Data Processing Entrustment Agreement (DPA)

eAuditor Cloud-Ver.1.3 / Polish / 18.12.2025

Introduction

This Agreement applies to the “eAuditor cloud®” service (hereinafter referred to as the “Service”) made available on the Internet at https://app.eauditor.eu.

The Parties agree that this Personal Data Processing Entrustment Agreement (the “Agreement”) sets forth their respective obligations with respect to the processing and security of data and personal data on behalf of the Administrator, for the purpose of processing data in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter: RODO, i.e. the GDPR).

The Agreement is an integral part of the Terms of Service. In addition, the parties agree that unless a separate agreement has been entered into, this Agreement shall govern data processing and security.

The Agreement sets out the rules of operation and use of the Service administered by BTC Limited Liability Company (hereinafter referred to as “Processor” or “BTC”) with its registered office in Szczecin, at 38 1 Maja Street, 71-617 Szczecin, registered in the National Court Register under the number 00000129373.

This Agreement is entered into electronically as a result of the Administrator’s acceptance of the contents of the Agreement in the process of purchasing the Service and shall become effective upon acceptance.

Restrictions on updates

When the Customer acquires a new subscription or renews an existing subscription, the provisions of the Data Processing Entrustment Agreement (DPA) then in effect shall apply and shall not change for the duration of the subscription.

New features, additions or related software

Notwithstanding the upgrade provisions set forth above, if new (i.e., not previously part of the Service) features, additions or related programs are introduced, BTC may introduce new or update existing provisions in the Agreement applicable to Customer’s use of such new features, additions or related programs.

If these provisions alter the Agreement in any material adverse way, BTC will provide the Customer with a choice regarding the use of the new features, additions or related software without loss of existing features. If the Customer does not install or use the new features, add-ons or related software, the relevant new provisions will not apply.

Electronic notifications

BTC may provide the Customer with information and notifications regarding the Service electronically, including by email, on the Service portal or on the designated website. The notification shall be deemed delivered as of the date it is made available by BTC.

Earlier versions

This version of the Agreement contains the provisions applicable to the Service as currently available. Earlier versions of the Agreement may be found at https://eauditor.eu/cloud/data-protection-addendum-dpa.

Definitions

The following defined terms are used in this Agreement:

– Administrator (Customer) – an entity that creates an Account and purchases a subscription to the Service;

– Account – a physically and/or logically separate instance dedicated exclusively to a single business entity, in which data and documents are recorded and stored;

– Customer (Administrator) – the entity entering into this Agreement;

– Data – any data, including files containing text, sounds, software, images and videos, provided to BTC by or on behalf of the Customer as a result of using the Service;

– Personal Data – information about an identified or identifiable natural person. An identifiable natural person is one who can be identified directly or indirectly, in particular by means of an identifier such as a name, an identification number, location data, an Internet identifier or one or more specific factors that determine the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.

§ 1 Subject matter of the Agreement

1. The Agreement sets forth the terms and conditions for entrusting the Processor with the processing of personal data in connection with the provision by the Processor of the Service to the Administrator under the Subscription purchased by the Administrator.

2. The Administrator declares that it is the controller of the personal data entrusted to the Processor under the Agreement.

3. The Processor declares that it provides sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of the RODO and protects the rights of data subjects.

4. The Administrator entrusts the Processor with the processing of personal data on behalf of the Administrator and the Processor undertakes to process the entrusted personal data in accordance with the law and the provisions of the Agreement including due diligence.

§ 2 Processing of personal data

1. The Processor shall process the personal data entrusted by the Administrator for the purpose of providing the Service. Technical documentation, user documentation and regulations and policies can be found at: https://app.eauditor.eu.

2. The scope of personal data processing shall include the following categories of personal data with respect to the following categories of persons: employees; data categories: first name, last name, e-mail address, IP address; documents in any form stored in the Service by the Administrator; inventory data; data from monitoring the activity of employees, computers and networks; computer location data; names of printed documents.

