Data Processing Agreement

This Data Processing Agreement (hereinafter referred to as the "Agreement" or "DPA") is entered into between:

The Processor and Controller are collectively referred to as the "Parties" and individually as a "Party".

2.1. This DPA governs the processing of personal data by the Processor on behalf of and under the instructions of the Controller within the framework of providing Skyservice POS services in accordance with the Terms of Use.

2.2. The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by EU or Member State law to which the Processor is subject.

2.3. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other EU or Member State data protection provisions.

3.1. Subject Matter of Processing:

Provision of cloud-based POS services (Software as a Service) for automating the management of food service and retail establishments.

3.2. Duration of Processing:

Processing is carried out for the duration of the service agreement (Terms of Use) and 180 (one hundred eighty) calendar days after its termination to enable data export.

3.3. Nature and Purposes of Processing:

• Collection, recording, and storage of data to ensure Service functionality;
• Transaction processing, order and payment management;
• Generation of fiscal documents (receipts, invoices);
• Management of loyalty programs (if applicable);
• Technical support and problem resolution;
• Analytics and reporting (on an aggregated basis).

3.4. Categories of Data Subjects:

• Employees and staff of the Controller using the Service;
• End customers (consumers) of the Controller's establishments;
• Participants in the Controller's loyalty programs.

3.5. Types of Personal Data:

• Identification data: name, surname, phone number, email;
• Transaction data: date, time, amount, list of goods/services;
• Fiscal data: receipt numbers, fiscal register codes, tax identifiers;
• Loyalty data: points, discounts, purchase history;
• Technical data: IP addresses, session logs, device data.

The Processor undertakes to:

4.1. Process personal data only in accordance with the Controller's documented instructions, including transfers to third countries (Article 28(3)(a) GDPR).

4.2. Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b) GDPR).

4.3. Take all measures required pursuant to Article 32 GDPR regarding security of processing, including:

• Encryption in transit (TLS/SSL 1.2+) and at rest;
• Access control based on the principle of least privilege;
• Regular backup;
• Regular testing, assessing, and evaluating the effectiveness of technical and organizational measures.

4.4. Not engage another processor (sub-processor) without prior general or specific written authorization from the Controller (Article 28(2) GDPR). The list of current sub-processors is provided in Appendix 1.

4.5. Assist the Controller in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III GDPR (Articles 15-22).

4.6. Assist the Controller in ensuring compliance with obligations pursuant to Articles 32-36 GDPR (security of processing, breach notification, data protection impact assessment).

4.7. At the choice of the Controller, delete or return all personal data after the end of the provision of services and delete existing copies, unless EU or Member State law requires storage (Article 28(3)(g) GDPR).

4.8. Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR obligations and allow for and contribute to audits, including inspections (Article 28(3)(h) GDPR).

5.1. The Controller grants the Processor general written authorization to engage sub-processors for the provision of services under this Agreement.

5.2. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 (thirty) calendar days before the planned change, thereby giving the Controller the opportunity to object.

5.3. If the Controller objects to the engagement of a new sub-processor, the Parties shall make reasonable efforts to find an alternative solution. If no solution is found within 30 days, the Controller may terminate the agreement.

5.4. The Processor shall enter into a contract with each sub-processor containing data protection obligations equivalent to those set out in this DPA.

5.5. The Processor shall remain fully liable to the Controller for the performance of the sub-processors' obligations.

6.1. The Processor shall notify the Controller of any personal data breach without undue delay and, in any case, no later than 48 (forty-eight) hours after becoming aware of the breach.

6.2. The notification shall include:

• A description of the nature of the breach, including the categories and approximate number of data subjects;
• Contact details of the responsible person;
• A description of the likely consequences of the breach;
• A description of the measures taken or proposed to address the breach and mitigate its consequences.

6.3. The Processor shall assist the Controller in fulfilling its obligation to notify the supervisory authority (within 72 hours, Article 33 GDPR) and data subjects (Article 34 GDPR), where necessary.

7.1. Personal data is primarily processed and stored on servers within the European Union (Estonia, Germany).

7.2. Any transfer of personal data to third countries (outside the EU/EEA) shall only be made on the basis of:

• An adequacy decision by the European Commission (Article 45 GDPR);
• Standard Contractual Clauses (SCC) approved by the European Commission (Article 46(2)(c) GDPR);
• Binding Corporate Rules (BCR) (Article 47 GDPR).

7.3. The Processor does not transfer personal data to temporarily occupied territories of Ukraine or to countries subject to international sanctions by the EU, US, or UN.

8.1. The Processor shall make available to the Controller the possibility of conducting audits and inspections to verify compliance with obligations under this DPA.

8.2. The Controller shall notify the Processor of its intention to conduct an audit at least 30 (thirty) calendar days in advance. The audit shall be conducted during business hours and shall not unreasonably disrupt the Processor's operations.

8.3. The costs of conducting the audit shall be borne by the Controller, except in cases where the audit reveals a material breach of the Processor's obligations under this DPA.

8.4. Instead of a physical audit, the Processor may provide the Controller with a current compliance report (SOC 2 Type II or equivalent) covering obligations under this DPA.

9.1. Each Party shall be liable for breaches of the GDPR in accordance with Articles 82-84 GDPR.

9.2. The Processor shall be liable for damage caused by processing only where it has not complied with obligations laid down by the GDPR specifically directed to processors, or where it has acted outside or contrary to lawful instructions of the Controller.

9.3. The total liability of the Processor under this DPA shall be limited to the amount of payments actually made by the Controller to the Processor in the last 6 (six) calendar months.

10.1. This DPA shall become effective upon the Controller's acceptance of the Terms of Use and shall remain in effect for the entire duration of the service provision.

10.2. Obligations regarding confidentiality and personal data protection shall survive termination of this DPA.

10.3. Upon termination of the DPA, the Processor shall retain personal data for 180 (one hundred eighty) calendar days to enable the Controller to export the data. After this period, the Processor shall delete all personal data, except where legislation requires its retention.

11.1. The Processor shall not process personal data of individuals on EU, OFAC (US), UK, or UN sanctions lists.

11.2. The Processor shall not transfer personal data to temporarily occupied territories of Ukraine or to countries under international sanctions.

11.3. The Controller warrants that it will not issue instructions to the Processor, the execution of which would result in a violation of sanctions legislation.

12.1. This DPA shall be governed by the laws of the Republic of Estonia and European Union law, in particular Regulation (EU) 2016/679 (GDPR).

12.2. Disputes arising in connection with this DPA shall be resolved in accordance with the procedure set forth in the Terms of Use.

13.1. This DPA is an integral part of the SkyService POS Terms of Use.

13.2. In the event of a conflict between this DPA and the Terms of Use regarding the processing of personal data, the provisions of this DPA shall prevail.

13.3. Amendments to this DPA shall be made in accordance with the procedure set forth in the Terms of Use for amending appendices.

13.4. Matters not regulated by this DPA shall be governed by the Terms of Use and applicable law.