Data Processing Agreement (DPA)

Effective Date: 12.12.2024This Data Processing Agreement (“DPA”) forms part of the End User License Agreement (the EULA) between the Almarise Entity identified below ("Almarise", "we," "our,", "us" or “Processor”) and its Customers (“Controller”) governing the processing of Personal Data in connection with Almarise’s products.

We sell our Products through two affiliated entities (each an “Almarise Entity”):

If you license:

the Licensor will be:

AppTime

Almarise Robert Dzido S.K.A

Owalna 43

05-420 Józefów, Poland

Secure Fields

SLA PowerBox

Workflow PowerBox

Visual Links

Automated Attachments

Groups Plus

PULSE

Component Picker

Announcement Feeds

Secure Pages for Confluence

Gate GPT

Project Field Manager

Idea Hub

Communities for Jira

Promity Sp z o.o.

ul. Wiejska 14/25

00-732 Warsaw, Poland

1. Definitions

For the purposes of this DPA, the following definitions apply:

Controller: The entity that determines the purposes and means of processing Personal Data.
Processor: The entity that processes Personal Data on behalf of the Controller.
Data Subject: An individual whose Personal Data is processed.
Personal Data: Any information relating to an identified or identifiable individual.
Processing: Any operation performed on Personal Data, such as collection, storage, use, transfer, or deletion.
Sub-processor: Any third party engaged by the Processor to assist in processing Personal Data.
Data Protection Laws: Applicable data protection and privacy laws, including GDPR, CCPA, and any other relevant regulations.

2. Scope and Purpose of Data Processing

Almarise will process Personal Data solely to provide services and support under the EULA in accordance with the Customer’s documented instructions as set forth in this DPA. This processing includes, but is not limited to:

Provision of Services: Enabling application features and functionalities.
Technical Support: Providing support services.
Analytics and Improvements: Aggregating and anonymizing data to improve product performance.

3. Duration of Processing

Almarise will process Personal Data for the duration of the EULA between Almarise and the Customer or until data deletion or anonymization as directed by the Controller.

4. Categories of Data Subjects

The categories of Data Subjects include:

Employees and Authorized Users: Users within the Customer’s organization.
Customer Representatives: Employees or contractors who interact with Almarise’s services.

5. Types of Personal Data Processed

Almarise may process the following types of Personal Data:

Identifiers: Names, email addresses, IP addresses.
Usage Data: Log files, device data, in-app activity.
Support Data: Information provided during support interactions.

6. Obligations of the Controller

The Customer, as Controller, shall:

Comply with applicable data protection laws.
Provide lawful instructions for processing.
Notify Almarise of data subject requests requiring Processor action.
Limit data processed to lawful purposes only.

7. Obligations of the Processor

Almarise, as Processor, agrees to:

Process data only on documented instructions.
Implement appropriate security measures.
Ensure all authorized personnel are committed to confidentiality.
Notify Controller if an instruction violates applicable law.

8. Security Measures

Almarise will implement robust security measures, including:

Encryption: SSL/TLS encryption for data in transit.
Access Controls: Access restricted to authorized personnel.
Regular Assessments: Conduct regular vulnerability scans.
Incident Response: Formal protocols for investigating and responding to security incidents.

8.1 Specific Security Measures

Physical Security: Access controls at data centers.
Data Segmentation: Segregation of data environments to limit access.
Data Integrity: Automated checks to verify data accuracy.
Security Training: Annual training for personnel on data protection best practices.

8.2 Data Breach Notification

In the event of a data breach, Almarise will notify the Controller within 48 hours of becoming aware, including details on the nature, impact, and mitigation steps taken.

9. Sub-processors

9.1 Authorization of Sub-processors

Almarise engages the following internal and external Sub-processors to assist in providing services:

Type	Name	Link	Location	Purpose
External	Amazon Web Services (AWS)	https://www.amazon.com	United States of America, Germany	Cloud Hosting
External	MongoDB, Inc.	https://www.mongodb.com	United States of America, Germany	Data Hosting
Internal	Promity Sp. z o.o.	https://promity.com/	Poland	Log Management

9.2 Right to Object to Sub-processors

In case of adding a new Sub-processors, The Controller has the right to object to them within 10 business days of notice. In case of objection, Almarise will work with the Controller to resolve the issue or provide an option to terminate the affected services.

9.3 Sub-processor Obligations

Almarise will ensure all Sub-processors are contractually bound by terms similar to this DPA, ensuring they implement equivalent data protection standards.

10. Data Subject Rights

Almarise will assist the Controller in fulfilling its obligation to respond to Data Subject requests, including requests for:

Access: Providing access to Personal Data.
Correction: Correcting inaccurate or incomplete data.
Deletion: Deleting data upon request and lawful grounds.
Restriction: Limiting processing under certain conditions.

10.1 Handling Data Subject Requests

Upon receiving a request directly from a Data Subject, Almarise will promptly notify the Controller unless legally prohibited. The Controller is responsible for responding to Data Subject requests.

11. International Data Transfers

Almarise will not transfer Personal Data outside the European Economic Area (EEA) without implementing adequate safeguards, such as Standard Contractual Clauses (SCCs) or other recognized mechanisms under GDPR.

12. Data Retention and Deletion

Upon termination of the EULA, Almarise will:

Return or delete all Personal Data, unless retention is required by law.
Confirm data deletion upon the Controller’s request.
Retain backup copies temporarily per secure deletion protocols.

13. Confidentiality

Almarise and all personnel involved in processing Personal Data are committed to maintaining strict confidentiality. This confidentiality obligation survives the termination of this DPA.

14. Audit Rights

14.1 Information Requests

The Controller may request documentation, security certifications, or audit reports to demonstrate Almarise’s compliance with this DPA.

14.2 Audits

The Controller may audit Almarise’s compliance with this DPA once per year or upon identifying a substantiated security concern. Audits must be conducted with reasonable notice and during regular business hours.

15. Liability and Indemnification

Each party’s liability under this DPA is subject to the liability limitations set forth in the EULA. Almarise shall not be liable for any claims arising from the Controller’s failure to comply with its data protection obligations.

16. Governing Law and Jurisdiction

This DPA is governed by the laws of the Republic of Poland. Disputes arising out of this DPA are subject to the exclusive jurisdiction of the courts in Warsaw, Poland.

17. Jurisdiction-Specific Terms

If required by applicable laws, additional terms will apply to data processing for residents of specific jurisdictions, such as California under the CCPA. Almarise agrees to cooperate in good faith to ensure compliance.

18. Entire Agreement and Amendments

This DPA, together with the EULA, constitutes the entire agreement between the parties regarding data processing. Amendments must be in writing and signed by both parties.

19. Severability

If any provision of this DPA is held invalid, the remaining provisions shall remain in full force and effect.

20. Contact Information