3. The Processor may process personal data only to the extent and for the purpose provided for in the Agreement.

4. The Processor shall process personal data only on the documented order of the Administrator, unless such obligation is imposed on the Processor by the law of the European Union or the law of the Member State to which the Processor is subject, in which case the Processor shall inform the Administrator of such legal obligation prior to the processing, unless such law prohibits such information on the grounds of important public interest. A documented order should be understood as the personal data processing activities ordered under this Agreement and the Terms of Service.

5. The processing of personal data shall be carried out during the term of the Service Subscription, subject to paragraph 6.

6. The Processor may process personal data also after the termination of the Service (in particular, after the expiration, cancellation or termination of the Subscription), but only to the extent that the processing is necessary for the pursuit of the legitimate interests of the Administrator or the Processor, or necessary for the Administrator or the Processor to comply with its obligations under the law.

§ 3 Responsibilities of the Processor

1. The Processor undertakes to ensure that persons authorized to process personal data keep the data and the security methods confidential, both during the provision of the Service to the Administrator and after its termination.

2. The Processor shall take all measures required under Article 32 of the RODO.

3. The Processor undertakes to assist the Administrator in fulfilling its obligations referred to in Articles 32 – 36 of the RODO, in particular:

a. ensure an adequate level of security of the personal data processed,

b. provide the Administrator with information about detected data protection violations immediately, but no later than 24 hours after their discovery.

4. The Processor undertakes to delete the personal data entrusted to it as soon as the purpose of processing ceases, but no later than 14 days after the termination of the provision of the Service to the Administrator (in particular, after the expiration, cancellation or termination of the Subscription), unless the law of the Union or the Member State to which the Processor is subject prescribes the retention of personal data.

5. In the absence of instructions from the Administrator, the Processor may request the Administrator to provide guidance on further handling of the data.

6. The Processor shall make available to the Administrator all information necessary to demonstrate compliance with the obligations set forth in the Agreement and shall allow the Administrator or an auditor authorized by the Administrator to conduct audits, including inspections.

7. In connection with the obligation set forth in paragraph (5), the Processor shall immediately inform the Administrator if, in its opinion, an order issued to it constitutes a violation of the RODO or other provisions of the Union or the Member State to which the Processor is subject on the protection of personal data.

8. The Processor may use personal data to contact the Administrator to the extent necessary to provide the Service and ensure the security of the Service (e.g. service notifications, incidents, technical change notices, Service performance reports).

9. The Processor may use personal data to inform the Administrator about changes to the Service, new versions of the Service, new options and products. It is possible to opt out of receiving these messages by clicking on the opt-out link in the email received, following the instructions contained therein, or contacting the Processor. Third-party service providers may be used to manage the sending of marketing emails, such as:

– Mailerlite – Privacy Policy available at: https://www.mailerlite.com/pl/legal/privacy-policy.

10. The Processor may offer paid products and/or services as part of the Service. In such cases, payment processing is done through third-party providers (payment processors). The Processor does not store or collect payment card data; this information is transferred directly to the third-party payment processors, whose handling of it is governed by their own Privacy Policies. These payment processors are subject to the PCI DSS standard administered by the PCI Security Standards Council, a joint initiative of card brands such as Visa, Mastercard, American Express and Discover; PCI DSS requirements govern the secure processing of payment card data. The Processor may use providers such as:

– Stripe – Privacy Policy available at: https://stripe.com/en-pl/privacy.

11. Other than to the entities indicated above, the Processor is not authorized to transfer personal data to a third country or international organization outside the European Economic Area. The Processor shall not use subcontractors that transfer personal data outside the European Economic Area. If, in the course of the performance of the Agreement or the Master Agreement, the Processor intends or is required to transfer personal data outside the European Economic Area, the Processor shall inform the Administrator in order to enable the Administrator to take the measures necessary to ensure the lawfulness of the processing or to terminate the entrustment of the processing.

