This Data Processing Agreement (“Agreement”) forms part of, and is subject to the provisions of, the Roistat Agreement for Services between you (“Client, Controller”) and Roistat, Inc., a Delaware corporation (“Company, Processor”), together as the “Parties”.


(A) The Client acts as a Controller.

(B) The Client entered into the Agreement for Services with the Company to receive Services, which imply the processing of personal data. The Company acts as a Processor.

(C) The Parties seek to implement a Agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR).

(D) The agreement is concluded by the Parties only in relation to those personal data processed when receiving Services that are subject to GDPR compliance requirements.

(E) If Controller do not agree with terms of Agreement, Controller should discontinue use of the Services immediately. Terms not defined here have the meanings set forth in the Agreement for Services and applicable legislation.

The following definitions apply solely to this Agreement:

(A). The terms “Controller”, “data subject”, “personal data”, “process,” “processing” and “Processor” have the meanings given to these terms in Data Protection Law.

(B). “Data Protection Law” means all applicable EU and US Data Protection Laws, including GDPR, and, to the extent applicable, the data protection or privacy laws of any other country.

(C). “Data Transfer” means: 1. a transfer of Client Personal Data from the Client to a Processor; or 2 an onward transfer of Client Personal Data from a Processor to a Sub-Processor, or between two establishments of a Processor.

(D). “Sub-Processor” means an entity engaged by the Company to process personal data.

1. Processing of personal data

The Processor processes personal data on behalf of the Controller in connection with the Agreement for services concluded by the Parties. Personal Data will be Processed for the duration of the Agreement and, when required by applicable law, after termination of the Agreement.. The scope and goals of processing are determined exclusively by the Controller. Depending on the Controller's wishes, the Processor can process the following personal data:

• Name

• Phone Number

• Email Address

• Slack ID

• Skype ID

• Telegram ID

• Profile photo (avatar)

• Payment details

• IP address

• Cookies

• Other electronic data submitted, stored, sent or received via respective website.

Categories of data subjects (in accordance with the definition in Article 4 No. 1 of the GDPR): Data subjects are Controllers, other users of the Services. Data subjects also can be Controller`s personnel, representatives, contractors or partners.

Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Sub-processor who may have access to the Client's Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know and/or access the relevant Client's Personal Data, as strictly necessary for the purposes of the Agreement for Services and to comply with applicable laws in the context of that individual’s duties to the Sub-processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality. The processor, while technically managing the Site, processes personal data in systems located in countries, including the US, on behalf of the Controller. The scope and goals of processing are determined exclusively by the Controller. The Controller must ensure that the personal data subjects consent to such processing, including the cross-border transfer of personal data.

2. Rights, Duties and Powers of Instruction of the Controller

The Controller shall alone be responsible for assessing the lawfulness of processing pursuant to Article 6(1) of the GDPR and other Data Protection Laws and for safeguarding the rights of data subjects in accordance with Articles 12-22 of the GDPR and other Data Protection Modifications of the subject of processing and changes in procedures are to be coordinated between the Controller and the Processor and defined in a documented electronic format. The Controller shall generally issue all instructions in a documented electronic format. Verbal instructions are to be confirmed in a documented electronic format without undue delay. The Controller shall notify the Processor without undue delay if the Controller finds errors or irregularities when reviewing the results of the processing. The Controller shall be obligated to treat all knowledge of business secrets and data security measures of the Processor obtained thereby within the framework of the contractual relationship confidentially. This obligation shall remain in effect even after the termination of this Agreement. For the avoidance of doubt, Controller’s instructions for the processing of personal data shall comply with the Data Protection Law.

3. Duties of the Processor

The Processor shall process personal data exclusively within the bounds of the agreements reached by the Parties and the Controller's instructions, unless it is obligated to conduct processing otherwise by the applicable laws which the Processor is subject (e.g. investigations by law enforcement and state security authorities). The Company's Services are provided exclusively in electronic form. Physical media that may contain personal data are not to be used. The Processor shall inform the Controller without undue delay if, in its opinion, an instruction issued by the Controller violates statutory provisions (including Article 28(3) Sentence 3 of the GDPR) and otherwise infringes the Data Protection Law. The Processor shall be entitled to delay performance of the relevant instruction until it is confirmed or amended by the Controller's after review. The Processor shall be required to modify, delete or restrict processing of personal data arising from the contractual relationship if the Controller makes such request by means of an instruction unless such is opposed by legitimate interests of the Processor.

