Data Processing Addendum (DPA)
This Data Processing Addendum ("DPA") is incorporated into and forms part of the Commercial Agreement or Terms of Service ("Main Agreement") entered into between the Customer (as defined in the Main Agreement), acting as the "Controller", and Packguru Sp. z o.o., acting as the "Processor".
1. Definitions
a) "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under the Main Agreement, including but not limited to the GDPR.
b) "GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
c) The terms "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" shall have the meanings ascribed to them in the GDPR.
d) "User Content" means any data, information, videos, images, or audio recordings uploaded to the Service by the Controller or its authorized users.
2. Scope and Details of Processing
a) Role of the Parties
The Parties acknowledge and agree that for the purpose of this DPA, the Customer is the Controller and Packguru is the Processor of Personal Data.
b) Subject-Matter
The subject-matter of the Processing is the provision of the PackGuru Service as described in the Main Agreement.
c) Duration
The Processing will be carried out for the duration of the Main Agreement, unless otherwise agreed by the Parties.
d) Nature and Purpose
The purpose of the Processing is to host, store, analyze, and process User Content to provide the features of the Service to the Controller, including but not limited to AI-driven training, performance analytics, and troubleshooting support.
e) Categories of Personal Data:
i. User Account Data: Name, email address, job title, and other contact details of authorized users.
ii. User Content Data: Personal Data contained within User Content, which may include video recordings, images, and voice recordings of the Controller's employees and other personnel.
f) Categories of Data Subjects
The Data Subjects are the Controller's employees, operators, technicians, and other authorized users of the Service.
3. Processor's Obligations
Packguru, as the Processor, agrees to:
a) Process Only on Documented Instructions
Process the Personal Data only on the documented instructions of the Controller (as set out in the Main Agreement and this DPA), unless required to do so by Union or Member State law.
b) Confidentiality
Ensure that all Packguru personnel authorized to process the Personal Data are bound by a strict duty of confidentiality.
c) Security
Implement and maintain the appropriate technical and organizational measures ("TOMs") to ensure a level of security appropriate to the risk, as detailed in Annex 1 to this DPA.
d) Data Subject Rights
To the extent legally permissible, provide reasonable assistance to the Controller to enable the Controller to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (e.g., right to access, rectification, erasure).
e) Personal Data Breach Notification
Notify the Controller without undue delay after becoming aware of a Personal Data Breach, providing sufficient information to allow the Controller to meet its own notification obligations.
f) Assistance to Controller
Provide reasonable assistance to the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR (Security, Breach Notification, Data Protection Impact Assessments), taking into account the nature of processing and the information available to the Processor.
g) Data Deletion or Return
Upon termination of the Main Agreement, and at the Controller's written request, either delete or return all Personal Data to the Controller, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
4. Sub-processors
a) The Controller provides a general written authorization for Packguru to engage third-party sub-processors to support the provision of the Service.
b) Packguru shall maintain an up-to-date list of its sub-processors (including their function and location) and shall make it available to the Controller upon request.
c) Packguru shall notify the Controller in writing of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes.
d) Packguru confirms that it has entered into (or will enter into) a written agreement with each sub-processor containing data protection obligations no less protective than those in this DPA.
5. Audits and Records
Upon reasonable written request, Packguru shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (subject to reasonable confidentiality and scheduling controls).
6. Controller's Obligations
The Controller warrants that:
a) It has complied, and will continue to comply, with all Applicable Data Protection Laws in its use of the Service.
b) It has a lawful basis for the Processing of all Personal Data, including having obtained all necessary rights, licenses, and consents from its employees and personnel (e.g., for the use of their image and voice in User Content) as required by law.
Technical and Organizational Measures (TOMs)
Packguru implements the following security measures to protect Personal Data:
Data Encryption:
Encryption in Transit: All data transferred between the Customer and the Service, and between internal service components, is encrypted using industry-standard protocols (e.g., TLS 1.2 or higher).
Encryption at Rest: All Personal Data and User Content stored on production servers (e.g., in databases, object storage) is encrypted using strong cryptographic standards (e.g., AES-256).
Access Control:
Authentication: Access to the Service requires a unique username and password. Multi-Factor Authentication (MFA) is made available as an option for Customer accounts.
Authorization: Customer is responsible for managing user roles and permissions within its own account. Packguru personnel access to Personal Data is restricted on a strict "least-privilege" and "need-to-know" basis.
Logging: Packguru maintains logs of access to production systems and sensitive data.
Physical Security:
The Service is hosted by major, enterprise-grade cloud infrastructure providers (e.g., Microsoft Azure, Google Cloud Platform) which maintain state-of-the-art, independently audited physical security controls (e.g., SOC 2, ISO 27001 certified data centers).
System Integrity and Resilience:
Packguru applies regular security patches and updates to its systems.
Systems are monitored for security threats and performance issues.
Packguru maintains data backup and disaster recovery plans to ensure the resilience and availability of the Service.
Incident Response:
Packguru maintains an internal incident response plan to address security incidents, including Personal Data Breaches, in a timely and effective manner.
Questions about data processing?
Contact us at privacy@packguru.ai for any questions regarding this Data Processing Addendum.