§ 4 Further entrustment of personal data processing

1. The Administrator shall allow the Processor to further entrust the processing of personal data within the European Economic Area, subject to paragraphs (2) and (4).

2. The Processor may not delegate the entire performance of the Agreement to a subcontractor.

3. Further entrustment of processing shall take place on the basis of an agreement entered into by the Processor with the subcontractor, imposing on the subcontractor the same obligations and granting the Administrator the same rights against the subcontractor as under the Agreement, in particular the subcontractor’s obligation to provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing complies with the requirements of the RODO, and the Administrator’s right to control how the subcontractor processes the entrusted personal data.

4. The Processor shall inform the Administrator of its intention to further entrust personal data at least 7 days before the further entrustment of processing. In the absence of an express objection from the Administrator, such notice shall be deemed consent to the further entrustment of personal data processing.

5. The Processor shall inform the Administrator of the termination of the agreement under which the further entrustment of personal data processing has occurred.

6. The Processor shall make information about sub-processors available at http://euditor.eu/cloud.

§ 5 Right of control

1. Subject to § 3(6) of the Agreement, the Administrator shall be entitled to control the processing of entrusted personal data by the Processor.

2. The Administrator shall inform the Processor of the planned audit at least 7 days prior to its commencement.

3. The audit may be conducted by an authorized employee of the Administrator or an auditor authorized by the Administrator.

4. As part of the audit, the Administrator has the right to:

a. inspect documents and information relevant to the entrustment of personal data processing;

b. carry out an inspection of devices, media, and IT or data communication systems used for the processing of entrusted personal data, insofar as such action results from reasonable doubts of the Administrator;

c. obtain written or oral explanations to the extent necessary to establish the facts.

5. Upon completion of the audit, the Administrator shall present the audit results to the Processor. The Processor may raise objections to the Administrator to the audit results within 7 days of receipt.

6. In the event of negative audit results, the Administrator and the Processor agree to take joint action to rectify the irregularities and ensure the correctness of further processing of personal data by the Processor.

§ 6 Liability

1. The Processor shall be liable to the Administrator for damages caused by its act or omission in connection with the failure to comply with the obligations that the RODO directly imposes on the Processor or when it acted outside of or contrary to the lawful instructions of the Administrator.

2. The Processor shall be liable to the Administrator for the subcontractor’s acts and omissions as if they were its own, in particular for failure to comply with its data protection obligations.

§ 7 Duration of the Agreement

1. The Agreement is entered into for the duration of the provision of the Service to the Administrator. The Agreement enters into force upon the purchase of the Subscription and the acceptance of its terms by the Administrator. The processing of personal data shall last until the date of fulfillment of the obligation to return or delete personal data in accordance with § 3(4), and until that time the provisions of the Agreement shall apply accordingly.

2. The Parties jointly declare that entrusting the Processor with the processing of personal data covered by the Agreement is voluntary, but necessary for the Processor to properly perform the Service for the Administrator. During the Subscription period, the Parties jointly exclude the possibility of termination or cancellation of the Agreement without simultaneous termination of the Service to the Administrator.

3. A breach of the Agreement by the Processor shall constitute a valid reason entitling the Administrator to demand the immediate cessation of the processing of personal data and the termination of the Service provided by the Processor (including cancellation of the Subscription), without prejudice to the Administrator’s rights under the law.

§ 8 Final provisions

1. In the event of a discrepancy between the provisions of the Agreement and other terms of the Service (including the terms of the Subscription), the provisions of the Agreement shall prevail.

2. In matters not regulated by this Agreement, the provisions of RODO and Polish law shall apply.

3. Disputes arising from the Agreement shall be resolved by the court having jurisdiction over the Processor’s registered office.

4. Any amendments to this Agreement shall be made in electronic form under pain of nullity.

5. The Agreement shall be concluded in electronic form and shall be recorded in the Processor’s ICT system; the Parties acknowledge that the acceptance of the Agreement made in the process of account registration and/or Subscription activation (including checkbox selection) is equivalent to the submission of declarations of intent in documentary form.