Data Processing Agreement
last updated: 15.06.2025
This Data Processing Agreement (“DPA”) is entered into by and between Giulio spółka z ograniczoną odpowiedzialnością (“Giulio” or “Processor”) and the User (“User” or “Controller”) and is incorporated into the Giulio Terms of Service (“Principal Agreement”).
BACKGROUND
(A) The User acts as the Data Controller with respect to any Personal Data it submits to or processes via the Giulio Platform. The User is solely responsible for determining the lawfulness of the processing.
(B) Giulio acts as a Data Processor, providing the technical platform for the User to process such data according to the User’s instructions.
(C) This DPA sets forth the binding obligations of the parties under Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
AGREEMENT
1. PROCESSING OF PERSONAL DATA
1.1. Roles and Responsibilities: The parties acknowledge that for the purposes of the GDPR, the User is the Data Controller and Giulio is the Data Processor. The User shall be solely responsible for the accuracy, quality, and legality of the Personal Data and the means by which it acquired the Personal Data.
1.2. User’s Instructions: Giulio will process Personal Data only in accordance with the User’s documented instructions. The parties agree that the User’s use of the Platform’s functionalities and configurations constitutes the entirety of the User’s documented instructions. Any instructions outside the scope of the standard Services may be subject to additional fees and will be performed at Giulio’s reasonable discretion. Giulio will immediately inform the User if, in its opinion, an instruction infringes the GDPR, without any obligation to provide legal analysis.
2. DETAILS OF DATA PROCESSING
2.1. Subject-Matter: The processing of Personal Data submitted by the User through the Platform.
2.2. Duration: For the term of the Principal Agreement.
2.3. Nature and Purpose: The provision of the Platform’s services, which enable the User to manage procurement processes, including creating RFx, evaluating Proposals, and communicating with other users.
2.4. Categories of Data Subjects: The User is solely responsible for determining the categories of Data Subjects, which may include its employees, contractors, and business partners.
2.5. Types of Personal Data: Personal Data submitted by the User, which may include identity, contact, and professional information.
2.6. Special Category Data: The User explicitly agrees not to upload, process, or submit any Special Categories of Personal Data as defined in Article 9(1) of the GDPR (e.g., data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data) to the Platform. Giulio has no mechanism to identify such data and its presence on the Platform constitutes a material breach of this DPA by the User.
3. OBLIGATIONS OF GIULIO (PROCESSOR)
3.1. Confidentiality: Giulio shall ensure that its personnel authorized to process Personal Data are subject to a strict duty of confidentiality.
3.2. Security: Giulio shall implement and maintain the technical and organizational security measures described in Appendix 2 (“Security Measures”) to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
3.3. Assistance: Taking into account the nature of the processing, Giulio shall provide reasonable assistance to the User, at the User’s sole cost and expense, in fulfilling the User’s obligations to respond to Data Subjects’ rights requests. Giulio has no obligation to respond directly to Data Subjects.
3.4. Breach Notification: Upon becoming aware of a Personal Data Breach affecting the User’s data, Giulio will notify the User without undue delay. Giulio’s notification shall not be interpreted as an admission of fault or liability.
4. SUB-PROCESSING
4.1. General Authorization: The User grants Giulio a general authorization to engage the Sub-processors listed in Appendix 1.
4.2. Changes and Objections: Giulio will notify the User of any intended changes to its list of Sub-processors. If the User objects to a new Sub-processor within fourteen (14) days, Giulio may, at its sole discretion, (i) choose not to engage the new Sub-processor, or (ii) allow the User to terminate the Principal Agreement without penalty. Giulio has no obligation to find an alternative Sub-processor or to modify its services.
4.3. Liability: Giulio shall remain liable for the acts and omissions of its Sub-processors to the same extent Giulio would be liable if performing the services of each Sub-processor directly under the terms of this DPA, subject to the limitations set forth in Section 6.
5. AUDITS AND COMPLIANCE
5.1. Demonstration of Compliance: Giulio shall demonstrate its compliance with this DPA by:
a) Making available to the User, upon written request, its most recent third-party audit reports or certifications (e.g., SOC 2, ISO 27001). The User acknowledges that this shall be the primary and preferred method of verifying compliance.
b) Providing written responses to the User’s reasonable requests for information regarding Giulio’s security practices.
