(48) 22 350 65 34

Contact
regulamin

Polityka prywatności

Data Processing Agreement (DPA)

This Data Processing Agreement (“Agreement”) is entered into between:

Macom-lab, with its registered office at [Nastrojowa 29 st. 02-441 Warsaw] (the “Controller”)

and

MACOM-LAB, available at www.macom-lab.ai

(the “Processor”)

(together referred to as the “Parties”).

This Agreement forms an integral part of the main service agreement (“Main Agreement”).


1. Subject Matter and Duration

  1. This Agreement governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of SaaS and AI services.
  2. The Agreement applies for the duration of the Main Agreement and until all personal data are deleted or returned.


2. Nature and Purpose of Processing

  1. Processing operations may include: collection, storage, organization, structuring, retrieval, use, transmission, and deletion of data.
  2. The Processor shall process personal data solely for the purpose of:
  • providing SaaS and AI-based services,
  • hosting, storing, and managing data,
  • enabling functionalities requested by the Controller,
  • ensuring system security and performance.


3. Types of Personal Data and Categories of Data Subjects

  1. Types of personal data may include:
  • identification data (e.g., name),
  • contact data (e.g., email, phone),
  • business-related data,
  • technical and usage data.
  • Categories of data subjects may include:
  • employees and representatives of the Controller,
  • customers or end-users of the Controller,
  • contractors and business partners.


4. Obligations of the Processor

The Processor shall:

  1. Process personal data only on documented instructions from the Controller.
  2. Ensure that persons authorized to process personal data are bound by confidentiality obligations.
  3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
  • encryption and pseudonymization,
  • access control mechanisms,
  • system monitoring and regular testing.
  • Assist the Controller in fulfilling obligations under the General Data Protection Regulation, including:
  • responding to data subject requests,
  • ensuring compliance with security, breach notification, and impact assessments.
  • Notify the Controller without undue delay after becoming aware of a personal data breach.


5. Subprocessors

  1. The Controller grants general authorization for the Processor to engage subprocessors.
  2. The Processor shall ensure that any subprocessor is bound by data protection obligations equivalent to those set out in this Agreement.
  3. The Processor shall inform the Controller of any intended changes concerning subprocessors, giving the Controller the opportunity to object.

6. International Data Transfers

  1. The Processor may transfer personal data outside the European Economic Area (EEA) only where appropriate safeguards are in place.
  2. Such safeguards may include:
  • Standard Contractual Clauses (SCCs),
  • adequacy decisions issued by the European Commission.

7. Rights of Data Subjects

  1. Taking into account the nature of the processing, the Processor shall assist the Controller in responding to requests from data subjects exercising their rights under the GDPR.

8. Audit and Compliance

  1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with this Agreement.
  2. The Controller may conduct audits or inspections, subject to reasonable notice and confidentiality obligations.

9. Data Return and Deletion

  1. Upon termination of the Main Agreement, the Processor shall, at the choice of the Controller:
  • return all personal data, or
  • securely delete all personal data.
  • This obligation does not apply where retention is required by law.


10. Liability

  1. Each Party shall be liable for damages caused by processing that infringes the GDPR, in accordance with applicable law.
  2. The Processor shall be liable only where it has failed to comply with its obligations under the GDPR or acted outside or contrary to lawful instructions of the Controller.


11. Confidentiality

The Processor shall ensure that all personal data are treated as confidential and are not disclosed to unauthorized persons.


12. Final Provisions

  1. In case of conflict between this Agreement and the Main Agreement, this Agreement shall prevail with respect to data protection matters.
  2. This Agreement shall be governed by the laws of [jurisdiction – e.g., Poland].
  3. Any disputes shall be resolved by the competent courts of that jurisdiction.


Appendix 1 – Security Measures

The Processor implements:

  • TLS/SSL encryption,
  • role-based access control (RBAC),
  • logging and monitoring systems,
  • regular vulnerability assessments,
  • backup and disaster recovery procedures.


Appendix 2 – Subprocessors

  • Cloud infrastructure providers (e.g., hosting providers)
  • Analytics providers
  • Communication tools (e.g., email delivery services)
Contact

Contact our team