Last date of update: 2026-02-24
This Data Processing Addendum (“Addendum”) forms an integral part of the Altro Terms of Use (“T&C”), governing the use of Altro, a cyber security platform which helps to identify and assess potential security risks, vulnerabilities, and threats to Client’s or their customers’ cloud infrastructure, and provides recommendations for improving security, administered by Extendity, UAB, a private limited liability company established in the Republic of Lithuania, with the legal entity code 306011750 and registered address at Kareivių str. 11B, LT-09133 Vilnius (“Extendity”), and available at https://altrosecurity.com (“Platform”), and accepted by the Client (“Client”; each “Party” and together - “Parties”).
By accepting the T&C, the Client also accepts the terms of this Addendum. This Addendum forms an integral part of the T&C, also Extendity’s Privacy Policy.
The Parties seek to ensure that data processing complies with the requirements of the General Data Protection Regulation (EU) 2016/679 (“GDPR”). Therefore, the Parties entered into this Addendum.
1. DEFINITIONS
1.1. Unless otherwise defined in this Addendum, all capitalized terms not defined in this Addendum will have the meanings given to them in the T&C or the Privacy Policy.
1.2. “Client Data” means any personal data of any data subject processed by Extendity under this Addendum.
1.3. The terms “personal data”, “data subject”, “processing” as used in this Addendum shall have the meanings given in the GDPR.
2. PROCESSOR AND CONTROLLER ROLES
2.1. Extendity and the Client agree that the Client is the Data Controller of Client Data and Extendity is the Data Processor of such data, except when Client acts as a Data Processor of Client Data, in which case Extendity is a Sub-Processor. The roles of the Parties are explained in detail in Extendity’s Privacy Policy.
2.2. Where Client is a Data Processor of Client Data, Client warrants to Extendity that Client’s instructions, provided in this Addendum, including appointment of Extendity as a Sub-Processor, have been authorized by the relevant ultimate Data Controller and the Client has the authority to act on behalf of ultimate Data Controller.
2.3. This Addendum applies in both scenarios and governs all processing of Client Data undertaken by Extendity regardless of whether Extendity acts as a Data Processor or a Sub-Processor. In either case, Extendity shall have no obligation to assess the legality or sufficiency of Client’s instructions and shall be entitled to rely on them as compliant with applicable law, and where the Client acts as a Data Processor, as reflecting the true will of the ultimate Data Controller.
2.4. All rights, obligations, limitations of liability and safeguards set out in this Addendum apply equally whether Extendity acts as a Data Processor or a Sub-Processor, unless expressly stated otherwise.
3. SUBJECT MATTER
3.1. While fulfilling the duties and exercising the rights as set by T&C, Extendity shall act in accordance with the Client’s instructions and shall process the Client Data as specified in this Addendum.
3.2. The nature, subject matter, purpose, duration, types of personal data processed while processing Client Data, and categories of data subjects are set out in Annex 1 to this Addendum.
4. DUTIES OF EXTENDITY
4.1. Extendity undertakes to limit the processing of Client Data to the extent that is necessary for providing the Platform to the Client and the services available on the Platform as described in T&C.
4.2. Extendity shall process Client Data on behalf of and following the instructions of the Client. Extendity shall contact the Client if Extendity does not know or understand the Client’s instructions.
4.3. Extendity undertakes to process Client Data in accordance with the applicable legal requirements and recommendations of supervisory authorities.
4.4. Extendity undertakes to ensure the confidentiality and security of the Client Data processed by Extendity.
4.5. Upon receipt of any request or demand relating to the Client Data, Extendity shall inform the Client immediately, but no later than within 3 (three) business days, and shall forward such requests to the Client, unless prohibited by applicable law.
4.6. At the request of the Client (for an additional fee calculated following Extendity’s business rates if such a request exceeds the usual performance of Extendity’s obligations under the T&C), Extendity undertakes to:
4.6.1. assist the Client in responding to requests from data subjects;
4.6.2. provide information and documents requested by the Client;
4.6.3. cooperate with the Client on data protection impact assessments and prior consultation with the supervisory authority.
4.7. Some of the Client’s instructions, including the implementation of the Client’s obligations, the destruction of data, or the return of data from Extendity, may result in additional fees. In such a case, unless otherwise agreed, Extendity shall notify the Client of such costs in advance. If the Client refuses to pay such costs, its requests or demands will not be implemented or will only be implemented to the extent that they do not require extra efforts in comparison to Extendity’s normal activities in providing the services under the T&C. Such behaviour or conduct of Extendity shall not be considered as a breach of this Addendum or the T&C. In such event, the entire risk of non-compliance with the requests or demands of data subjects or requirements of applicable data protection laws shall be borne solely by the Client.