5.2. On-Site Audits: Any on-site audit of Giulio’s premises shall be subject to the following strict conditions:
a) The User must demonstrate a reasonable, good-faith basis for requiring an on-site audit that cannot be satisfied by the measures in 5.1.
b) The User must provide at least sixty (60) days’ prior written notice.
c) The audit shall be limited in scope to Giulio’s processing of the User’s Personal Data and shall not compromise the security or confidentiality of any other customer’s data.
d) The audit shall be conducted during normal business hours, by a mutually agreed-upon third-party auditor subject to strict confidentiality obligations, and in a manner that does not unreasonably disrupt Giulio’s business operations.
e) The User shall bear all costs of the audit, including its own costs and any costs or time incurred by Giulio at its then-current professional services rates.
6. LIABILITY AND INDEMNIFICATION
6.1. Limitation of Liability: The total aggregate liability of Giulio arising out of or related to this DPA, whether in contract, tort, or any other theory of liability, shall not exceed the liability limitations set forth in the Principal Agreement. Giulio shall not be liable for any indirect, incidental, special, consequential, or exemplary damages, including loss of profits or revenue.
6.2. User’s Responsibility: Giulio shall not be liable for any claims, losses, or damages arising from or related to (i) the User’s breach of this DPA or the GDPR, or (ii) any action taken by Giulio in accordance with a documented instruction from the User.
6.3. Indemnification: The User agrees to indemnify, defend, and hold harmless Giulio and its affiliates, officers, employees, and Sub-processors against any and all claims, losses, damages, liabilities, fines, penalties, and expenses (including reasonable attorneys’ fees) arising from any third-party claim or regulatory action resulting from the User’s breach of its obligations as a Data Controller under the GDPR or this DPA, including but not limited to the prohibition on uploading Special Category Data.
7. FINAL PROVISIONS
7.1. Priority: In case of conflict, this DPA shall prevail over the Principal Agreement with respect to the subject matter of data processing.
7.2. Governing Law and Jurisdiction: This DPA is governed by the laws of Poland. Any disputes shall be resolved in the competent courts with jurisdiction over Giulio’s registered office.
8. FINAL PROVISIONS
Giulio shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with Supervisory Authorities which the Controller reasonably considers to be required by Article 35 or 36 of the GDPR.
APPENDIX 1: LIST OF SUB-PROCESSORS
Giulio engages the following Sub-processors to provide its Services. This list is subject to change in accordance with Section 4.2 of this DPA.
| Sub-processor | Purpose | Location (Entity) |
|---|---|---|
| Google Cloud Platform (GCP) | Hosting and infrastructure services. | USA/EU |
| Vercel | Front-end application deployment and hosting. | USA |
| MongoDB | Database services for storing application data. | USA/EU |
| Clerk | User authentication and identity management. | USA |
| Stripe | Payment processing services. | USA/Ireland |
| SendGrid (Twilio) | Email delivery service for transactional emails. | USA |
| OpenAI | Artificial intelligence and language processing. | USA |
| Anthropic | Artificial intelligence and language processing. | USA |
| GitHub | Version control and code management. | USA |
| Ably | Real-time messaging and data synchronization. | UK |
| Apify | Web scraping and automation services. | Czech Republic |
| Better Stack | Monitoring and logging services. | USA/Czech Republic |
APPENDIX 2: SECURITY MEASURES
Giulio implements and maintains the following technical and organizational measures:
- Access Control: Access to systems processing Personal Data is restricted to authorized personnel based on the principle of least privilege. Multi-factor authentication (MFA) is enforced for access to critical systems.
- Encryption: Personal Data is encrypted in transit using industry-standard protocols (e.g., TLS 1.2+) and at rest using strong encryption standards (e.g., AES-256).
- Data Minimization: Giulio processes only the Personal Data necessary to provide the Services as instructed by the User.
- Breach Detection and Response: Giulio maintains an incident response plan to promptly identify, investigate, and respond to security incidents.
- Personnel Security: All personnel with access to Personal Data undergo background checks (where permitted by law) and are subject to ongoing security and data protection training. They are bound by strict confidentiality agreements.
- Physical Security: Our infrastructure providers (e.g., Google Cloud Platform) maintain state-of-the-art physical security for their data centers, including 24/7 monitoring, biometric access controls, and environmental protections.
