Data Processing Agreement
Effective date: November 01, 2025
This Data Processing Agreement ("DPA") forms part of and is incorporated into the Master Services Agreement / Terms of Service / Statement of Work (the "Agreement") between [CLIENT LEGAL NAME] ("Controller", "Data Exporter") and We don't need name s.r.o. (CIN 10861718), doing business as OvernightMVP / WDNN ("Processor", "Data Importer") (together, the "Parties").
Where Processor processes Personal Data on behalf of Controller in connection with the Services (as defined in the Agreement), the Parties agree to comply with this DPA.
1. Definitions
- Applicable Data Protection Laws: all data protection and privacy laws applicable to the processing under this DPA, including EU GDPR, UK GDPR, Swiss FADP, and applicable U.S. state privacy laws governing service providers/processors.
- EU GDPR: Regulation (EU) 2016/679.
- UK GDPR: has the meaning given in the UK Data Protection Act 2018.
- Personal Data: information relating to an identified or identifiable natural person, as defined by Applicable Data Protection Laws.
- Subprocessor: a third party engaged by Processor to process Personal Data on behalf of Controller.
- Services: the services described in the Agreement (e.g., design, build, host, and maintain client MVPs and related consulting/support).
Capitalized terms not defined here have the meanings in the Agreement.
2. Roles, instructions, and scope
- Roles. Controller is the controller; Processor is the processor with respect to Personal Data processed under the Agreement.
- Instructions. Processor shall process Personal Data only on documented instructions from Controller (including as set out in this DPA, the Agreement, and any written instructions), unless processing is required by law. Processor will notify Controller of such legal requirements unless prohibited by law.
- Details of processing. The subject‑matter, duration, nature/purpose, categories of data subjects, and categories of data are set out in Annex I.
- Personnel. Processor ensures persons authorized to process Personal Data are bound by confidentiality obligations and receive appropriate data protection training.
3. Security
- Measures. Processor implements and maintains appropriate technical and organizational measures ("TOMs") to ensure a level of security appropriate to the risk, as described in Annex II.
- Updates. TOMs may be updated from time to time provided the overall level of protection is not materially reduced.
4. Subprocessing
- Authorization. Controller authorizes engagement of Subprocessors listed in Annex III and future Subprocessors per this Section.
- Notice & objection. Processor will provide advance notice of new/replacement Subprocessors (e.g., via email or a posted list). Controller may object on reasonable data‑protection grounds within 10 days of notice. If the Parties cannot agree on mitigation in good faith, Controller may suspend the affected Services or terminate the relevant order without penalty.
- Flow‑down. Processor will enter into a written contract with Subprocessors imposing data protection obligations no less protective than this DPA, including appropriate TOMs and assistance obligations.
- Liability. Processor remains responsible for Subprocessors' performance of their data‑protection obligations, provided that Processor's liability for Subprocessor breaches is limited to Processor's use of reasonable care in selecting and monitoring such Subprocessors, and Processor's liability shall not exceed the liability limitations set forth in the Agreement.
5. Assistance; data subject requests
- Rights. Taking into account the nature of the processing, Processor will assist Controller by appropriate TOMs, insofar as this is possible, in responding to requests to exercise data subject rights.
- DPIAs & consultations. Processor will provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities, where required and related to the Services, within Processor's knowledge of the Services and subject to Processor's operational constraints. Extensive assistance beyond documentation and information within Processor's possession may be subject to additional fees.
6. Personal data breaches
- Notice. Processor will notify Controller without undue delay and, where feasible, within 48 hours after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of Controller.
- Content. Notifications will include the information then available to Processor: (a) nature of the breach; (b) categories and approximate number of data subjects/records; (c) likely consequences; (d) measures taken or proposed to address the breach.
- Cooperation. Processor will take remedial measures as reasonably practicable under the circumstances and cooperate with Controller in meeting Controller's breach‑notification obligations, subject to Processor's operational capabilities and legal obligations.
7. Return and deletion
- Termination. Upon termination/expiry of the Services, at Controller's choice, Processor will return Personal Data (in a commonly used format) and/or delete Personal Data, unless storage is required by law. If deletion is not technically feasible, Processor will pseudonymize and securely isolate the data and cease active processing.
