This Data Processing Agreement (DPA) forms part of the agreement between Spakto Technologies and the Customer. It sets out the terms under which Spakto processes personal data on behalf of the Customer in compliance with applicable data protection laws including the GDPR.
1. Definitions
- Controller – the Customer who determines the purposes and means of processing personal data.
- Processor – Spakto Technologies, who processes personal data on behalf of the Controller.
- Personal Data – any information relating to an identified or identifiable natural person.
- Processing – any operation performed on personal data, including collection, storage, use and deletion.
- Sub-processor – any third party engaged by Spakto to process personal data.
2. Scope and Nature of Processing
Spakto processes personal data only as necessary to provide the contracted services and strictly in accordance with the documented instructions of the Customer. Spakto will not process personal data for its own purposes beyond what is necessary for service delivery.
3. Customer Obligations
- Ensure you have a lawful basis for transferring personal data to Spakto.
- Provide clear and complete documented instructions for processing.
- Ensure the personal data you provide is accurate and up to date.
- Comply with applicable data protection laws in your use of our services.
4. Spakto's Obligations as Processor
- Process personal data only on documented instructions from the Customer.
- Ensure all personnel who process data are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organisational security measures.
- Assist the Customer in fulfilling obligations to respond to data subject requests.
- Notify the Customer without undue delay upon becoming aware of a personal data breach.
- Provide all information necessary to demonstrate compliance with this DPA.
- Delete or return all personal data upon termination of services, as instructed.
5. Security Measures
Spakto implements technical and organisational measures including: encryption of personal data in transit and at rest, access controls and authentication, regular security assessments and penetration testing, employee security training, and incident response procedures.
6. Sub-processors
Spakto engages sub-processors to support the delivery of our services. We maintain an up-to-date list of sub-processors available to Customers upon request. We require all sub-processors to be bound by data protection obligations equivalent to those in this DPA.
7. International Transfers
Where personal data is transferred outside the European Economic Area or other jurisdictions with data transfer restrictions, Spakto ensures appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or equivalent mechanisms.
8. Data Subject Rights
Spakto will assist the Customer in responding to data subject requests for access, rectification, erasure, portability and objection to processing. We will promptly forward any requests received directly from data subjects to the relevant Customer.
9. Data Breach Notification
In the event of a personal data breach, Spakto will notify the Customer without undue delay (and within 72 hours where feasible) and provide all information necessary for the Customer to fulfil its breach notification obligations to supervisory authorities and affected individuals.
10. Audits and Compliance
Spakto will make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, with reasonable prior notice.
11. Duration and Termination
This DPA remains in force for the duration of the service agreement. Upon expiry or termination, Spakto will delete or return all personal data as instructed by the Customer, and certify such deletion in writing.