Data Processing Agreement (DPA)
Effective Date: 12.12.2024
This Data Processing Agreement (“DPA”) forms part of the End User License Agreement (the “EULA”) between the Almarise Entity identified below ("Almarise", "we," "our,", "us" or “Processor”) and its Customers (“Controller”) governing the processing of Personal Data in connection with Almarise’s products.
We sell our Products through two affiliated entities (each an “Almarise Entity ”):
| If you license: | the Licensor will be: |
AppTime | Almarise Robert Dzido S.K.A Owalna 43 05-420 Józefów, Poland |
Secure Fields SLA PowerBox Workflow PowerBox Visual Links Automated Attachments Groups Plus PULSE Component Picker Announcement Feeds Secure Pages for Confluence Gate GPT Project Field Manager Idea Hub Communities for Jira | Promity Sp z o.o. ul. Wiejska 14/25 00-732 Warsaw, Poland |
1. Definitions
For the purposes of this DPA, the following definitions apply:
- Controller: The entity that determines the purposes and means of processing Personal Data.
- Processor: The entity that processes Personal Data on behalf of the Controller.
- Data Subject: An individual whose Personal Data is processed.
- Personal Data: Any information relating to an identified or identifiable individual.
- Processing: Any operation performed on Personal Data, such as collection, storage, use, transfer, or deletion.
- Sub-processor: Any third party engaged by the Processor to assist in processing Personal Data.
- Data Protection Laws: Applicable data protection and privacy laws, including GDPR, CCPA, and any other relevant regulations.
2. Scope and Purpose of Data Processing
Almarise will process Personal Data solely to provide services and support under the EULA in accordance with the Customer’s documented instructions as set forth in this DPA. This processing includes, but is not limited to:
- Provision of Services: Enabling application features and functionalities.
- Technical Support: Providing support services.
- Analytics and Improvements: Aggregating and anonymizing data to improve product performance.
3. Duration of Processing
Almarise will process Personal Data for the duration of the EULA between Almarise and the Customer or until data deletion or anonymization as directed by the Controller.
4. Categories of Data Subjects
The categories of Data Subjects include:
- Employees and Authorized Users: Users within the Customer’s organization.
- Customer Representatives: Employees or contractors who interact with Almarise’s services.
5. Types of Personal Data Processed
Almarise may process the following types of Personal Data:
- Identifiers: Names, email addresses, IP addresses.
- Usage Data: Log files, device data, in-app activity.
- Support Data: Information provided during support interactions.
6. Obligations of the Controller
The Customer, as Controller, shall:
- Comply with applicable data protection laws.
- Provide lawful instructions for processing.
- Notify Almarise of data subject requests requiring Processor action.
- Limit data processed to lawful purposes only.
7. Obligations of the Processor
Almarise, as Processor, agrees to:
- Process data only on documented instructions.
- Implement appropriate security measures.
- Ensure all authorized personnel are committed to confidentiality.
- Notify Controller if an instruction violates applicable law.
8. Security Measures
Almarise will implement robust security measures, including:
- Encryption: SSL/TLS encryption for data in transit.
- Access Controls: Access restricted to authorized personnel.
- Regular Assessments: Conduct regular vulnerability scans.
- Incident Response: Formal protocols for investigating and responding to security incidents.
8.1 Specific Security Measures
- Physical Security: Access controls at data centers.
- Data Segmentation: Segregation of data environments to limit access.
- Data Integrity: Automated checks to verify data accuracy.
- Security Training: Annual training for personnel on data protection best practices.
8.2 Data Breach Notification
In the event of a data breach, Almarise will notify the Controller within 48 hours of becoming aware, including details on the nature, impact, and mitigation steps taken.
9. Sub-processors
9.1 Authorization of Sub-processors
Almarise engages the following internal and external Sub-processors to assist in providing services:
Type | Name | Link | Location | Purpose |
|---|---|---|---|---|
| External | Amazon Web Services (AWS) | https://www.amazon.com | United States of America, Germany | Cloud Hosting |
| External | MongoDB, Inc. | https://www.mongodb.com | United States of America, Germany | Data Hosting |
| Internal | Promity Sp. z o.o. | https://promity.com/ | Poland | Log Management |
9.2 Right to Object to Sub-processors
In case of adding a new Sub-processors, The Controller has the right to object to them within 10 business days of notice. In case of objection, Almarise will work with the Controller to resolve the issue or provide an option to terminate the affected services.
9.3 Sub-processor Obligations
Almarise will ensure all Sub-processors are contractually bound by terms similar to this DPA, ensuring they implement equivalent data protection standards.
10. Data Subject Rights
Almarise will assist the Controller in fulfilling its obligation to respond to Data Subject requests, including requests for:
- Access: Providing access to Personal Data.
- Correction: Correcting inaccurate or incomplete data.
- Deletion: Deleting data upon request and lawful grounds.
- Restriction: Limiting processing under certain conditions.
10.1 Handling Data Subject Requests
Upon receiving a request directly from a Data Subject, Almarise will promptly notify the Controller unless legally prohibited. The Controller is responsible for responding to Data Subject requests.
11. International Data Transfers
Almarise will not transfer Personal Data outside the European Economic Area (EEA) without implementing adequate safeguards, such as Standard Contractual Clauses (SCCs) or other recognized mechanisms under GDPR.
12. Data Retention and Deletion
Upon termination of the EULA, Almarise will:
- Return or delete all Personal Data, unless retention is required by law.
- Confirm data deletion upon the Controller’s request.
- Retain backup copies temporarily per secure deletion protocols.
13. Confidentiality
Almarise and all personnel involved in processing Personal Data are committed to maintaining strict confidentiality. This confidentiality obligation survives the termination of this DPA.
14. Audit Rights
14.1 Information Requests
The Controller may request documentation, security certifications, or audit reports to demonstrate Almarise’s compliance with this DPA.
14.2 Audits
The Controller may audit Almarise’s compliance with this DPA once per year or upon identifying a substantiated security concern. Audits must be conducted with reasonable notice and during regular business hours.
15. Liability and Indemnification
Each party’s liability under this DPA is subject to the liability limitations set forth in the EULA. Almarise shall not be liable for any claims arising from the Controller’s failure to comply with its data protection obligations.
16. Governing Law and Jurisdiction
This DPA is governed by the laws of the Republic of Poland. Disputes arising out of this DPA are subject to the exclusive jurisdiction of the courts in Warsaw, Poland.
17. Jurisdiction-Specific Terms
If required by applicable laws, additional terms will apply to data processing for residents of specific jurisdictions, such as California under the CCPA. Almarise agrees to cooperate in good faith to ensure compliance.
18. Entire Agreement and Amendments
This DPA, together with the EULA, constitutes the entire agreement between the parties regarding data processing. Amendments must be in writing and signed by both parties.
19. Severability
If any provision of this DPA is held invalid, the remaining provisions shall remain in full force and effect.
Contact Information
Almarise Robert Dzido S.K.A
Email: privacy@almarise.com
Address: Owalna 43, 05-420 Józefów, Poland
Phone: +48 (22) 354 63 13