Data Processing Agreement

Last Updated: August 16, 2024

This Data Processing Agreement (“Agreement”) is incorporated into and forms part of the Terms of Service (“Terms”) between the parties, namely you (the “Company”) and Determ d.o.o. (the “Processor”), collectively referred to as the “Parties.”

RECITALS

(A) The Company functions as the Data Controller.
(B) The Company intends to delegate certain Services involving the processing of personal data to the Processor.
(C) The Parties wish to establish a data processing agreement compliant with relevant Data Protection Laws (as defined below).
(D) The Parties seek to outline their respective rights and obligations.

AGREEMENT

1. Definitions and Interpretation
Unless otherwise stated, capitalized terms and expressions in this Agreement are defined as follows:

  • “Agreement” refers to this Data Processing Agreement and all associated Annexes;
  • “Company Personal Data” means any Personal Data provided to or processed by the Processor on behalf of the Company in relation to or in connection with the Principal Agreement;
  • “Data Protection Laws” encompasses all applicable laws related to the processing of Personal Data and privacy within any relevant jurisdiction, including European Data Protection Laws;
  • “EEA” refers to the European Economic Area;
  • “EU Personal Data” means the processing of Personal Data to which data protection legislation of the European Union, or any Member State of the European Union or EEA, was applicable prior to processing by the Processor;
  • “European Data Protection Laws” includes the GDPR, UK Data Protection Act 2018, UK GDPR, ePrivacy Directive 2002/58/EC, FADP, and any related or supplementary legislation in force within the EU, EEA, Member States, and the United Kingdom, as amended, replaced, or superseded from time to time;
  • “GDPR” refers to the General Data Protection Regulation (EU) 2016/679;
  • “UK GDPR” means the General Data Protection Regulation (EU) 2016/679 as applicable within UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended);
  • “Protected Area” refers to (i) for EU Personal Data, the EU Member States, the EEA, and any country, territory, sector, or international organization with an adequacy decision under Art 45 GDPR, or (ii) for UK Personal Data, the United Kingdom and any country, territory, sector, or international organization recognized as adequate under UK adequacy regulations, or (iii) for Swiss Personal Data, any country, territory, sector, or international organization recognized as adequate by the FDPIC or the Swiss Federal Council;
  • “Services” refers to the products and services provided by the Processor;
  • “Subprocessor” means any entity appointed by or on behalf of the Processor to process Personal Data on behalf of the Company in connection with this Agreement.

The terms “Controller,” “Data Subject,” “Member State,” “Personal Data,” “Personal Data Breach,” “Processing,” and “Supervisory Authority” shall have the meanings assigned to them in the GDPR and UK GDPR, with related terms construed accordingly.

2. Processing of Company Personal Data

  • Company Obligations:
    • The Company shall ensure that all data, including but not limited to Company Personal Data, is collected, processed, transferred, and used in full compliance with Data Protection Laws.
    • The Company is responsible for obtaining all necessary authorizations and consents from Data Subjects to process Company Personal Data, including consents required to meet the cookie requirements in the ePrivacy Directive 2002/58/EC and any related national legislation.
    • The Company instructs the Processor to process Company Personal Data.
  • Processor Obligations:
    • The Processor shall comply with all applicable Data Protection Laws in the processing of Company Personal Data.
    • The Processor shall not process Company Personal Data except as instructed by the Company, including data transfers outside the Protected Area, unless required by applicable laws to which the Processor is subject. In such cases, the Processor will inform the Company of the legal requirement before processing, unless prohibited by law on significant public interest grounds.
    • The Processor will notify the Company immediately if it believes that any instruction given by the Company for the processing of Personal Data infringes applicable Data Protection Laws, though it is not obliged to undertake additional work or screening to verify compliance.

3. Processor Personnel
The Processor shall take reasonable steps to ensure the reliability of personnel with access to Company Personal Data, ensuring all such individuals are bound by confidentiality obligations or statutory confidentiality duties regarding the Company Personal Data.

4. Security Measures
Taking into account the current state of technology, implementation costs, and the nature, scope, context, and purposes of Processing, as well as the risk to the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, where applicable, the measures specified in Article 32(1) of the GDPR and UK GDPR.

5. Subprocessing
The Company grants the Processor general authorization to engage Subprocessors. The Processor shall enter into a written agreement with each Subprocessor, imposing data protection obligations equivalent to those set out in this Agreement. The Processor remains fully liable to the Company for the Subprocessor’s performance of its data protection obligations.

The Processor will notify the Company at least fourteen (14) days in advance of any updates to the list of Subprocessors (Annex I). If the Company objects to a Subprocessor, it must notify the Processor in writing within seven (7) days of receiving the updated list. If the Company’s objections cannot be resolved within thirty (30) days, the Company may terminate the portion of the Services involving the Subprocessor without penalty.

6. Data Subject Rights and Cooperation

  • The Processor shall assist the Company, where possible, with implementing appropriate technical and organizational measures to meet the Company’s obligations under applicable Data Protection Laws, particularly in responding to Data Subject rights requests.
  • The Processor shall notify the Company if it receives a request from a Data Subject and shall not respond to such a request without the Company’s documented instructions, except as required by applicable law.

7. Personal Data Breach Notification
The Processor shall notify the Company without undue delay upon becoming aware of a Personal Data Breach affecting Company Personal Data. The Processor will provide sufficient information to enable the Company to comply with its obligations to report or notify Data Subjects or Supervisory Authorities under applicable Data Protection Laws.

8. Audits
The Processor shall provide the Company with all necessary information to demonstrate compliance with this Agreement and, at the Company’s expense, allow for and contribute to audits or inspections by the Company to assess compliance with this Agreement.

9. Deletion or Return of Company Personal Data
Upon request from the Company, the Processor shall, within 20 business days following the cessation of any Services involving the processing of Company Personal Data, return or delete all copies of the Company Personal Data unless applicable law requires its retention.

10. General Terms

10.1 Confidentiality
This Agreement and any information related to the data processing activities covered herein are not confidential and may be disclosed publicly. However, any specific communications, data, or materials exchanged between the Company and the Processor that are not part of this publicly available Agreement shall be treated as confidential. Such information must not be disclosed without the prior written consent of the other Party, except where disclosure is required by law or where the information has already entered the public domain through no fault of the receiving Party.

10.2 Notices
All notices, requests, and other communications required or permitted under this Agreement shall be in writing. For matters related to this Agreement, the Company may contact the Processor via the contact form on the Processor’s website or by sending an email to support@determ.com. The Processor shall send any notices to the Company using the contact information provided by the Company in their account settings or registration details. Notices sent by email shall be deemed received on the day of transmission if sent during normal business hours, and on the next business day if sent outside such hours.

10.3 Governing Law and Jurisdiction
This Agreement is governed by the laws of Croatia. Any disputes arising under or in connection with this Agreement shall be resolved exclusively in the courts of Croatia.

ANNEX I

Subprocessors

  • Amazon Web Services (Amazon Web Services Inc.) – Cloud service provider
  • Beamer (Beamer Inc.) – User engagement and product updates
  • Braintree (Braintree, a division of PayPal Inc.) – Payment processing
  • Calendly (Calendly LLC) – Scheduling and managing meetings
  • Google Analytics (Google LLC) – Website traffic analysis
  • Hotjar (Hotjar LTD) – User behavior analytics
  • Intercom (Intercom Inc.) – Customer messaging and support
  • Mixpanel (Mixpanel Inc.) – Product analytics
  • Paddle (Paddle.com Market Limited) – Payment processing
  • Pipedrive (Pipedrive OÜ) – Customer relationship management (CRM)
  • Plausible (Plausible Insights OÜ) – Website analytics
  • Posthog (Posthog Inc.) – Product analytics
  • Postmark (Wildbit LLC) – Email delivery and transactional emails
  • Taxamo (Taxamo Checkout Limited) – Tax compliance for digital services
  • tldv.io (TLDV Inc.) – Call recordings for sales meetings
  • Userflow (Userflow Inc.) – User onboarding and product tours
  • Wootric (Wootric Inc.) – Customer feedback and Net Promoter Score (NPS) tracking