- Exports during term. Where feasible, Processor will provide tools or support to enable Controller to export data during the term.
8. Audits and compliance
- Information. Processor shall make available to Controller information necessary to demonstrate compliance with Article 28 GDPR and this DPA.
- Third‑party reports. Processor may satisfy audit requests by providing independent audit reports or security summaries (e.g., SOC 2, ISO/IEC 27001, penetration‑test summaries), where available.
- Audits. On-site audits are not offered. Where third-party reports are insufficient, Processor will provide additional documentation or information remotely to demonstrate compliance. Any additional audit requests are subject to Processor's reasonable availability and may be subject to additional fees for extensive assistance.
9. International transfers
- EEA/UK/CH transfers. To the extent Personal Data originating in the EEA, UK, or Switzerland is transferred to a country without an adequacy decision, the Parties incorporate by reference the EU Standard Contractual Clauses (SCCs) – Controller to Processor (Module Two), completed as follows:
  - Annex I/II/III: as set out in the Annexes to this DPA.
  - Clause 9(a): general authorization with notice per Section 4.
  - Docking clause: enabled.
  - Governing law & forum (Clause 17/18): Czech Republic; courts of the Czech Republic.
  - Supervisory authority: Úřad pro ochranu osobních údajů (Czech Data Protection Authority), or the authority competent based on the Controller's EEA establishment.
- UK Addendum. For transfers governed by UK GDPR, the Parties adopt the UK International Data Transfer Addendum to the EU SCCs ("UK Addendum"), which is incorporated by reference. The Addendum Tables are completed by reference to this DPA and the SCCs/Annexes.
- Swiss Addendum. For Swiss FADP transfers, references in the SCCs to the GDPR are read as references to FADP; the competent authority is the FDPIC; and references to the EU include Switzerland where applicable.
10. Confidentiality and restrictions
- Processor shall not use Personal Data for any purpose other than providing the Services and as documented by Controller, and shall not sell or share Personal Data (as those terms are defined under Applicable Data Protection Laws).
- Processor will ensure confidentiality of Personal Data and restrict access to personnel with a business need‑to‑know.
11. Records and cooperation
Processor will maintain records of processing activities as required by Article 30(2) GDPR and will cooperate with supervisory authorities upon reasonable request, subject to Processor's operational constraints and legal obligations.
12. Liability; precedence
- The Parties' aggregate liability under this DPA is subject to the limitations and exclusions in the Agreement. To the extent permitted by applicable law, those limitations apply to this DPA, including the exclusion of indirect, incidental, consequential, special, or lost-profit damages.
- Order of precedence. In the event of conflict between this DPA and the Agreement, this DPA controls with respect to Personal Data processing. In the event of conflict between this DPA and the SCCs/UK Addendum, the SCCs/UK Addendum control.
13. Term
This DPA remains in force for as long as Processor processes Personal Data on behalf of Controller under the Agreement.
Annex I — Details of processing
A. Parties
- Data Exporter (Controller): [CLIENT LEGAL NAME], [address]; contact: [email].
- Data Importer (Processor): We don't need name s.r.o. (CIN 10861718) (OvernightMVP/WDNN), Lidicka 700/19, 602 00 Brno, Czech Republic; contact: legal@overnightmvp.com.
B. Description of processing
- Subject matter: Operation and support of Controller's MVP/application and related services.
- Duration: For the term of the Agreement and the data return/deletion period thereafter.
- Nature and purpose: Hosting, storage, transmission, display; user account management; customer support; performance/error monitoring; backups; CI/CD; analytics as configured by Controller.
- Categories of data subjects: End users of Controller's MVP/application; Controller's staff/admins; beta testers; (where relevant) website visitors engaging with the MVP.
- Categories of Personal Data: Identification/contact (e.g., name, email); account credentials; usage/interaction data; device/technical data (IP, headers); support content; payment indicators/transaction IDs if applicable (no full card numbers processed by Processor); any other data uploaded/configured by Controller.
- Special categories: Not intended. If processed, only on Controller's documented instructions with appropriate safeguards.
