Data Processing Agreement

1. Introduction

This Data Processing Agreement ('DPA') forms part of the Terms of Service ('Terms') between Infobits ApS ('Processor', 'we', 'us', 'our') and the customer using our services ('Controller', 'you', 'your').

This DPA reflects the parties' agreement with respect to the processing of personal data by us on your behalf in connection with our services under the Terms. This DPA is designed to ensure compliance with applicable data protection laws and regulations, including but not limited to the European Union General Data Protection Regulation ('GDPR') and the California Consumer Privacy Act ('CCPA').

2. Definitions

The terms used in this DPA shall have the meanings set forth in this section, or if not defined, the meanings assigned to them in the GDPR or other applicable data protection laws:

• Personal Data: Any information relating to an identified or identifiable natural person ('Data Subject')
• Processing: Any operation performed on Personal Data, whether or not by automated means
• Controller: The entity that determines the purposes and means of Processing Personal Data
• Processor: The entity that Processes Personal Data on behalf of the Controller
• Sub-processor: Any Processor engaged by Infobits to process Personal Data on behalf of the Controller
• Data Protection Laws: All laws and regulations applicable to the Processing of Personal Data under the Terms, including but not limited to the GDPR and CCPA

3. Scope and Purpose of Processing

This DPA applies to the Processing of Personal Data by Infobits in the course of providing its error tracking and analytics services ('Services') as described in the Terms.

The purpose of the Processing is to provide the Services, which involves collecting error information, performance data, and analytics from the Controller's applications or websites to help identify and fix issues, improve performance, and gain insights into user behavior in a privacy-first manner.

4. Obligations and Responsibilities

4.1 Controller Obligations

As the Controller, you are responsible for ensuring that your use of our Services complies with all applicable Data Protection Laws. Specifically, you shall:

• Ensure that you have a valid legal basis for Processing the Personal Data and for the Processing activities you instruct us to perform
• Provide clear and sufficient instructions to us regarding the Processing of Personal Data
• Inform your users about the Processing of their Personal Data and ensure you have obtained any necessary consents or have another valid legal basis for sharing the data with us
• Comply with all requirements for controllers as set forth in applicable Data Protection Laws

4.2 Processor Obligations

As the Processor, we shall:

• Process Personal Data only on your documented instructions, including with regard to transfers to third countries, unless required to do so by applicable law
• Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the Processing
• Not engage another processor (Sub-processor) without your prior authorization and ensure any Sub-processor is bound by the same data protection obligations
• Assist you, taking into account the nature of the Processing, in responding to requests from Data Subjects exercising their rights under applicable Data Protection Laws
• Assist you in ensuring compliance with obligations related to security, data breach notification, data protection impact assessments, and prior consultations with supervisory authorities

5. Sub-processors

You hereby provide general authorization for us to engage Sub-processors for the Processing of Personal Data in connection with the provision of the Services. We shall maintain a list of our current Sub-processors and shall provide you with at least 30 days' prior notice of any changes to our Sub-processors.

If you have a reasonable objection to any new or replacement Sub-processor, you shall notify us promptly in writing. If you object to a new or replacement Sub-processor, and we cannot reasonably accommodate your objection, you may terminate the Services by providing written notice to us.

5.1 Current Sub-processors

As of the date of this DPA, we use the following Sub-processors:

• Cloudflare: Content delivery network (CDN) and DDoS protection services
• Scaleway: Cloud infrastructure provider for hosting our services and data storage
• Stripe: Payment processing for subscription fees

6. Security Measures

We shall implement and maintain appropriate technical and organizational measures to protect the security, confidentiality, and integrity of Personal Data. Our security measures include, but are not limited to:

6.1 Security Measures

• Encryption of Personal Data in transit and at rest
• Regular testing and evaluation of the effectiveness of security measures
• Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
• Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing
• Measures to ensure the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
• Access controls and authentication to ensure that only authorized personnel have access to Personal Data

7. Data Breach Notification

We shall notify you without undue delay after becoming aware of a personal data breach affecting the Personal Data Processed under this DPA. Our notification will include, to the extent possible: a description of the nature of the breach, the categories and approximate number of Data Subjects concerned, the categories and approximate number of Personal Data records concerned, and a description of the likely consequences of the breach.

We shall also provide you with information about the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

We shall cooperate with you and take such reasonable commercial steps as are directed by you to assist in the investigation, mitigation, and remediation of any data breach.

8. Data Subject Rights

Taking into account the nature of the Processing, we shall assist you by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of your obligation to respond to requests by Data Subjects exercising their rights under applicable Data Protection Laws.

We shall assist you in responding to requests from Data Subjects seeking to exercise their rights, including but not limited to:

• The right of access to their Personal Data
• The right to rectification of inaccurate Personal Data
• The right to erasure of their Personal Data
• The right to restriction of Processing of their Personal Data
• The right to data portability

9. Audits and Inspections

We shall make available to you all information necessary to demonstrate compliance with the obligations set forth in this DPA and shall allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you.

Any audit or inspection shall be conducted during regular business hours, with reasonable advance notice to us, and subject to reasonable confidentiality procedures. Such audits shall occur no more than once per year, except in the case of a data breach or if required by a supervisory authority.

You shall bear any costs arising from any audit or inspection, unless such audit reveals material non-compliance with this DPA, in which case we shall bear the reasonable costs of the audit.

10. Term and Termination

This DPA shall commence on the effective date of the Terms and shall remain in effect until the termination of the Terms, upon which this DPA shall automatically terminate.

Upon termination of this DPA, we shall, at your choice, delete or return all Personal Data to you and delete existing copies unless applicable law requires storage of the Personal Data.

11. Governing Law

This DPA shall be governed by and construed in accordance with the laws of Denmark, without regard to its conflict of law provisions. Any disputes arising from this DPA shall be resolved exclusively in the courts of Denmark.

12. Contact Information

If you have any questions about this DPA, please contact us at: