Data Processing Agreement (DPA)
This Data Processing Agreement (hereinafter – the “Agreement”) is an integral part of the Einpix Terms & Conditions and applies to all clients using Einpix services (hereinafter – the “Controller”).
In this Agreement, UAB “Epicus IT”, company code 304459986, registered address Italų g. 12A-1, LT-11329 Vilnius, Lithuania, acts as the data processor (hereinafter – the “Processor”).
By using Einpix services, the Controller confirms that it has familiarized itself with this Agreement and agrees to its terms.
This Agreement establishes the conditions for the processing of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and other applicable legal acts.
1. SUBJECT MATTER OF THE AGREEMENT
1.1. This Agreement regulates the rights and obligations of the Parties related to the processing of personal data (hereinafter – the “Data”, “Personal Data”) (collection, recording, sorting, systematisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination with other data, restriction, erasure or destruction, or any combination of such operations), which is carried out by the Processor on behalf of the Controller in the performance of the service agreement concluded between the Parties or the Einpix Terms & Conditions (hereinafter – the “Main Agreement”).
1.2. This Agreement ensures that the Processor implements appropriate technical and organisational measures in such a way that processing complies with the requirements of the GDPR and ensures the protection of the rights of data subjects.
1.3. The Data processed by the Processor is specified in Annex No. 1 to this Agreement.
1.4. This Agreement does not regulate the processing of personal data that is not carried out on behalf of the Controller.
2. OBLIGATIONS OF THE PROCESSOR
2.1. Scope of Processing
2.1.1. The Processor shall process only the Data specified in Annex No. 1 to this Agreement. The Data shall be processed exclusively to the extent necessary for the performance of the Main Agreement. The Processor shall process the Data only in accordance with this Agreement, the Main Agreement, and other written instructions and guidelines provided by the Controller, ensuring the confidentiality of the Data. If the Processor considers that the instructions provided to it contradict national and/or European Union legal acts regulating personal data protection, it must immediately inform the Controller.
2.1.2. It shall be considered that the Controller’s use of the system and services provided by the Processor under the Main Agreement constitutes documented data processing instructions within the meaning of Article 28 of the GDPR. The Processor shall process personal data only in accordance with these instructions, except where processing is required by applicable legal acts.
2.2. Data Confidentiality
2.2.1. The Processor shall not disclose the Data to third parties, except in cases established by law.
2.2.2. The Processor shall ensure that its employees or other persons who have access to the Data will comply with the requirements of this Agreement, including the requirement to ensure the confidentiality of the Data, and are bound by confidentiality obligations or are subject to an appropriate statutory obligation of confidentiality.
2.2.3. The Processor shall be responsible for the confidentiality and security of the processed Data from the moment of receipt of the Data. If a threat is identified or reasonable suspicions arise regarding a threat to the confidentiality of the processed Data and/or if the Processor cannot adequately ensure the security of the processed Data, the Processor shall inform the Controller and shall have the right to suspend the processing of the Data, unless the Agreement provides otherwise.
2.2.4. The Processor shall not transfer the Data to third countries (outside the EU/EEA) or international organizations, except where such transfer is carried out in accordance with the conditions set out in Section 2.6 of this Agreement or where such transfer is required by EU or Member State law applicable to the Processor. In such a case, the Processor undertakes to inform the Controller of such a legal obligation before starting to process the Data, unless such notification is prohibited by applicable law due to important public interest reasons.
2.2.5. The obligation of confidentiality shall remain in force even after the Processor has completed the specific assignment given to it.
2.3. Security of Processing
2.3.1. The Processor undertakes, before starting the processing of Data, at its own expense to implement technical and organizational measures intended to protect the Data against accidental or unlawful destruction, alteration, disclosure or other unlawful processing. Such measures must ensure a level of security appropriate to the nature of the Data to be protected and the risks arising from such processing.
2.3.2. The Processor must carry out a risk analysis of activities related to the processing of Personal Data. Based on the assessment results, the Processor must ensure appropriate security measures, i.e. technical and organizational measures necessary to ensure the security of Personal Data, as well as ensure the security of premises, equipment, systems and software in order to reduce the identified risk. The Processor ensures that the measures applied comply with standard market practice and GDPR requirements, including:
2.3.2.1. The use of appropriate access control systems enabling the prompt granting and revocation of access rights to Personal Data;
2.3.2.2. Ensuring that access rights to Personal Data are granted only to authorized persons;
2.3.2.3. Ensuring that any processing of Personal Data is carried out in accordance with the Controller’s instructions.
2.3.3. The Processor must restrict access to Personal Data in such a way that only properly trained personnel are responsible for the processing of Personal Data and that Personal Data is accessible only to those persons who need to know such Personal Data. The Processor must ensure that persons who have access to Personal Data comply with confidentiality obligations.
2.3.4. The Processor must ensure at least the proper implementation of the following measures:
2.3.4.1. Pseudonymization and encryption of Personal Data, if such requirements are established by the Controller in the service agreement or if this is required due to the nature and scope of the processed Personal Data;
2.3.4.2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
2.3.4.3. The ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident;
2.3.4.4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.
2.3.5. The Processor must also implement the following measures:
2.3.5.1. Physical access control to computer equipment and removable data storage devices containing Personal Data, for example by locking equipment in the Processor’s premises and not granting access when it is not supervised, thereby ensuring protection against unauthorized use, impact or theft;
2.3.5.2. Processes ensuring reliable restoration of Personal Data from backups;
2.3.5.3. Access control, whereby permissions to process Personal Data are managed through a dedicated system. Access rights must be granted only to those persons for whom Personal Data is necessary for the performance of their job functions. Usernames and passwords must be personal and may not be transferred to anyone else. The Processor must also establish procedures for transferring and revoking access rights;
2.3.5.4. The ability to log access to Personal Data. The Processor must ensure the possibility to monitor access history to databases or software and provide such information upon a justified request of the Controller, while ensuring confidentiality and security requirements;
2.3.5.5. Secure communication through external data transmission channels and technical measures ensuring restricted remote access to Personal Data, including encryption of data transmitted through external channels;
2.3.5.6. Processes ensuring the destruction of unused stationary and mobile data storage media containing Personal Data;
2.3.5.7. Standard automated or manual procedures for deleting data and its backups (including audit logs) from all operating systems;
2.3.5.8. Standard procedures for entering into confidentiality agreements with suppliers providing maintenance and repair services for equipment used to store Personal Data;
2.3.5.9. Standard supervision procedures for services provided by suppliers on the Processor’s premises.
2.3.6. At the request of the Controller, the Processor must provide information in writing about the applied Personal Data protection measures to the extent reasonably necessary for the Controller to verify compliance with GDPR requirements. Such information shall be provided subject to confidentiality and protection of commercial secrets and may include information about where Personal Data is stored, who has access rights to it, and how such access rights are granted and managed. The Processor must notify the Controller of significant changes related to the applied protection measures that may have a material impact on the security of Personal Data.
2.3.7. The Processor shall immediately inform the Controller of any circumstances that may prevent the processing of Data in accordance with this Agreement. In such a case, the Controller has the right to prohibit further processing of Data.
2.4. Cooperation with the Controller and Supervisory Authority
2.4.1. The Processor undertakes to cooperate with the Controller in the event that a data subject expresses a wish to exercise their rights, including but not limited to the right of access to Data, rectification or erasure of Data, restriction of processing, the right to data portability, and the right to object to processing. If the Processor receives a request from a data subject related to the processing of Data, the Processor must immediately forward such request to the Controller. The Processor shall act on such requests only in accordance with the Controller’s instructions.
2.4.2. The Processor undertakes to cooperate with the Controller in ensuring the security of Data processing, as well as in cases where there is an obligation to notify the supervisory authority of a personal data breach, to notify data subjects of such a breach, or to carry out a data protection impact assessment.
2.4.3. The Processor undertakes to notify the Controller without undue delay (no later than within 72 hours from becoming aware of the breach) in writing or by email of any Personal Data breach.
2.4.4. The Processor’s notification shall include at least:
2.4.4.1. The nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
2.4.4.2. A description of the likely consequences of the personal data breach;
2.4.4.3. A description of the measures taken or proposed to be taken by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
2.4.5. Where the information cannot be provided at the same time, it may be provided in phases without undue delay.
2.4.6. The Processor undertakes to document all personal data breaches, including the facts relating to the breach, its effects, and the remedial actions taken.
2.4.7. The Processor shall provide the Controller with information necessary to demonstrate compliance with the obligations set out in this Agreement and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor authorized by the Controller. Audits shall be carried out upon prior written notice of at least 30 calendar days, during working hours, no more than once per year, unless required by a supervisory authority or in the event of a personal data breach. Audits must be conducted in a manner that does not unreasonably disrupt the Processor’s operations and ensures the protection of confidential and commercial information. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable law.
2.4.8. If the Processor considers that the processed Data is incorrect, insufficient or inaccurate, the Processor shall inform the Controller no later than within five working days.
2.5. Engagement of Third Parties
2.5.1. The Controller grants a general prior authorization to the Processor to engage sub-processors. The current list of sub-processors is published on the Processor’s website at: https://einpix.com/en/subprocessors/. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 10 working days in advance by updating the list and/or providing notice via email or other customary means. The Controller has the right to object within 10 working days. If no objection is raised, consent is deemed granted. If the Controller objects and no solution is found, the Controller may terminate the Main Agreement. The Processor ensures that each sub-processor is bound by a contract ensuring at least the same level of data protection.
2.5.2. The Processor shall remain fully liable for the actions and omissions of its sub-processors as for its own. The Processor ensures that each sub-processor is bound by written obligations no less protective than those set out in this Agreement, including implementation of appropriate security measures in accordance with Article 28 GDPR.
2.6. Transfer of Data to Third Countries
2.6.1. If the Processor engages a Sub-processor located outside the European Union or the European Economic Area (EU/EEA), the transfer of Personal Data shall be carried out only where there is a lawful basis in accordance with Chapter V of the GDPR, including the Standard Contractual Clauses (SCC) approved by the European Commission, a valid adequacy decision, or another lawful data transfer mechanism.
For the avoidance of doubt, the same requirement shall also apply where the Data is stored within the EU/EEA but may be accessed from outside the EU/EEA.
The engagement of such a Sub-processor shall be subject to the general prior authorization and notification procedure set out in Section 2.5 of this Agreement.
2.6.2. If the Controller approves such transfer of Data, the Processor undertakes to cooperate with the Controller to ensure that the transfer complies with the requirements of applicable legal acts.
2.7. Data Subject Information and Disclosure
2.7.1. The Controller undertakes to provide data subjects with all necessary information regarding the processing of their Data for the purposes of this Agreement.
2.7.2. If data subjects, supervisory authorities or any third parties request information from the Processor regarding the processing of Data described in this Agreement, the Processor shall immediately forward such request to the Controller. The Processor shall not act on behalf of the Controller or in any capacity as its representative, nor disclose the Data to any third parties.
2.8. Exercise of Data Subject Rights
2.8.1. Where a data subject submits a request to the Processor regarding the exercise of their rights, the Processor shall immediately forward such request to the Controller.
2.8.2. The Processor undertakes to assist the Controller in the exercise of data subject rights to the extent that such rights are related to the processing of Data carried out by the Processor.
2.9. Data Protection Officer
2.9.1. Where a Data Protection Officer is appointed, if required under Article 37 of the GDPR, the Processor shall inform the Controller in writing of the name (or business name) and contact details of the appointed Data Protection Officer.
2.9.2. The Processor shall inform the Controller without undue delay of any changes to the Data Protection Officer or their contact details.
2.10. Records of Processing Activities
2.10.1. The Processor undertakes to maintain records of all categories of processing activities carried out on behalf of the Controller, which shall include:
2.10.1.1. The name and contact details of the Controller on whose behalf the Processor is acting, as well as, where applicable, the name and contact details of the Controller’s Data Protection Officer;
2.10.1.2. The categories of processing carried out on behalf of the Controller;
2.10.1.3. Where applicable, transfers of Personal Data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in Article 49(1), second subparagraph of the GDPR, documentation of appropriate safeguards;
2.10.1.4. Where possible, a general description of the technical and organizational security measures.
2.10.2. Upon request of the Controller, the Processor shall, without undue delay, provide a copy of the records of processing activities carried out under this Agreement.
2.11. Duration of Processing
2.11.1. The Processor shall process the Data for as long as the Main Agreement is in force and to the extent necessary for the provision of services under it. Upon termination of the Main Agreement or this Agreement, the processing of Data shall cease, and the procedure for Data export and deletion shall be carried out in accordance with Clauses 5.2–5.4 of this Agreement.
2.11.2. After the expiry of the 30 calendar day Data export period set out in Clause 5.2, the Processor shall cease processing and delete or anonymize the Data in accordance with Clauses 5.3 and 5.4 of this Agreement, except where applicable legal acts require longer retention or where Data is stored in backups in accordance with standard backup policies, subject to appropriate technical and organizational safeguards.
3. OBLIGATIONS OF THE CONTROLLER
3.1. The Controller guarantees to the Processor that:
3.1.1. It has an appropriate legal basis for processing the Data;
3.1.2. It has the right to engage the Processor for the processing of Data;
3.1.3. It has provided data subjects with the information required under applicable law.
3.2. The Controller undertakes to:
3.2.1. Provide the Processor with the Data specified in this Agreement and necessary for the provision of services under the Main Agreement;
3.2.2. Ensure the accuracy, reliability, and lawfulness of the Data provided;
3.2.3. Provide any instructions applicable to the Processor in writing;
3.2.4. Ensure that only Data which is lawfully processed and may be lawfully transferred to the Processor is transferred under this Agreement.
4. LIABILITY AND DISPUTE RESOLUTION
4.1. Each Party shall be liable for breaches of its obligations under this Agreement in accordance with applicable legal acts. The Processor’s liability for breaches related to this Agreement shall be limited to the liability cap set out in the Main Agreement, except in cases where damage is caused intentionally or through gross negligence. Neither Party shall be liable for indirect or consequential damages, except where such liability cannot be limited under applicable law.
4.2. All disputes arising out of or in connection with the performance, amendment, or termination of this Agreement shall be resolved through negotiations.
4.3. If the Parties fail to reach an agreement through negotiations, disputes shall be resolved in the competent court of the Republic of Lithuania, in accordance with the laws of the Republic of Lithuania, unless applicable legal acts provide for mandatory jurisdiction otherwise.
5. BREACH OF OBLIGATIONS AND TERMINATION
5.1. Where the Controller becomes aware that the Processor processes Data in breach of this Agreement or violates its obligations under data protection laws, the Controller shall have the right to require the Processor to immediately cease any further processing of Data. In such case, the Processor shall inform the Controller how it complies with the data protection requirements set out in this Agreement and applicable legal acts. The Controller, having assessed the information provided by the Processor, may resume the provision of Data. If the Processor fails to inform the Controller how the data protection requirements are complied with, the Controller shall have the right to unilaterally terminate the Agreement in accordance with Clause 6.3.3.
5.2. Upon termination of this Agreement or the Main Agreement, the Controller shall be given the possibility to export the Data using system functionality within 30 calendar days from the date of termination.
5.3. After the expiry of the period set out in this Clause, the Processor shall delete or anonymize the Data, except where applicable legal acts require longer retention.
5.4. The Processor may retain minimal backup copies to the extent necessary to comply with legal obligations or to implement backup policies, subject to appropriate technical and organizational safeguards.
6. VALIDITY OF THE AGREEMENT
6.1. This Agreement shall enter into force from the moment the Controller starts using Einpix services and shall remain in force for the entire period of service use.
6.2. This Agreement is concluded for an indefinite period and shall remain valid as long as the Main Agreement is in force.
6.3. This Agreement shall terminate when:
6.3.1. It is terminated upon termination of the Main Agreement;
6.3.2. The Controller unilaterally terminates the Agreement by providing written notice to the Processor at least 30 working days prior to the intended termination date;
6.3.3. Either Party unilaterally terminates the Agreement where the other Party breaches the provisions of this Agreement and fails to remedy the breach within 15 working days from the date of receipt of the notice requiring remedy;
6.3.4. Either Party loses the right to process Data (for example, no longer has a legal basis for processing Data or a public authority adopts a decision to suspend Data processing).
7. FINAL PROVISIONS
7.1. The Processor shall have the right to update this Agreement by publishing the current version on its website. The Processor shall inform the Controller of material changes by email or other customary means. If the Controller does not submit a reasoned objection within 30 calendar days from receipt of the notice and continues to use the services under the Main Agreement, it shall be deemed that the Controller agrees to the updated version of the Agreement. From the moment this Agreement is published on the website, the version published on the website shall be considered the official and valid version.
7.2. This Agreement is published in electronic form and shall be valid as an official part of Einpix services.
8. ANNEXES TO THE AGREEMENT
8.1. The following form an integral part of this Agreement (which may be published on separate Einpix web pages):
8.1.1. Annex No. 1 – Description of Personal Data Processed and Processing Conditions;
8.1.2. Annex No. 2 – Description of Technical and Organizational Security Measures;
8.1.3. List of Sub-processors published at: https://einpix.com/en/subprocessors/.
Annex No. 1 – Description of Personal Data Processed and Processing Conditions
1. Purpose of processing – performance of the Main Agreement.
2. Data subjects:
2.1. Employees, clients, suppliers of the Controller or other persons whose data is uploaded by the Controller into the system.