5. DUTIES OF THE CLIENT
5.1. The Client is solely responsible for assessing the lawfulness of the Client Data processing while using the Platform and for safeguarding the rights of data subjects.
5.2. The Client has provided all the necessary privacy notices and/or obtained all consents and rights necessary under the applicable legislation for Extendity to process Client Data in connection to the use of the Platform pursuant to the T&C and this Addendum.
5.3. The Client is entitled to issue instructions concerning the nature, scale and method of Client Data processing. Upon request by Extendity, the Client shall confirm verbal instructions immediately in writing or in text form (e.g., by email) to Extendity.
5.4. The Client shall notify Extendity immediately of any errors or irregularities detected in relation to the processing of Client Data by Extendity.
5.5. The Client confirms that processing of Client Data by the Client is carried out following the requirements of the applicable legislation.
6. SECURITY MEASURES
6.1. Extendity undertakes to apply appropriate technical and organizational security measures to protect Client Data and undertakes to comply with the information security requirements introduced by the GDPR. The minimum list of technical and organizational measures to be implemented by Extendity is set out in Annex 2 to the Addendum.
6.2. To ensure the security and integrity of the data stored in the electronic systems, Extendity usually uses security measures developed by third parties. These measures are standardized and applied to all similar services and Clients of Extendity. The Client confirms that such measures are sufficient and appropriate for it to ensure an adequate level of protection of Client Data following its processing and the nature of the processing, the risks involved, the type, scope, context, and purposes of the Client Data.
6.3. Extendity may, at its sole discretion, modify and update the technical and organizational measures without notifying the Client separately. Such modification and updating shall provide the same level of protection as the earlier measures.
6.4. Upon the Client’s instruction and at the sole expense of the Client, the implementation of any additional technical and organizational measures that are not directly related and necessary for providing the services as described in the T&C may be carried out.
7. SUBPROCESSING
7.1. The Client agrees that Extendity may use other Data Processors to fulfil its contractual obligations under the T&C and this Addendum. The Client hereby grants general authorization to Extendity’s use of other Data Processors as described in this Section.
7.2. Extendity will remain responsible for its compliance with the obligations of this Addendum and for any acts or omissions of the Data Processors that cause Extendity to breach any of its obligations under this Addendum.
7.3. New Data Processors will be added to Annex 1 to this Addendum. If the Client does not approve a new Data Processor, the objection to the intended change must be lodged with Extendity within 2 (two) weeks after receipt of the information on the change. In the event of an objection, Extendity may, at its own discretion, either provide the service without the intended change or propose an alternative subcontractor and coordinate it with the Client. Insofar as the provision of the service is unreasonable for Extendity without the intended modification, for example, due to the associated disproportionate costs for Extendity, or the agreement on an alternative subcontractor fails, the Client and Extendity may terminate this Addendum as well as stop using the Platform under the T&C with a prior written notice provided 1 (one) month in advance.
8. CONFIDENTIALITY
8.1. Extendity is obliged to maintain confidentiality when processing Client Data on behalf of the Client.
8.2. In fulfilling its obligations under this Addendum, Extendity shall ensure that persons authorized to process personal data have committed themselves to confidentiality. Upon request, Extendity shall provide the Client with evidence of such confidentiality commitments.
9. LOCATION OF PROCESSING
9.1. The Client authorizes Extendity to transfer or access Client Data outside the European Union / European Economic Area, provided that:
9.1.1. such transfer is necessary for the provision of services under the T&C; and
9.1.2. appropriate safeguards are implemented to ensure an adequate level of protection for the Client Data in accordance with the GDPR.
10. AUDITS
10.1. The Client shall be entitled, after prior written notification provided 1 (one) month in advance and during Extendity’s normal business hours, to carry out an audit on the compliance of Extendity’s activities while processing Client Data on the Client’s behalf, with the provisions of GDPR and this Addendum. This audit shall be conducted without disrupting Extendity’s business operations or endangering the security measures used by Extendity. The Client may conduct these audits either personally or through third parties. In any case the audits shall be carried out at the Client’s own expense. Audits can also be carried out by accessing existing industry-standard certifications of Extendity, current attestations or reports from an independent body (such as auditors, external data protection officers or external data protection auditors) or self-assessments. Extendity shall offer the necessary support to carry out the checks.
10.2. Extendity will not provide the Client or any third party engaged by the Client with access to Extendity’s systems and IT infrastructure used for services under the T&C.
11. DELETION OF PERSONAL DATA
11.1. After the end of provision of services, Extendity will retain Client Data associated with the Client’s account for 1 (one) month. During this period, the Client may access and export its data at its own initiative and expense. After the retention period, all such data will be permanently deleted and cannot be recovered.
