Data Processing Addendum

This Data Processing Addendum ("DPA") supplements the existing agreement ("Principal Agreement") between the Processor and the Controller. It is entered into effect as of [Effective Date] and reflects the parties' agreement with respect to the processing of personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

Definitions

Terms used in this DPA shall have the meanings given to them in the GDPR. In particular, "personal data," "processing," "controller," "processor," and "data subject" shall have the respective meanings given to them in GDPR Article 4.

Processing of Personal Data

2.1 Types of Personal Data: The Processor acknowledges that the types of personal data processed are dependent on the application developed by the Controller but may include personally identifiable information.

2.2 Purpose of Processing: The Processor shall provide storage, retrieval, analytics, and authentication capabilities on behalf of the Controller. Certain services may, at the Controller's choice, allow for specific data processing preferences.

2.3 Data Transfer and Storage: Personal data may be transferred and stored in the United States or other regions, depending on the Controller's selection of data storage locations. The Processor will not transfer data across borders without the Controller's explicit permission for services that allow choosing the region of data storage. For services that do not allow the Controller to choose the region, the storage region will be the United States.

Security Measures

3.1 The Processor commits to implementing and maintaining strict security measures to protect personal data. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. This includes:

• Encryption of data in transit and at rest using industry-standard protocols to ensure that personal data is protected from unauthorized access or disclosure.
• Access controls to ensure that only authorized personnel have access to personal data, based on the principle of least privilege and through secure authentication mechanisms.
• Network security measures, including firewalls, intrusion detection, and prevention systems, to safeguard against unauthorized access to or attacks on network systems.
• Regular security audits and penetration testing conducted by independent third parties to assess the effectiveness of security measures and identify potential vulnerabilities.
• Data protection impact assessments for high-risk processing activities to systematically evaluate the impact of processing activities on the protection of personal data.
• Employee training on data protection and security to ensure that all personnel are aware of their responsibilities in protecting personal data and are trained in security best practices.
• Responsible Disclosure Policy allowing for the anonymous disclosure of security issues and encouraging responsible and ethical disclosure. Security issues can be reported to us via https://proto.studio/security/.

3.2 Data Retention and Log Management: The Processor shall retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable law. The Processor will make reasonable efforts to ensure that private data is not included in logs. Where logs are necessary for security, performance, or error resolution, data will be anonymized or pseudonymized where possible.

3.3 Legal Disclosure and Cooperation: The Processor will not disclose any of the Controller's data, except when required by applicable law. In the event of a data breach, the Processor will cooperate with all reasonable law enforcement requests, including notifying law enforcement and data protection authorities in accordance with GDPR requirements.

Subprocessors

4.1 The Processor may engage subprocessors to fulfill its processing obligations. A dedicated list of subprocessors is available at https://proto.studio/legal/subprocessors/.

Legal and Compliance

5.1 General inquiries regarding data protection can be directed to https://proto.studio/contact/.

Terms and Conditions

6.1 Liability: The Controller shall assume the maximum liability permitted under GDPR, acknowledging the Processor's role in providing platform services.

6.2 Audit Rights: The Controller may request audits at their own expense to verify compliance with GDPR, subject to reasonable notice and confidentiality obligations.

6.3 Data Breach Notification: In the event of a data breach, the Processor shall notify the Controller without undue delay, and no later than 72 hours after becoming aware of it, through the email addresses assigned to the Controller's administrative users.

6.4 Handling Data Subject Requests: The Processor shall assist the Controller in fulfilling data subject rights requests under GDPR. This includes providing necessary technical and organizational measures to enable the Controller to respond effectively.

6.5 Termination: Upon termination of the DPA, the Processor shall, at the choice of the Controller, delete or return all personal data to the Controller, and delete existing copies unless EU or national law requires storage of the personal data.

This DPA is entered into and becomes a binding part of the Principal Agreement between the Processor and the Controller on the date last signed below.

[Signature of Processor]

[Signature of Controller]

[Date]