3. Categories of Personal Data processed:
3.1. Data of system users and other persons whose data is uploaded by the Controller into the system:
3.1.1. Name;
3.1.2. Surname;
3.1.3. Workplace;
3.1.4. Phone number;
3.1.5. Email address;
3.1.6. Other information related to the purchased product or service.
4. Processing operations:
- The Processor accesses and/or processes Personal Data to the extent specified by the Controller or necessary to properly provide services to the Controller under the Main Agreement.
5. Source of Personal Data:
- The Processor receives Personal Data from the Controller as follows: the Processor may access and process Personal Data when performing its functions under the Main Agreement.
6. Processing activities:
- Activities necessary for providing services as defined in the Main Agreement.
7. Processing period or schedule:
- Each time the Processor performs actions or provides services to the Controller under the Main Agreement.
Annex No. 2 – Description of Technical and Organizational Security Measures
This Annex forms an integral part of the Einpix Data Processing Agreement and describes the technical and organizational security measures applied by the Processor.
The Processor may periodically update the security measures described in this Annex to reflect technological developments, infrastructure changes, or improvements in security practices, provided that such changes do not reduce the overall level of protection of Personal Data.
1. Infrastructure and Data Hosting
1.1. The Einpix service operates on Amazon Web Services (AWS) infrastructure. The service is currently primarily hosted in the European Union region eu-central-1 (Frankfurt, Germany) or in other AWS European Economic Area regions if required to ensure infrastructure or service operation.
1.2. Production resources are isolated within a virtual network (VPC), applying network segmentation and access restrictions.
1.3. Data transmission between the client and Einpix is carried out using encrypted connections (TLS 1.2 or higher).
1.4. Data at rest may be encrypted using AWS-provided encryption mechanisms (e.g., AWS managed encryption mechanisms), where applicable to specific infrastructure configurations.
1.5. Physical security, network protection, and data center security measures are ensured by the infrastructure provider in accordance with its security policies and shared responsibility model.
2. Access Control
2.1. Access to administrative functions and infrastructure is restricted to authorized persons only.
2.2. Multi-factor authentication (MFA) is applied to administrative accounts where technically feasible.
2.3. Individual user accounts are used where technically possible. The use of shared accounts is limited.
2.4. Access rights may be periodically reviewed and updated based on roles.
3. Backups and Business Continuity
3.1. Backup copies of data are created automatically on a daily basis.
3.2. The retention period for backups is 7 days.
3.3. Backup and infrastructure measures allow restoration of system operations in case of technical or physical incidents.
4. Incident Management and Monitoring
4.1. Einpix may log, investigate, and assess security incidents in accordance with internal practices.
4.2. System events and errors may be monitored using system logs and software monitoring tools.
4.3. Specialized tools (e.g., Sentry) may be used for monitoring software errors and incidents.
4.4. The Controller shall be informed of a personal data breach without undue delay in accordance with Clause 2.4.3 of this Agreement.
5. Sub-processor Security and Data Transfers
5.1. Einpix engages only reliable and widely used technology providers for infrastructure or communication services.
5.2. Where applicable, data transfers outside the European Union or European Economic Area are carried out using lawful transfer mechanisms under Chapter V of the GDPR (e.g., Standard Contractual Clauses or other lawful bases).
5.3. Einpix aims to transfer to sub-processors only the data necessary for service provision (data minimization principle).
6. Controller Responsibilities
6.1. The Controller is responsible for configuring user access rights within its organization in the Einpix system.
6.2. The Controller is also responsible for:
- its user authentication policies (where applicable);
- the security of end-user devices;
- the lawfulness of data content and lawful uploading of data into the system.
7. Principle of Security Measures
The Processor applies the technical and organizational measures described in this Annex taking into account:
- the state of the art;
- implementation costs;
- the nature, scope, and purposes of processing;
- the risk to the rights and freedoms of natural persons;
as provided for in Article 32 of the GDPR.
8. Provision of Security Information
The Processor may provide the Controller with reasonable information about the security measures described in this Annex to the extent necessary to demonstrate compliance with GDPR requirements.
To protect confidential information and system security, the Processor is not required to disclose:
- detailed infrastructure architecture diagrams;
- security configurations;
- internal security procedures;
- vulnerability testing results (e.g., penetration testing);
- other documentation or information the disclosure of which could pose a risk to system security.
The Processor may, at its discretion, provide general security information or descriptions reasonably demonstrating the existence of applied technical and organizational measures.
The Processor is not required to complete individual security questionnaires or provide additional documentation unless required by law or reasonably necessary to demonstrate compliance with GDPR requirements.