving embeddings | Data Processing Addendum

Annex 3: Security Measures

The Processor, taking into account the latest developments, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons arising from processing, maintains appropriate security measures (technical and organizational) to ensure a level of security appropriate to the risks of processing. The Processor has the right to choose at its discretion the specific security measures it considers appropriate at any given time, taking into account the aforementioned factors.

The measures it implements include, indicatively:

  • 1. Pseudonymization and Encryption Measures

    Appropriate encryption measures for personal data are applied both during transit, through the use of appropriate security protocols (TLS/HTTPS), and at rest, at the data storage infrastructure level. Credentials (API keys, tokens) are managed exclusively through secure execution environments (environment variables), without being embedded in the source code.

  • 2. Measures to ensure confidentiality, integrity, availability, and reliability of processing systems and services on an ongoing basis and to prevent vulnerabilities

    The platform ensures continuous confidentiality, integrity, and availability of processing systems through strict access controls and the application of the “Least Privilege” model. System configurations follow “security by design” practices, while the infrastructure ensures reliability against common threats (e.g., SQL injection, SSRF) through input validation and parameterized queries. Furthermore, for secure content management, strict policies are applied during file uploads, including file type acceptance filters (MIME whitelist) and size limitations.

  • 3. Measures to ensure the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident

    In the event of a physical or technical incident, procedures are applied that ensure the restoration of service availability and access to data in a timely manner, based on modern cloud infrastructures that provide high availability and resilience.

  • 4. Measures for regular testing, assessment, and evaluation of effectiveness

    The Data Processor carries out regular monitoring of the effectiveness of security measures through systematic logging of security incidents and structured audits. Monitoring mechanisms are used to ensure immediate response to errors, while the principle of privacy protection is observed through automated redaction of personal data from log files. In addition, error messages returned by the system are designed not to reveal technical details or code structures (stack traces), protecting the system’s security.

  • 5. Measures for identification, authorization, and access restriction

    User identification and authorization measures are applied for every request to the platform (via API keys and tokens). All data transmitted or stored is protected from unauthorized access, with restrictions that prevent the exposure of internal system details. Additionally, Rate Limiting systems are applied at multiple levels to prevent abuse, as well as access control policies through a whitelist of allowed domains (CORS Whitelist) and enhanced verification for sensitive administrative actions.

  • 6. Measures for ensuring data minimization and limited retention

    Data processing is governed by the principle of minimization. Data is processed in memory wherever possible, without permanent storage on disk where this is not required. Measures are applied to ensure data quality, and retention is limited to the strictly necessary time period.

  • 7. Measures for ensuring accountability

    The Data Processor ensures accountability through the maintenance of audit logs for all critical administrative actions.

  • 8. Personnel Management, Training, Confidentiality

    Personnel responsible for the supervision and control of the Application have defined organizational roles, duties, and responsibilities. Each member of such personnel receives access rights exclusively to data necessary for the performance of their specific duties, according to the role assigned to them. Personnel are selected based on their technical training, education, and practical experience in data protection matters, and are committed in writing to maintaining secrecy and confidentiality, in accordance with applicable law.
