This Data Processing Agreement ("DPA") is concluded between FUMO – Mateusz Fajst ("Processor" or "Elean") and the Client ("Data Controller") upon acceptance of the Elean Terms of Service ("Main Agreement").
This DPA forms an integral part of the Main Agreement and governs the processing of personal data by Elean on behalf of the Client, in accordance with Article 28 of the GDPR.
§ 1 Subject of the Agreement
- Pursuant to Article 28 GDPR, the Data Controller entrusts the Processor with the processing of personal data solely for the purpose of and to the extent necessary for the performance of the Main Agreement.
- The details of the data entrusted for processing — including the nature of processing, types of personal data, and categories of data subjects — are specified in Annex No. 1 to this DPA.
- The scope of personal data in Annex No. 1 constitutes a maximum list. In practice, the scope transferred by the Controller may be smaller, without prejudice to this DPA.
- The Processor undertakes to process the entrusted personal data in accordance with this DPA, the GDPR, and applicable national data protection law.
§ 2 Scope and Purpose of Processing
The Processor is authorized to process personal data on behalf of the Controller solely for the purpose of performing the Main Agreement and within the scope specified in § 1.
§ 3 Obligations of the Processor
- The Processor shall process personal data exclusively on documented instructions from the Controller. Instructions shall be issued by utilizing the Service's functionalities (UI/API) and — for other dispositions — through the indicated communication channels (ticket/e-mail). Should an instruction infringe upon the law or the agreement, the Processor shall promptly notify the Controller and withhold its execution until the matter is clarified. Where the Processor provides services under the Main Agreement, processing is deemed to be carried out on the Controller's documented instructions.
- The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR, including:
  a) encryption of personal data in transit (TLS/SSL);
  b) encryption of personal data at rest (AES-256), including databases, files, and backups;
  c) pseudonymisation of personal data where technically feasible;
  d) storage of data in the European Union (Cloudflare R2, EU region; SkyPass Solutions Sp. z o.o.);
  e) access controls limiting who can access personal data;
  f) authentication handled by Stytch, a SOC 2 Type II and ISO 27001 certified provider;
  g) measures ensuring confidentiality, integrity, availability and resilience of processing systems and services, including access controls, audit logging, network security, and infrastructure redundancy;
  h) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident, taking into account defined recovery time and recovery point objectives appropriate to the nature of processing;
  i) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing, including periodic backup restoration tests, security assessments, and continuous monitoring and logging;
  j) daily backups retained for 7 days. Backups kept for 7 days serve solely for disaster recovery purposes; following any system restoration, the Controller/Processor shall promptly re-execute the deletion instructions; after 7 days, restoring the data is technically impossible.
- The Processor shall assist the Controller, to the extent possible, in responding to requests from data subjects exercising their rights under Chapter III of the GDPR.
- The Processor shall assist the Controller in fulfilling its obligations under Articles 32–36 of the GDPR (security, breach notification, DPIA, prior consultation).
- The Processor shall notify the Controller without undue delay — and in any event within 72 hours — of any personal data breach concerning the entrusted data, by email to the address provided by the Controller in the Main Agreement.
- The notification referred to in section 5 above shall at least:
  a) describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  c) describe the likely consequences of the personal data breach;
  d) describe the measures taken or proposed to be taken by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Where, and in so far as, it is not possible to provide all the information referred to in section 6 at the same time, the Processor shall provide the information in phases (update the notification) without undue further delay.
- The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller, in accordance with Article 30(2) GDPR.
- The Processor shall ensure that persons authorized to process personal data are bound by confidentiality obligations.
- Following termination of the Main Agreement, the Processor shall permanently anonymize all personal data immediately upon account deletion by the Controller. The anonymized record, containing no personal data, may be retained for technical integrity purposes.
- If the account has not been deleted by the Controller following termination of the Main Agreement, the account shall be treated as inactive. The Processor shall send a written notice to the Controller's registered e-mail address after 180 days of inactivity, informing of the upcoming deletion. If no login is recorded within 30 days of such notice, the Processor shall permanently delete the account and all associated personal data. The total period does not exceed 210 days from the last recorded login. The Processor shall not be liable for any loss of data resulting from deletion carried out in accordance with this provision.
- Notwithstanding the above, the Processor may retain personal data to the extent strictly necessary for compliance with legal obligations, including statutory accounting and tax retention requirements, for a period of 5 years starting from the end of the calendar year in which the tax payment deadline expired. Such retained data shall be limited to information appearing on invoices and billing records. Furthermore, other personal data which may be relevant for the purpose of potential legal claims shall be retained for the duration of the statute of limitations, not exceeding 3 years from the termination of the Main Agreement.
- Where an account has remained inactive for a continuous period of 180 days, the Processor shall send a written notice to the Controller's registered e-mail address informing of the upcoming deletion. If no login is recorded within 30 days of such notice, the Processor shall permanently delete the account and all associated personal data. The Processor shall not be liable for any loss of data resulting from deletion carried out in accordance with this provision.
- The Processor may disclose personal data to its employees or collaborators only to the extent necessary for the performance of this DPA and the Main Agreement.
§ 4 Obligations of the Data Controller
- The Controller shall cooperate with the Processor and provide all information necessary for the performance of this DPA.
- The Controller shall document all instructions to the Processor regarding personal data processing.
- The Controller shall inform data subjects about processing operations at the time of data collection.
