DATA PROCESSING AGREEMENT
(the “AGREEMENT”)
concluded by and between:
Giulio spółka z ograniczoną odpowiedzialnością with its registered office in Wrocław 48 Wrocław, Poland, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court for Wrocław Fabryczna in Wrocław, VI Economic Department of the National Court Register under the KRS number: 0001030618, NIP: 8992957655, REGON: 52507587900000, with the share capital of 5000.00 PLN (“Giulio”);
and
the User who created the account at Giulio Platform available at: https://giulio.ai, https://app.giulio.ai, https://new.giulioapp.com (“Platform”) (“User”).
WHEREAS:
- by the User creating a user account on the Platform, the Parties have entered into an agreement for the provision of services by electronic means (the “Principal Agreement”), the performance of which involves the processing of personal data under this Agreement;
- the purpose of this Agreement is to define terms and conditions under which Giulio shall perform the personal data processing operations on behalf of the User;
- the User entrusts Giulio with the processing of personal data in connection with the use of the Platform and the functionalities available therein (the “Services”);
- by concluding this Agreement the Parties intend to regulate the processing of personal data in compliance with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”);
THE PARTIES AGREE AS FOLLOWS:
1. ENTRUSTING THE PROCESSING OF PERSONAL DATA. THE SCOPE AND PURPOSE OF DATA PROCESSING.
1.1. Subject of the Agreement. [GDPR 28.3] Pursuant to the provisions of the GDPR, the User entrusts Giulio with the processing of personal data as referred to in Article 4 of the GDPR, on terms and in connection with the implementation and provision of the Platform Services.
1.2. Duration of processing. [GDPR 28.3] Giulio processes the data entrusted to it by the User in order to provide the Services – i.e. access to the Platform and its functionalities.
1.3. Nature and purpose of processing. [GDPR 28.3] The nature and purpose of data processing result from the Principal Agreement, i.e.:
- the purpose of personal data processing is to perform the Principal Agreement properly, inter alia to provide the User with access to the Platform and its functionalities;
- the nature of personal data processing is determined by the role of Giulio under the Principal Agreement.
1.4. Type of personal data. [GDPR 28.3] Data processing will include the types of personal data indicated below:
- mailing address;
- name(s) and surname(s);
- e-mail address;
- telephone number(s);
- as well as any other data collected and exported by using the Service.
Giulio is not obliged to verify whether the personal data provided by the User is real and complies with the law.
1.5. Categories of data subjects. [GDPR 28.3] We will process any personal data we may have access to because of the provision of the Services in the Platform. The personal data processed by Giulio hereunder shall refer to User’s personnel, contractors and employees as well as any third parties, cooperating with the User, through the Platform.
2. SUB-PROCESSING
2.1 Data sub-processing. [GDPR 28.2] User hereby authorizes Giulio to engage another data processor (“Sub-processor”) of Giulio’s choice for processing of personal data on behalf of User under agreement concluded with such Sub-processor. The scope and purpose of processing the personal data by the Sub-processor shall not exceed the scope and purpose of permitted processing thereof by Giulio under this Agreement. Such Sub-processors shall include: (i) Giulio’s subcontractors engaged in the performance of the Principal Agreement, and (ii) provider of infrastructure. The User agrees to further processing of personal data by entities that provide services and technological solutions supporting the Service and that are indicated in Appendix 1 to this Agreement. Additionally the User agrees to entrust the processing of personal data to sub-processors other than those indicated in Appendix 1.
2.2 Objection right. [GDPR 28.2 sentence 2] User may object to Giulio’s use of a Sub-processor by notifying Giulio promptly in writing or via e-mail within 7 days after receipt of the notice.
2.3 Data protection obligations of Sub-processors. [GDPR 28.4] Sub-processors shall apply the same data protection obligations as set out herein, in particular provide sufficient guarantees of appropriate technical and organizational measures to ensure that the data processing meets the requirements of the GDPR.
3. OBLIGATIONS OF GIULIO (DATA PROCESSOR)
3.1 Documented instructions. [GDPR.28.3.a] Giulio processes the personal data only in accordance with the manner resulting from the Principal Agreement and the documented (e.g. in writing or e-mail) instructions of the User.
3.2 Transfer of personal data outside the EEA. [GDPR.28.3.a] Giulio may transfer or authorize the transfer of personal data to a third country or an international organization outside the European Economic Area (“EEA”). If personal data processed under this Agreement is transferred from a country within the EEA to a country outside the EEA, the Parties shall ensure that the personal data are adequately protected. In case of data transfer to a third country or international organization outside the EEA, Giulio declares that it will apply the measures of protection and procedures provided for by law, in particular Articles 44 to 50 of the GDPR.