4. Processor's Notification Duties in the Event of Disruptions in Processing and Breaches of the Protection of Personal Data:

The Processor shall notify the Controller by posting on without undue delay of disruptions and violations by the Processor or the persons employed by it of provisions of Data Protection Law or the provisions of the Agreement, as well as of the suspicion of data protection violations or irregularities in the processing of personal data. This shall apply above all with respect to possible notification and communication obligations of the Controller in accordance with Article 33 and Article 34 of the GDPR. The Processor hereby warrants that it will adequately assist the Controller with its obligations in accordance with Article 33 and Article 34 of the GDPR (Article 28(3) Sentence 2 character “f” of the GDPR).

5. Relationships with Subcontractors

The Controller, pursuant to article 28 (2) of the GDPR, grants the Processor general authorisation to engage third parties and/or Sub-Processor personal data in accordance with this Agreement. The Processor is responsible for these third parties and/or subcontractors and shall impose upon the third parties and/or Sub-Processor the same conditions, duties and responsibilities as mentioned in this Agreement. The provisions of this Section shall mutually apply if the Processor engages a sub-processor in a country outside the EU and/or the European Economic Area (“EEA”) not recognized by the European Commission as providing an adequate level of protection for personal data. If, in the performance of this Agreement, Processor transfers any personal data to a sub-processor located outside of the EU and/or the EEA, Processor shall, in advance of any such transfer, ensure that a legal mechanism to achieve adequacy in respect of that processing is in place.

6. Technical and Organizational Measures

Processor shall take the appropriate technical and organizational measures to adequately protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. A level of security adequate to the risk for the rights and freedoms of natural persons affected by the specific processing shall be ensured. To this end the Processor takes all necessary measures to protect personal data, including, if necessary, the measures specified in Article 32(1) of the GDPR, such as the confidentiality, integrity and availability of systems and services and the resilience thereof with regard to the nature, scope, context and purpose of the processing. Upon written request from the Controller, and no more than once per calendar year, the Processor will make available to the Controller all information necessary to demonstrate compliance with its obligations under the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Any reviews of information, audits, or inspections conducted pursuant to this Section shall be at the Controller’s sole expense. Information and audit rights of the Client only arise under this section to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.

7. Data Subject Requests

Processor will provide reasonable assistance, including by appropriate technical and organizational measures and taking into account the nature of the processing, to enable Controller to respond to any request from data subjects. If such request is made directly to Processor, Processor will promptly inform Controller and will advise data subjects to submit their request to the Controller. Controller shall be solely responsible for responding to any data subjects’ requests. Controller shall reimburse Processor for the costs arising from this assistance.

8. Data Transfers

Controller acknowledges and agrees that, in connection with the performance of the services under this Agreement, personal data may be transferred outside the EU and/or the EEA for processing by Sub-Processors. The Standard Contractual Clauses pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, will apply with respect to personal data that is transferred outside the EU and/or the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the Data Protection Law). For the purposes of such transfer, the Controller must obtain the appropriate consent from the subjects of personal data in the manner and under the conditions provided for by the Data Protection Law.

9. Liability

The Processor is responsible for the implementation of the measures as set out in this Agreement. The Controller indemnifies the Processor against claims of third parties, including data protection authorities, ensuing for any reason whatsoever from the Processing of Personal Data as set out in this Data Processing Agreement. Any liability of the Processor on account of imputable failure to perform the agreement or on any other ground, is governed by the limitation of liability as agreed upon in the Roistat Agreement for Services.

10. Deletion or Retrieval of Personal Data

Other than to the extent required to comply with legislation, following termination or expiry of the Agreement, Processor will delete all personal data (including copies thereof) processed pursuant to this Agreement. If Processor is unable to delete personal data for technical or other reasons, Processor will apply measures to ensure that personal data is blocked from any further processing.

11. Confidentiality

Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by law; (b) the relevant information is already in the public domain.

12. General Terms

In case of any conflict, this Agreement shall take precedence over the regulations of the Agreement for Services. Where individual provisions of this Agreement are invalid or unenforceable, the validity and enforceability of the other provisions of this Agreement shall not be affected. This Agreement is an annex to and forms part of the Agreement for Services. The legal entity agreeing to this Agreement represents that it is authorized to agree to and enter into this Agreement for, and is agreeing to this Agreement solely on behalf of, the Controller. All notices and correspondence related to this agreement are to be directed to [email protected]. Agreement is entered into with effect from the date of conclusion by Parties of the Agreement for Services.

Dated December 1, 2021