1. Definitions

​

For the purposes of this DPA, the following terms shall have the meanings set forth below:

1.1 "Personal Data": Any information relating to an identified or identifiable natural person.
1.2 "Processing": Any operation performed on Personal Data, whether automated or manual, such as collection, recording, organization, structuring, storage, alteration, retrieval, use, disclosure, or deletion.
1.3 "Controller": The entity that determines the purposes and means of processing Personal Data.
1.4 "Processor": The entity that processes Personal Data on behalf of the Controller.
1.5 "Sub-Processor": Any third party engaged by the Processor to process Personal Data.
1.6 "Data Subject": The individual to whom the Personal Data relates.

 

 

2. Roles and Responsibilities

​

2.1 Controller’s Obligations:
The Controller confirms that:

• It has a lawful basis for collecting and processing Personal Data under applicable Data Protection Laws.

• It provides sufficient notices and obtains consent from Data Subjects, as required.

• It instructs the Processor to process Personal Data only as necessary to fulfill the Agreement.

2.2 Processor’s Obligations:
The Processor shall:

• Process Personal Data only on documented instructions from the Controller.

• Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.

• Implement appropriate technical and organizational measures to protect Personal Data in accordance with Article 32 of the GDPR.

 

 

3. Scope of Processing

​

3.1 Purpose:
The Processor will process Personal Data solely for the purposes specified in the Agreement and as instructed by the Controller.

3.2 Nature of Processing:
The processing activities may include data scraping, extraction, structuring, storage, and transfer.

3.3 Categories of Data Subjects:
The categories of Data Subjects may include users of the Controller’s website or services, employees, contractors, and other end-users.

3.4 Types of Personal Data:
Personal Data may include names, email addresses, IP addresses, and any other data types specified by the Controller.

 

 

4. Security Measures

​

4.1 The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, alteration, or destruction.

4.2 Security measures may include, but are not limited to:

• Encryption of data in transit and at rest.

• Access controls and authentication protocols.

• Regular security audits and vulnerability assessments.

4.3 The Processor shall notify the Controller of any Personal Data breach without undue delay, providing details of the breach and mitigation steps taken.

 

 

5. Sub-Processors

​

5.1 The Controller authorizes the Processor to engage Sub-Processors as necessary to perform the Services.

5.2 The Processor shall:

• Conduct due diligence to ensure Sub-Processors maintain equivalent data protection standards.

• Enter into a written agreement with each Sub-Processor imposing obligations similar to those in this DPA.

5.3 The Processor shall provide the Controller with a list of current Sub-Processors upon request.

 

 

6. International Transfers

​

6.1 If the Processor transfers Personal Data outside the European Economic Area (EEA) or any jurisdiction with similar data transfer restrictions, it shall ensure such transfers comply with applicable Data Protection Laws.

6.2 Mechanisms for compliance may include:

• Standard Contractual Clauses approved by the European Commission.

• Binding corporate rules.

• Certification under frameworks such as the EU-U.S. Data Privacy Framework (if applicable).

 

 

7. Data Subject Rights

​

7.1 The Processor shall assist the Controller, where possible, in responding to Data Subject requests to exercise their rights under Data Protection Laws, including:

• Right of access, rectification, and erasure.

• Right to data portability.

• Right to restriction or objection to processing.

7.2 The Processor shall promptly notify the Controller of any such requests it receives directly.

 

 

8. Data Retention and Deletion

​

8.1 The Processor shall retain Personal Data only for as long as necessary to fulfill the Agreement or as required by law.

8.2 Upon termination of the Agreement or at the Controller’s request, the Processor shall delete or return all Personal Data, unless retention is required by law.

 

 

9. Liability

​

The Processor’s liability under this DPA is limited to the extent specified in the Agreement, except where prohibited by applicable law.

 

 

10. Audits and Inspections

​

10.1 The Controller may request reasonable access to the Processor’s records and facilities to verify compliance with this DPA.

10.2 The Processor shall cooperate with audits conducted by the Controller or its authorized representatives, provided such audits do not disrupt business operations.

 

 

11. Changes to This DPA

​

We may update this DPA to reflect changes in legal requirements or business practices. Any updates will become effective upon notice to the Controller.

 

 

12. Governing Law and Dispute Resolution

​

12.1 This DPA is governed by the laws of Lithuania.

12.2 Any disputes arising under or in connection with this DPA shall be resolved exclusively in the courts of Lithuania.