DATA PROCESSING ADDENDUM (DPA)
This Data Processing Addendum (“DPA”) forms part of the agreement, including any master services agreement, terms of service, or other agreement (the “Agreement”) between Roman Nuzhdin, operating under the brand “Octoix,” as a Spanish sole proprietor (autónomo) with principal place of business at Avenida Prat de la Riba, 37, Piso 1, Puerta 1, 43001 Tarragona, Catalonia, Spain (“Processor”) and the undersigned customer or subscriber, including but not limited to those located worldwide (“Controller”), that has subscribed to or entered into the Agreement for the provision of certain software-as-a-service (SaaS) analytics services (the “Services”).
1. Definitions
1.1. “Applicable Data Protection Law” means all applicable data protection and privacy laws and regulations to which the Controller is subject, including, where applicable, the EU General Data Protection Regulation (EU) 2016/679 (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), the Spanish Organic Law 3/2018 of December 5 on Personal Data Protection and the Guarantee of Digital Rights (LOPDGDD), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and any other similar or supplemental laws, regulations, or binding guidance, as may be amended or replaced from time to time.
1.2. “Personal Data” means any information relating to an identified or identifiable natural person that the Processor processes on behalf of the Controller in providing the Services.
1.3. “Processing,” “process,” or “processed” means any operation or set of operations performed upon Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.
1.4. “Sub-processor” means any third party appointed by or on behalf of the Processor to process Personal Data on behalf of the Controller under the Agreement and this DPA.
1.5. Terms not defined herein shall have the meaning set forth in the Agreement or under Applicable Data Protection Law.
2. Roles of the Parties
2.1. The Parties acknowledge that the Controller is the “controller” (or “business”) and the Processor is the “processor” (or “service provider”) with respect to the Personal Data that is processed under this DPA.
2.2. Processor shall only process Personal Data on documented instructions from the Controller, unless required otherwise by Applicable Data Protection Law. In such cases, the Processor shall inform the Controller (unless prohibited by law) before undertaking such processing.
3. Subject Matter, Nature, and Purpose of Processing
3.1. Processor provides analytics and data integration Services that enable the Controller to connect various marketing platforms (e.g., Google Ads, Facebook Ads, LinkedIn Ads, Bing Ads, Google Search Console) and analyze resulting campaign data.
3.2. The nature of the Processing includes collecting, storing, analyzing, and reporting on Personal Data for the purpose of enabling the Controller to identify, monitor, and improve the effectiveness of its marketing campaigns.
3.3. Categories of Data Subjects may include the Controller’s customers, leads, end-users, and other individuals interacting with the Controller’s marketing channels, as determined by the Controller.
3.4. The duration of Processing shall be as set forth in the Agreement or until the Agreement’s termination or expiration and the return or deletion of Personal Data as required by this DPA.
4. Compliance with Applicable Data Protection Law
4.1. Each Party shall comply with all Applicable Data Protection Law in relation to the Processing of Personal Data. Controller represents and warrants that it has all necessary rights to provide the Personal Data to Processor for the purposes of the Processing contemplated by the Agreement and this DPA.
4.2. Processor shall not use Personal Data for any purpose other than as set out in this DPA and the Agreement.
5. Confidentiality and Personnel
5.1. Processor shall ensure that all persons authorized to process Personal Data are subject to a duty of confidentiality or are under an appropriate statutory obligation of confidentiality.
5.2. Processor shall not disclose Personal Data to any third party unless specifically authorized by the Controller or required by law.
6. Security Measures
6.1. Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Such measures shall take into account the state of the art, the costs of implementation, the nature of the Personal Data, and the risks of Processing for Data Subjects.
6.2. Processor shall maintain policies and procedures to regularly test, assess, and evaluate the effectiveness of these measures.
7. Sub-processors
7.1. The Controller authorizes the Processor to engage Sub-processors to assist in providing the Services. Processor shall ensure that any Sub-processor is subject to data protection obligations equivalent to those set out in this DPA, and Processor shall remain liable for the Sub-processor’s performance of those obligations.
7.2. Processor shall provide the Controller with notice (via email or through the Services) of any intended additions or replacements of Sub-processors. Controller may object to such changes on reasonable grounds related to data protection within ten (10) business days of being informed. Processor will use reasonable efforts to find an acceptable resolution if the Controller objects.
8. Data Subject Rights
8.1. Taking into account the nature of the Processing, Processor shall assist the Controller, by appropriate technical and organizational measures, to the extent feasible, in fulfilling its obligation to respond to requests by Data Subjects to exercise their rights under Applicable Data Protection Law.
8.2. If Processor receives a request directly from a Data Subject, Processor shall promptly notify the Controller unless prohibited by law.
9. Data Breach Notification
9.1. Processor shall notify the Controller without undue delay, and in any event within the time frame required by Applicable Data Protection Law, after becoming aware of a Personal Data Breach affecting Personal Data.
9.2. Such notification shall describe the nature of the breach, the categories and approximate number of Data Subjects concerned, the categories and approximate number of Personal Data records concerned, and the measures taken or proposed to be taken to address the breach, as available to the Processor.
10. International Transfers
10.1. To the extent that the Processing of Personal Data by the Processor involves a transfer of Personal Data from the European Economic Area (EEA), the UK, or Switzerland to a third country not recognized by the relevant authority as providing an adequate level of protection, the Parties shall ensure such transfer is governed by appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission or other legally recognized transfer mechanisms.
11. Data Retention and Deletion
11.1. Upon termination or expiration of the Agreement, or upon written request by the Controller, Processor shall, at the Controller’s election, securely delete or return all Personal Data, unless continued storage is required by Applicable Data Protection Law.
11.2. Processor shall ensure that Sub-processors comply with the Controller’s instructions regarding the return or deletion of Personal Data.
12. Audits and Compliance
12.1. Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits and inspections by the Controller or its designated auditor.
12.2. Any audit shall be conducted upon reasonable notice, during normal business hours, in a manner that does not unreasonably interfere with the Processor’s operations, and subject to appropriate confidentiality obligations.
13. Liability and Indemnities
13.1. The liability of each Party under this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement, except to the extent prohibited by Applicable Data Protection Law.
14. Governing Law and Jurisdiction
14.1. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction set forth in the Agreement.
15. Miscellaneous
15.1. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.
15.2. Any amendments to this DPA shall be in writing and signed by both Parties.
By accepting the Terms of Service, the Controller also agrees to the terms outlined in this Data Processing Addendum.
Related documents
- Terms of Service: https://octoix.com/tos
- Privacy Policy: https://octoix.com/privacy-policy-statement