Last Updated: January 15, 2024 (Version 1.0.0)
Reporfy, S.L.U
This Agreement pertains to the contractual relationship between Reporfy, S.L.U, located at Calle Pascual y Genis, 20-3. 46002 Valencia, Spain (referred to as the "Processor") and the customer (referred to as the "Customer"). The Parties, which include the Processor and the Customer, have entered into an agreement (referred to as the "Contract") for the provision of the Processor's software to the Customer. Within the scope of this Contract, it is possible that the Processor may handle personal data as defined in Article 4, Paragraph 1 of the General Data Protection Regulation ("GDPR"). Personal data includes any information related to identified or identifiable natural persons (such as names, addresses, or phone numbers of individuals who are customers of the Customer). The Customer, in this context, acts as a data controller under data protection law. This Agreement outlines the respective data protection obligations and rights of the Parties concerning the Processor's utilization of Customer Data to deliver services as stipulated in the Contract.
2.1. The Processor shall undertake the processing of Customer Data on behalf of and in accordance with the instructions provided by the Customer, as defined in Article 28 of the GDPR. The Customer shall retain its status as the data controller as per Article 28 of the GDPR.
2.2. The processing of Customer Data by the Processor shall occur in the manner, scope, and for the purposes specified in Annex 1 of this Agreement. This processing pertains to the types of personal data and categories of data subjects as detailed therein. The duration of the processing aligns with the duration of the Contract.
2.3. The Processor retains the option to anonymize or aggregate the Customer Data to a degree where the identification of individual data subjects is no longer possible. These anonymized and aggregated data may be utilized for purposes such as tailored design, machine learning, development, optimization, and the provision of services as agreed upon in the Contract. Both Parties acknowledge that such anonymized and aggregated Customer Data, as per the aforementioned criteria, are not considered Customer Data for the purposes of this Agreement.
2.4. The Processor may, within the bounds of data protection law, process and utilize the Customer Data for its own purposes as a data controller. This usage is subject to legal permissions and is not governed by this Agreement.
2.5. The processing of Customer Data by the Processor will primarily occur within the European Union or another state that is a party to the European Economic Area (EEA) agreement. However, the Processor is allowed to process Customer Data outside the EEA in compliance with the provisions of this Agreement, provided that the Processor informs the Customer in advance (e.g., through the privacy policy) regarding the location of data processing. Additionally, such processing outside the EEA must meet the requirements specified in Articles 44 to 48 of the GDPR or fall under an exception as defined in Article 49 of the GDPR.
3.1. The Processor is responsible for processing Customer Data in accordance with the instructions provided by the Customer, unless there is a legal obligation to do otherwise. If the Processor is legally required to deviate from the Customer's instructions, the Processor will inform the Customer of this legal requirement before proceeding, unless such notification is prohibited by law for significant public interest reasons.
3.2. The instructions given by the Customer are primarily defined and documented in the terms of this Agreement. Any individual instructions that differ from the terms of this Agreement or impose additional requirements will require the explicit consent of the Processor.
3.3. The Processor is obligated to ensure that Customer Data is processed in accordance with the instructions provided by the Customer. If the Processor believes that a Customer instruction contradicts the terms of this Agreement or applicable data protection laws, the Processor has the right, after notifying the Customer, to suspend the execution of the instruction until the Customer confirms it. Both Parties acknowledge that the ultimate responsibility for the processing of Customer Data in line with the instructions rests with the Customer.
4.1. The Customer bears full responsibility for ensuring that the processing of Customer Data is conducted in compliance with legal requirements and for safeguarding the rights of data subjects in the relationship between the Parties. In the event that third parties make claims against the Processor related to the processing of Customer Data in accordance with this Agreement, the Customer shall promptly indemnify the Processor against all such claims upon first request.
4.2. It is the Customer's responsibility to provide the Processor with Customer Data in a timely manner for the provision of services under the Contract, and the Customer is accountable for the quality of the Customer Data. If, during the examination of the results provided by the Processor, the Customer identifies errors or irregularities related to data protection provisions or Customer instructions, the Customer must promptly and fully inform the Processor.
4.3. Upon request, the Customer must furnish the Processor with the information specified in Article 30, paragraph 2 of the GDPR, to the extent that such information is not already available to the Processor.
4.4. In cases where the Processor is obliged to provide information to a government authority or individual regarding the processing of Customer Data or to cooperate with such entities in any manner, the Customer is obligated to assist the Processor in fulfilling such information requests and other appropriate cooperation obligations upon the Processor's first request.