12. NOTIFICATION OF A DATA BREACH
12.1. Upon becoming aware of a personal data breach, Extendity shall inform the Client immediately, but no later than within 72 (seventy-two) hours, by email or in writing and provide the following information, where possible:
12.1.1. the date and time when the data breach may have occurred and the date and time when the Data Processor became aware of the data breach;
12.1.2. description of the nature of data breach, including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
12.1.3. details of a contact person who can provide more information;
12.1.4. description of likely consequences;
12.1.5. description of measures that the Data Processor has implemented or intends to implement to eliminate the data breach and possible adverse effects;
12.1.6. other relevant information.
12.2. Extendity shall cooperate with the Client to eliminate a data breach and minimize its negative consequences, as well as to enable the Client to inform the supervisory authority and data subjects about the data breach.
12.3. Extendity shall implement adequate corrective measures, including notification to the Client, investigation of the relevant breach, and preparation of a report on the causes of the data breach.
13. LIABILITY
13.1. Extendity shall only be liable for damages caused by the processing of Client Data if it has not complied with the obligations laid down in the GDPR and specifically applicable for Data Processor or if it has acted in disregard of or breach of the lawful instructions of the Client. Extendity shall only be liable for the damages directly caused by the breach imposed on Extendity. The liability of Extendity will be subject to the terms and conditions of liability set out in the T&C, including any limitations. The total liability of Extendity is limited to the amount paid by the Client to Extendity under the T&C in the last 6 (six) months before the occurrence of the conditions giving rise to liability.
13.2. The Client shall be liable for any damages suffered by Extendity as a result of the Client’s breach of this Addendum and / or the requirements of applicable legislation.
14. MISCELLANEOUS
14.1. In case of contradictions between the provisions contained in this Addendum and provisions contained in the T&C, the provisions of this Addendum shall prevail.
14.2. This Addendum shall come into force after the acceptance of the T&C by the Client (or its authorized representatives) and shall remain in force for as long as Extendity processes Client Data on behalf of the Client.
14.3. This Addendum shall be governed by and construed in accordance with the laws of the Republic of Lithuania.
14.4. Any claims or disputes arising out of or relating to the breach, termination, or invalidity of this Addendum or any of its provisions shall be settled by the competent court of jurisdiction of Extendity’s registered office.
14.5. The following shall constitute an integral part of the Addendum:
14.5.1. Annex 1 – Details of the processing;
14.5.2. Annex 2 – Security measures.
ANNEX 1
DETAILS OF THE PROCESSING
ANNEX 2
SECURITY MEASURES
Taking into account the best practices, the costs of implementation and the nature, scope, circumstances and purposes of processing as well as the different likelihood of occurrence and severity of the risk to the rights and freedoms of natural persons, Extendity undertakes the following technical and organizational measures:
1. Encryption measures
Measures by which readable text / information is transformed into unreadable, difficult-to-interpret character strings (encrypted text) through encryption methods.
Description of encryption measures: symmetric / asymmetric encryption is applied to communications between participants and/or servers.
2. Physical access control
Measures that physically prevent unauthorised persons from accessing IT systems and data processing equipment used to process personal data, as well as confidential files and data media.
Description of physical access control measures: restricting unauthorised access to data processing systems by locking premises, using access cards, and other locks.
3. Logical access control
Measures preventing unauthorised persons from processing or using personal data.
Description of logical access control measures: managing system access and work sessions, using secure passwords, automatic computer locking mechanisms, and encryption of data media.
4. Data access control
Measures ensuring that persons authorised to use data processing systems can only access personal data according to their granted access rights and that data cannot be read, copied, modified, or removed without permission during processing, use, and storage.
Data access control measures: prohibition of reading, copying, modifying, or deleting data in the system without authorisation, use of authorisation mechanisms and access rights upon request, application of a “clean desk” policy, and automatic device locking when away from the workplace.
5. Separation rule
Measures ensuring that data collected for different purposes is processed separately and isolated from other data and systems to prevent unintended use for other purposes than those for which they were collected.
Separation measures: separate processing of data collected for different purposes, based on authorisation measures, use of software and information systems grounded in client separation, and separation of development and production environments.
6. Transmission control
Measures ensuring that it is possible to verify and determine to whom personal data may be or has been transferred, using data transfer equipment.
Transmission control measures: during electronic transfer, encryption measures prevent data from being read, copied, modified, or removed, with records kept of data transfers and users conducting the transfer.
7. Availability control
Measures ensuring that personal data is protected against accidental destruction or loss.
Description of the availability control system: data is stored in a reliable environment with a backup procedure.
8. Documentation and procedures
Internal documents for data processing that ensure that data is processed according to the requirements of applicable legislation.
Lists of documents and procedures: internal procedures for processing personal data.