- Frequency of transfers: Continuous and ad hoc, as necessary to provide the Services.
- Processing locations: EU/EEA, UK, and/or United States (as per Annex III and Subprocessor list).
C. Competent supervisory authority
- EEA: Czech DPA (ÚOOÚ) or the authority competent for Controller's EEA establishment.
- UK: Information Commissioner's Office (ICO).
- Switzerland: FDPIC.
Annex II — Technical and organizational measures (TOMs)
TOMs are implemented proportional to risk and may evolve without reducing overall protection. The measures described below are illustrative and implemented as appropriate to the nature, scope, context, and purposes of processing, as well as the risks to data subjects. Processor implements security measures appropriate to the risks, which may include (where applicable):
- Organization & governance — Security policy; role‑based access; least privilege; onboarding/offboarding with periodic access reviews; confidentiality agreements; security/privacy training.
- Access control & authentication — Multi-factor authentication where applicable; SSO where available; role‑based access; access logging; automatic session expiration.
- Data protection — Encryption in transit (TLS 1.2+); encryption at rest on supported services (managed DB/storage); data minimization; environment separation (dev/stage/prod); pseudonymization/anonymization where feasible.
- Network & application security — Firewalls/security groups; secure SDLC with code review; dependency scanning; periodic security assessments and remediation as appropriate; vulnerability management.
- Monitoring & logging — Centralized logging/alerting; anomaly detection; audit trails for key actions; time‑synced logs.
- Business continuity & backups — Regular backups with restore testing; high availability/replication where applicable; disaster recovery plan with defined RPO/RTO targets proportionate to the MVP.
- Incident response — Documented IR plan; defined roles; monitoring of critical systems; post‑incident reviews with corrective actions.
- Vendor & subprocessor management — Security due diligence; DPAs/SCCs with subprocessors; periodic reassessment; change notifications.
- Data subject rights & privacy by design — Administrative tooling/workflows to fulfill access/erasure/rectification/portability; configurable data retention; IP masking/cookie consent options where applicable.
- Physical security — Industry‑standard data‑center controls from reputable cloud providers.
Annex III — Authorized Subprocessors (initial list)
| Subprocessor | Purpose | Data categories | Processing location(s) |
|---|---|---|---|
| Vercel, Inc. | Hosting, CDN, build/deploy | All app data processed via edge/origin | EU, US (as configured) |
| Supabase | Managed Postgres, authentication | Account, usage, app data | EU, US (as configured) |
| Cloudflare, Inc. | Object/file storage (R2), backups | Uploaded files, backups | EU, US (as configured) |
| Stripe, Inc. | Payment processing | Transaction metadata (no full PAN) | EU, US |
| Resend | Transactional email delivery | Contact, notification data | EU, US |
| Crisp | Support chat & ticketing | Contact, chat content | EU, US |
| PostHog / Google Analytics | Product/web analytics (if enabled by Controller) | Usage/events, device data | EU, US |
| Sentry | Error tracking and diagnostics | Error logs, stack traces | EU, US |
Annex IV — U.S. state privacy (service provider/processor) addendum (optional)
To the extent Processor processes Personal Data subject to U.S. state privacy laws (e.g., CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA) on behalf of Controller, Processor acts as a service provider/processor and shall not sell or share Personal Data; shall not combine Personal Data with other data except as permitted; and shall assist Controller in responding to verifiable consumer requests within Processor's reasonable capabilities and subject to Processor's operational constraints. The Parties will execute additional addenda where required by law.
UK Addendum — International Data Transfer Addendum to the EU SCCs (Summary Table)
Part 1: Tables
- Table 1 (Parties): As in Annex I(A) of this DPA.
- Table 2 (Selected SCCs): EU SCCs Module Two (C2P), incorporated by reference.
- Table 3 (Appendix Information): As in Annex I/II/III of this DPA.
- Table 4 (Ending this Addendum when the Approved Addendum changes): Option 2 (importer may end if exporter issues a revised copy), unless Parties agree otherwise.
Part 2: Mandatory Clauses
The Mandatory Clauses of the UK Addendum are incorporated in full by reference.