The Processor is obligated to require all individuals involved in the processing of Customer Data to maintain confidentiality regarding the handling of Customer Data.
6.1. Security of the processing of Customer Data is ensured through the implementation of necessary and appropriate technical and organizational measures as specified in Article 32 of the GDPR. These measures take into consideration the current state of technology, the costs of implementation, the nature, scope, context, and purposes of the Customer Data processing, as well as the varying risks to the rights and freedoms of data subjects. The aim is to guarantee an appropriate level of protection for Customer Data in line with the associated risks. The specific technical and organizational measures are detailed in Annex 6.1 of this Agreement.
6.2. The Processor reserves the right to modify these technical and organizational measures during the term of this Agreement, provided that such modifications continue to align with the legal requirements for data protection.
7.1. The Customer grants the Processor general authorization to engage further processors for the processing of Customer Data. A list of further processors engaged at the time of this Agreement's conclusion is provided in Annex 2. Generally, no specific authorization is required for contractual relationships with service providers that involve the examination or maintenance of data processing procedures or systems by third parties or that entail other additional services, even if such relationships may involve access to Customer Data. However, the Processor is obligated to take reasonable steps to ensure the confidentiality of Customer Data in such cases. To receive notifications regarding the addition or replacement of existing subprocessors, the Customer may subscribe to a mailing list using the provided link. Notifications of subprocessor changes will be sent at least 14 days prior to any modifications, allowing the Customer the opportunity to raise objections. The Customer can only object to such changes for substantial reasons, which must be substantiated to the Processor. If the Customer does not raise objections within 14 days of receiving the notification, their right to object to the engagement of the subprocessor will expire. In the event of an objection, the Processor is entitled to terminate the Contract and this Agreement, with a notice period of three months effective until the end of a month.
7.2. Any agreement between the Processor and a further processor must impose obligations on the further processor that are equivalent to those imposed on the Processor by this Agreement. The Parties agree that this requirement is satisfied if the contract provides a level of protection equivalent to that outlined in this Agreement.
7.3. The provisions of this Section 7 also apply if a further processor in a third country is involved, provided that the requirements of Section 2.5 of this Agreement are met. The Customer authorizes the Processor to enter into an agreement with another processor on behalf of the Customer, based on the standard contractual clauses for the transfer of personal data to processors in third countries, as per the decision of the European Commission dated June 5th, 2021. The Customer expresses its willingness to cooperate in fulfilling the requirements of Article 49 of the GDPR as necessary.
8.1. The Processor shall reasonably assist the Customer in fulfilling the Customer's obligations to respond to requests for exercising data subjects' rights.
8.2. If a data subject submits a request directly to the Processor to exercise their rights, the Processor will promptly forward this request to the Customer.
8.3. The Processor shall inform the Customer about any information related to the stored Customer Data, recipients of Customer Data to whom the Processor may disclose it as per the Customer's instructions, and the purpose of storage, provided the Customer does not already possess this information and cannot collect it independently.
8.4. Within reasonable and necessary limits, the Processor shall facilitate the Customer in correcting, deleting, or restricting the further processing of Customer Data, or the Processor will carry out such actions at the Customer's instruction if the Customer is unable to do so. In such cases, the Processor shall be entitled to reimbursement for expenses and costs incurred, substantiated to the Customer.
8.5. If a data subject has a right to data portability vis-à-vis the Customer regarding Customer Data as per Article 20 of the GDPR, the Processor shall assist the Customer within reasonable and necessary bounds in providing the Customer Data in a structured, commonly used, and machine-readable format if the Customer is unable to obtain the data elsewhere. In such cases, the Processor shall be entitled to reimbursement for expenses and costs incurred, substantiated to the Customer.
9.1. The Processor shall promptly inform the Customer of any reportable security breaches regarding Customer Data that fall under the Processor's responsibility. If the Customer has a legal obligation to notify authorities or data subjects of such breaches (particularly under Articles 33 and 34 of the GDPR), the Processor shall support the Customer in fulfilling these notification obligations upon the Customer's request, to the extent that it is reasonable and necessary. The Processor shall be entitled to reimbursement for the expenses and costs incurred in providing such support, which shall be substantiated to the Customer.
9.2. The Processor shall also assist the Customer, as necessary and reasonable, in conducting data protection impact assessments and any subsequent consultations with the supervisory authority, as required by Articles 35 and 36 of the GDPR. In such cases, the Processor shall be entitled to reimbursement for the expenses and costs incurred in providing assistance, which shall be substantiated to the Customer.
