Effective Date: 12.12.2024 This Data Processing Agreement (“DPA”) forms part of the End User License Agreement (the “EULA”) between the Almarise Entity identified below ("Almarise", "we," "our,", "us" or “Processor”) and its Customers (“Controller”) governing the processing of Personal Data in connection with Almarise’s products. We sell our Products through two affiliated entities (each an “Almarise Entity ”): AppTime Almarise Robert Dzido S.K.A Owalna 43 05-420 Józefów, Poland Secure Fields SLA PowerBox Workflow PowerBox Visual Links Automated Attachments Groups Plus PULSE Component Picker Announcement Feeds Secure Pages for Confluence Gate GPT Project Field Manager Idea Hub Communities for Jira Promity Sp z o.o. ul. Wiejska 14/25 00-732 Warsaw, Poland For the purposes of this DPA, the following definitions apply: Almarise will process Personal Data solely to provide services and support under the EULA in accordance with the Customer’s documented instructions as set forth in this DPA. This processing includes, but is not limited to: Almarise will process Personal Data for the duration of the EULA between Almarise and the Customer or until data deletion or anonymization as directed by the Controller. The categories of Data Subjects include: Almarise may process the following types of Personal Data: The Customer, as Controller, shall: Almarise, as Processor, agrees to: Almarise will implement robust security measures, including: In the event of a data breach, Almarise will notify the Controller within 48 hours of becoming aware, including details on the nature, impact, and mitigation steps taken. Almarise engages the following internal and external Sub-processors to assist in providing services: Type Name Link Location Purpose In case of adding a new Sub-processors, The Controller has the right to object to them within 10 business days of notice. In case of objection, Almarise will work with the Controller to resolve the issue or provide an option to terminate the affected services. Almarise will ensure all Sub-processors are contractually bound by terms similar to this DPA, ensuring they implement equivalent data protection standards. Almarise will assist the Controller in fulfilling its obligation to respond to Data Subject requests, including requests for: Upon receiving a request directly from a Data Subject, Almarise will promptly notify the Controller unless legally prohibited. The Controller is responsible for responding to Data Subject requests. Almarise will not transfer Personal Data outside the European Economic Area (EEA) without implementing adequate safeguards, such as Standard Contractual Clauses (SCCs) or other recognized mechanisms under GDPR. Upon termination of the EULA, Almarise will: Almarise and all personnel involved in processing Personal Data are committed to maintaining strict confidentiality. This confidentiality obligation survives the termination of this DPA. The Controller may request documentation, security certifications, or audit reports to demonstrate Almarise’s compliance with this DPA. The Controller may audit Almarise’s compliance with this DPA once per year or upon identifying a substantiated security concern. Audits must be conducted with reasonable notice and during regular business hours. Each party’s liability under this DPA is subject to the liability limitations set forth in the EULA. Almarise shall not be liable for any claims arising from the Controller’s failure to comply with its data protection obligations. This DPA is governed by the laws of the Republic of Poland. Disputes arising out of this DPA are subject to the exclusive jurisdiction of the courts in Warsaw, Poland. If required by applicable laws, additional terms will apply to data processing for residents of specific jurisdictions, such as California under the CCPA. Almarise agrees to cooperate in good faith to ensure compliance. This DPA, together with the EULA, constitutes the entire agreement between the parties regarding data processing. Amendments must be in writing and signed by both parties. If any provision of this DPA is held invalid, the remaining provisions shall remain in full force and effect. Almarise Robert Dzido S.K.A Email: privacy@almarise.com Phone: +48 (22) 354 63 13If you license: the Licensor will be: 1. Definitions
2. Scope and Purpose of Data Processing
3. Duration of Processing
4. Categories of Data Subjects
5. Types of Personal Data Processed
6. Obligations of the Controller
7. Obligations of the Processor
8. Security Measures
8.1 Specific Security Measures
8.2 Data Breach Notification
9. Sub-processors
9.1 Authorization of Sub-processors
External Amazon Web Services (AWS) https://www.amazon.com United States of America, Germany Cloud Hosting External MongoDB, Inc. https://www.mongodb.com United States of America, Germany Data Hosting Internal Promity Sp. z o.o. https://promity.com/ Poland Log Management 9.2 Right to Object to Sub-processors
9.3 Sub-processor Obligations
10. Data Subject Rights
10.1 Handling Data Subject Requests
11. International Data Transfers
12. Data Retention and Deletion
13. Confidentiality
14. Audit Rights
14.1 Information Requests
14.2 Audits
15. Liability and Indemnification
16. Governing Law and Jurisdiction
17. Jurisdiction-Specific Terms
18. Entire Agreement and Amendments
19. Severability
Contact Information
Address: Owalna 43, 05-420 Józefów, Poland