3.3 Confidentiality. [GDPR.28.3.b] Giulio ensures that the persons authorized by Giulio to process personal data have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality.
3.4 Proof of competency. Giulio ensures that persons authorized by Giulio to process personal data have received appropriate training on their responsibilities regarding the protection of personal data.
3.5 Security. [GDPR.28.3.c] Giulio ensures the protection of personal data and takes all measures required pursuant to Article 32 of the GDPR, in accordance with the following provisions of this Agreement.
3.6 Data subject request. [GDPR.28.3.e] Taking into account the nature of the personal data processing, Giulio shall assist User through implementing appropriate technical and organizational measures, insofar as this is possible, in fulfilling User’s obligation to respond to the requests of the data subjects with respect to the exercise of their rights as referred to in Chapter III of the GDPR. If the data subject transfers the request directly to Giulio, Giulio shall immediately inform User about the submitted request. User is solely responsible for preparing a response to the request of the data subject.
3.7 Security of personal data. [GDPR.28.3.f] Giulio shall assist the User, insofar as this is possible, in fulfilling the obligations related to ensuring adequate data security of personal data, obligation to report violations of personal data protection or obligation to assess the impact for data protection (resulting from Articles 32-36 of the GDPR).
3.8 Lawfulness of instructions. [GDPR 28.3 sec 2] In the event of Giulio’s doubts as to conformity of the User’s instruction with the provisions of law, Giulio shall immediately inform the User in writing or via e-mail of the identified doubt.
3.9 Data protection by design. [GDPR 25.1] Whenever Giulio plans to make changes with regard to the processing of personal data, it shall comply with the requirements set out in Article 25(1) of the GDPR (data protection by design).
3.10 Limitation of access. [GDPR 25.2] Giulio shall ensure that Giulio’s access to personal data is limited to those personnel engaged in the performance of the Principal Agreement.
3.11 Records of processing activities. [GDPR 30.2] If applicable, Giulio shall maintain a record of processing activities carried out on behalf of User as referred to in Article 30(2) of the GDPR and make it available to the User upon its request, except for information constituting a trade secret of other customers of Giulio.
3.12 Confidentiality obligations of persons authorized to process data. Giulio shall ensure that persons authorized to process User’s personal data will (i) process such data only if instructed by the User, and (ii) keep such data and the security measures secret, and the obligation of confidentiality shall survive the termination of personnel engagement in such personal data processing.
4. OBLIGATIONS OF USER (DATA CONTROLLER)
4.1 User’s duties. User shall cooperate with Giulio with respect to data processing, including providing Giulio with explanations in the event of doubt as to the conformity of the User’s instructions with the provisions of law, as well as fulfill User’s obligations in a timely manner.
4.2 Compliance with principles relating to processing of personal data. [GDPR 5] User represents that the personal data that is entrusted for processing, in particular the basics of the personal data processing, as well as the specific scope, purposes, manner, context and nature of the data processing, is compliant with the GDPR and applicable laws. The User is obliged to check on their own the compliance of the data processing with the applicable provisions of law, thus the User hereby releases Giulio from performing such activities.
4.3 The User’s statement. User represents that it is the controller of the personal data and that it is entitled to process the personal data to the extent that User entrusted these data for processing to Giulio. Only the User, as the personal data controller, can decide about the manner and purpose of data processing.
5. SECURITY OF PERSONAL DATA
5.1 Safety measures. [GDPR 32] Prior to the commencement of the processing of personal data, Giulio shall implement appropriate technical and organizational measures ensuring an adequate level of security corresponding to the risk related with the processing of personal data, referred to in Article 32 of the GDPR, in order to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
6. NOTIFICATION OF A PERSONAL DATA BREACH
6.1 Notification of suspected personal data breach. In the event of suspected personal data breach, Giulio shall without undue delay notify User of the personal data breach after becoming aware of it.
6.2 Notification of personal data breach. The notification of the personal data breach shall be sent to the User along with the information as referred to in Article 33(3) of the GDPR, in order to enable User to fulfill its obligation to notify the personal data breach to the competent supervisory authority.
6.3 Communication. The Parties shall determine the methods of communication and designate persons responsible for incident management and notifications in order to report personal data breaches and other incidents in a timely manner pursuant to the GDPR. For this purpose, the Parties designate contact persons indicated in clause 7 below.