10.1. Upon termination of this Agreement, the Processor shall, at the Customer's discretion:
a) Either delete or return the Customer Data to the Customer.
b) Delete any existing copies of the Customer Data.
10.2. However, the Processor may retain documentation that serves as evidence of the proper and accurate processing of Customer Data, even after the termination of this Agreement. This retention may be necessary for compliance with legal obligations.
11.1. The Processor is obligated to furnish the Customer, upon request, with all necessary information to demonstrate adherence to the obligations specified in this Agreement.
11.2. The Customer holds the right to conduct audits, including inspections, of the Processor's operations to ensure compliance with the terms outlined in this Agreement, especially pertaining to the implementation of technical and organizational measures.
11.3. For audit purposes in accordance with Section 11.2, the Customer is authorized to access the Processor's business premises where Customer Data is processed during regular business hours (from Monday to Friday, 10 am to 6 pm). This access must be preceded by timely notification, as described in Section 11.5, and it will be at the Customer's expense. The audit should not disrupt the Processor's normal business operations and must be conducted with strict confidentiality regarding the Processor's business practices and proprietary information.
11.4. The Processor, at its discretion, may choose not to disclose sensitive information about its business, especially if such disclosure would breach statutory regulations or other contractual obligations. The Customer's access during the audit is limited to information directly related to the agreed audit objectives and does not extend to data about the Processor's other clients, financial details, quality control, contract management reports, or any other confidential information not relevant to the audit.
11.5. The Customer is responsible for informing the Processor well in advance, typically at least two weeks beforehand, of all circumstances related to the audit. The Customer may perform one audit per calendar year, not exceeding this limit.
11.6. In cases where the Customer engages a third party to conduct the audit, the Customer is required to impose the same obligations on the third party as those imposed on the Customer concerning the Processor, as detailed in this Section. Furthermore, a written agreement must obligate the third party to maintain confidentiality, unless they are subject to a professional obligation of secrecy. Upon request from the Processor, the Customer must promptly provide the Processor with copies of the commitments and confidentiality agreements with the third party. The Customer is prohibited from commissioning any of the Processor's competitors to carry out the audit.
11.7. At the Processor's discretion, instead of conducting an audit, proof of compliance with the obligations under this Agreement may be provided by submitting a current opinion or report from an independent authority (e.g., auditor, audit department, data protection officer, IT security department, data protection auditors, or quality auditors) or a relevant certification in IT security or data protection audit (referred to as the "Audit Report"). The Audit Report should sufficiently demonstrate the Processor's adherence to the contractual obligations defined in this Agreement, allowing the Customer to be reasonably assured of compliance.
The duration and termination of this Agreement align with the term and termination provisions established in the Contract. If the Contract is terminated, this Agreement is automatically canceled. Terminating this Agreement in isolation is not possible.
13.1. The Processor's liability as defined in this Agreement adheres to the disclaimers and liability limitations as outlined in the Contract. In cases where third parties assert claims against the Processor due to the Customer's culpable breach of this Agreement or any of the Customer's obligations as the data controller under data protection regulations, the Customer is obligated to indemnify and absolve the Processor from these claims upon initial request.
13.2. Furthermore, the Customer commits to indemnify the Processor upon initial request for any potential fines imposed on the Processor, which are proportionate to the Customer's share of responsibility for the violation that led to the imposition of the fine.
14.1. If any individual provisions of this Agreement are found to be ineffective, become ineffective, or contain gaps, the remaining provisions shall remain valid and unaffected. The Parties commit to replacing the ineffective provision with a legally permissible provision that best serves the purpose of the ineffective provision and satisfies the requirements of Art. 28 GDPR.
14.2. In the event of conflicts between this Agreement and other agreements between the Parties, especially the Contract, the provisions of this Agreement shall take precedence.
Further Information on the Processing of Customer Data
Technical and Organizational Measures according to Art. 32 GDPR
In compliance with Art. 32 of the General Data Protection Regulation (GDPR), both the data controller and the data processor are obliged to implement technical and organizational measures (TOM) to ensure that the security and data protection requirements are met. Technical measures encompass all safeguarding actions that can be physically implemented, including physical security measures like securing physical access points such as doors and windows, as well as software and hardware measures such as enforcing user account and password requirements. Organizational measures, on the other hand, consist of protective measures that are established through instructions, protocols, and procedures. These measures are essential to ensure the security and privacy of personal data in accordance with GDPR regulations.
Further Processors