- The Controller represents that it acts as data controller within the meaning of the GDPR in relation to all data subjects whose data are entrusted under this DPA.
- The Controller represents that the processing of data entrusted under this DPA does not violate the GDPR or any other applicable law.
§ 5 Audits and Inspections
- The Controller has the right, in accordance with Article 28(3)(h) GDPR, to verify whether the Processor complies with the requirements of the GDPR and this DPA. To this end:
  a) the Processor shall make available to the Controller all information necessary to demonstrate compliance with its obligations;
  b) the Processor shall allow and contribute to audits and inspections conducted by the Controller or an auditor authorized by the Controller. The Controller shall notify the Processor of the intended audit at least 14 days before the audit begins. Audits may be conducted a maximum of once per calendar year and are performed at the sole expense of the Controller, unless the audit reveals a material breach of this DPA by the Processor.
- The Processor shall implement any corrective measures recommended by the Controller following an audit, provided they are consistent with this DPA and applicable law.
- If an audit reveals a breach of this DPA or data protection law, the Processor shall remedy such breach within the timeframe specified by the Controller in a written notice.
§ 6 Sub-processors
- The Processor may engage sub-processors only to the extent necessary for the performance of the Main Agreement. The Processor shall select sub-processors that provide sufficient guarantees of GDPR compliance.
- Any sub-processing requires a written agreement imposing the same data protection obligations as those set out in this DPA and Article 28 GDPR.
- The Controller grants general authorization for the Processor to engage the sub-processors listed below. The Processor shall notify the Controller of any intended changes (addition or replacement of sub-processors) via https://elean.app/legal/privacy-policy at least 14 days in advance, allowing the Controller to object.
- The Processor shall remain fully liable to the Controller for the performance of data protection obligations by any sub-processor it engages.
- If the processing requires the transfer of personal data outside the EEA, the Processor shall ensure a valid legal basis for the transfer in accordance with Chapter V of the GDPR, in particular: (i) an adequacy decision (e.g., the EU-U.S. Data Privacy Framework), where applicable; (ii) Standard Contractual Clauses (SCCs 2021/914), along with conducting a Transfer Impact Assessment (TIA) and implementing appropriate supplementary measures (including strong encryption in transit and at rest, with encryption keys controlled by the data exporter, access restrictions, logging, and audits). In the event of the invalidation of the adequacy decision or the loss of the recipient's certification status, the Parties shall immediately transition to the SCCs, perform a TIA, and implement supplementary measures. Derogations under Article 49 of the GDPR may be applied solely on an occasional and exceptional basis.
Authorized sub-processors
| Sub-processor | Role | Location | Transfer basis |
|---|---|---|---|
| Stytch Inc. | Authentication | USA | EU-U.S. Data Privacy Framework |
| Google LLC (Gemini) | AI writing features | USA | EU-U.S. Data Privacy Framework |
| Unosend Inc. | Transactional and marketing e-mails | USA / Germany | Standard Contractual Clauses (SCC) |
| Cloudflare Inc. (R2 EU) | Storage and backups | EU | No transfer — EU only |
| SkyPass Solutions Sp. z o.o. | Hosting | Poland | Polish law — no transfer |
§ 7 Confidentiality
- The Processor shall keep confidential all personal data and information received from the Controller.
- The Processor shall not use, disclose, or make available such data for any purpose other than the performance of the Main Agreement, unless required by applicable law.
- The Parties shall ensure that all means of communication used for the transfer and storage of personal data provide adequate security against unauthorized access.
§ 8 Liability
- The Processor shall be liable under Article 82(2) GDPR for damages caused by processing only if it has failed to comply with GDPR obligations specifically imposed on processors, or has acted outside or contrary to the Controller's lawful instructions.
- The Processor shall be exempt from liability if it proves it is not responsible for the event causing the damage. The Processor's total liability under this DPA shall not exceed the liability cap defined in the Main Agreement.
§ 9 Term
- This DPA is concluded for the duration of the Main Agreement.
- Termination of the Main Agreement results in automatic termination of this DPA on the same date.
§ 10 Remuneration
The fees due to the Processor under the Main Agreement include remuneration for services rendered under this DPA. No separate fee is charged for this DPA.
§ 11 Final Provisions
- Any amendments to this DPA require documentary form (e.g., via email or electronic notification within the service).
- In matters not regulated by this DPA, the provisions of the GDPR and applicable Polish law shall apply.
- Disputes arising from this DPA shall be resolved by the court having jurisdiction over the registered office of the Controller.
- This DPA is accepted electronically (documentary form) upon the Controller's acceptance of the Main Agreement (Terms of Service). No wet signature is required.
Annex No. 1 — Detailed Information on Personal Data
Nature of Processing
The Processor processes personal data on a continuous basis as part of the activities arising from the Main Agreement. Processing operations include: collection, recording, storage, modification, retrieval, use, and deletion of data.
Categories of Data Subjects
| Category | Description |
|---|---|
| Account holders | Individuals who have registered an Account on the Elean platform |
| Workspace members | Individuals invited to a Workspace by the Controller |
| End users | Individuals whose data the Controller manages within the Service |
Types of Personal Data
| Category | Data types |
|---|---|
| Identification data | First and last name, email address |
| Account data | Workspace name, slug, role within Workspace |
| Usage data | Login events, session tokens, IP address |
| Content data | Tasks, descriptions, comments, attachments created within the Service |
| Invoicing data (Paid Plan) | Company name, NIP (tax number), correspondence address |