7.1 Contact details. The contact persons in all matters related to the personal data protection, including the notifications referred to in clause 6.3, shall be the same as in the Principal Agreement. The addresses for notices (including e-mail addresses) provided in the Principal Agreement shall apply also for notices under this Agreement.
8. CONTROL RIGHTS. AUDITS.
8.1 Audit rights. [GDPR.28.3.h] Giulio shall make available to User, on its request, all information necessary to demonstrate compliance with this Agreement and allow for and contribute to audits, including inspections, conducted by User or another auditor mandated by User in relation to the processing of the User’s personal data by Giulio.
8.2 Cooperation with the supervisory authority. [GDPR 31] Giulio shall cooperate, on request, with the supervisory authority in the performance of its tasks.
8.3 Notification obligations. Giulio shall notify the User immediately of:
(a) initiation of any control, audit or inspection concerning the processing of personal data by Giulio, in particular conducted by the supervisory authority, as well as of any decisions issued in relation thereto,
(b) administrative, judicial or any other proceedings, actual or pending, concerning the processing of the personal data by Giulio, as well as of any decisions, orders or rulings issued in relation thereto,
(c) any requirement to make personal data available to the competent authority, unless provisions of law do not allow for such notification.
9. LIABILITY
9.1 Liability of Giulio. [GDPR 82.2] Giulio shall be liable for the damage caused by processing only if (i) it has failed to comply with the GDPR provisions specifically directed to data processors, or (ii) it has acted without the User’s lawful instructions, or against those instructions.
9.2 Liability of Sub-processors. [GDPR 28.4] Where the Sub-processor fails to fulfil its data protection obligations, Giulio shall remain fully liable to User for the performance of that Sub-processor’s obligations.
10. RETURN AND DELETION OF PERSONAL DATA
10.1 End of data processing. [GDPR 28.3.g] Upon termination of this Agreement, Giulio, subject to the Principal Agreement, shall not have the right to further process personal data and shall be obliged to delete or return personal data to User (including all their backups), unless the applicable law requires storage of the personal data.
10.2 Obligation to store the personal data. [GDPR 28.3.g] If Giulio cannot delete personal data within the time limit set by the User due to laws requiring the storage of personal data, Giulio shall notify the User thereof.
11. FINAL PROVISIONS
11.1 Entry into force. The Agreement comes into force upon conclusion of the Principal Agreement without any additional declarations of will of the Parties.
11.2 Term. The Agreement is entered into for a specified period of provision of the Service by Giulio and for the term of the Principal Agreement.
11.3 Priority. In the event of any conflict or inconsistency between this Agreement and the Principal Agreement, the provisions of this Agreement shall prevail.
11.4 Confidentiality. The content of this Agreement, as well as any personal data or information disclosed in connection with this Agreement shall be treated by the Parties as strictly confidential and shall not be disclosed to third parties.
11.5 Jurisdiction. Each Party irrevocably agrees to submit to the exclusive jurisdiction of the courts of Poland having jurisdiction over Giulio’s registered office in relation to any claim or matter arising under or in connection with this Agreement.
11.6 Governing Law. This Agreement shall be governed by the laws of Poland.
APPENDIX NO. 1
LIST OF SUBPROCESSORS PROCESSING PERSONAL DATA
The third parties Giulio works with to provide our Platform and Services are:
| Sub-processor | Website | Purpose |
| --- | --- | --- |
| GCP (Google Cloud Platform) | https://cloud.google.com/ | Hosting and infrastructure services for our application. |
| Vercel | https://vercel.com/ | Deployment and hosting of our front-end web applications. |
| GitHub | https://github.com/ | Version control and collaboration platform for code management. |
| Ably | https://ably.com/ | Real-time messaging and data synchronization services. |
| Clerk | https://clerk.dev/ | User authentication and identity management services. |
| SendGrid | https://sendgrid.com/ | Email delivery service for sending transactional emails. |
| MongoDB | https://www.mongodb.com/ | Database services for storing application data. |
| Stripe | https://stripe.com/ | Payment processing services. |
| Better Stack | https://betterstack.com/ | Monitoring and logging services for application performance. |
| OpenAI | https://openai.com/ | Artificial intelligence and language processing services. |
| Apify | https://apify.com/ | Web scraping and automation services. |
| Anthropic | https://www.anthropic.com/ | Artificial intelligence and language processing services. |