Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the Terms and Conditions (the “Agreement”) between Nimbus Riders sp. z o.o. (“Company”, “Processor”, “we”, “us”) and the entity agreeing to these terms (“Subscriber”, “Controller”, “you”).
This DPA applies to the extent that Company processes Personal Data on behalf of Subscriber in connection with the provision of the WebSpeaker Service.
1. Definitions
For the purposes of this DPA:
- “Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal Data, including GDPR, and any national implementing legislation;
- “Data Subject” means an identified or identifiable natural person whose Personal Data is processed;
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
- “Personal Data” means any information relating to a Data Subject that is processed by Company on behalf of Subscriber in connection with the Service;
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data;
- “Processing” means any operation performed on Personal Data, such as collection, recording, storage, retrieval, use, disclosure, or erasure;
- “Service” means the WebSpeaker service as described in the Agreement;
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to third countries;
- “Sub-processor” means any third party engaged by Company to process Personal Data on behalf of Subscriber.
2. Scope and Roles
2.1 Roles of the Parties
For the purposes of Data Protection Laws:
- Subscriber is the Controller of Personal Data processed through the Service;
- Company is the Processor acting on behalf of Subscriber.
2.2 Scope of Processing
This DPA applies to the processing of Personal Data as described in Annex 1 (Details of Processing).
2.3 Subscriber Obligations
Subscriber represents and warrants that:
- It has the legal authority to provide Personal Data to Company;
- It has provided all necessary notices and obtained all necessary consents from Data Subjects as required by Data Protection Laws;
- Its instructions to Company comply with Data Protection Laws;
- It is responsible for the accuracy, quality, and legality of Personal Data provided to Company.
3. Processing Instructions
3.1 Documented Instructions
Company shall process Personal Data only on documented instructions from Subscriber, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such case, Company shall inform Subscriber of that legal requirement before processing, unless prohibited by law.
3.2 Scope of Instructions
Subscriber’s instructions are set out in:
- This DPA and its Annexes;
- The Agreement;
- Subscriber’s configuration and use of the Service;
- Any additional written instructions provided by Subscriber and acknowledged by Company.
3.3 Additional Instructions
If Subscriber requires processing beyond the scope of the Agreement, such processing shall be subject to separate agreement and may incur additional fees.
4. Confidentiality
4.1 Personnel Obligations
Company shall ensure that persons authorized to process Personal Data:
- Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Process Personal Data only on instructions from Subscriber, unless required by law.
4.2 Access Limitation
Company shall limit access to Personal Data to personnel who need access to perform the Service.
5. Security Measures
5.1 Technical and Organizational Measures
Company shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure.
These measures are described in Annex 2 (Security Measures) and include:
- Encryption of Personal Data in transit and at rest;
- Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems;
- Measures to restore availability and access to Personal Data in a timely manner in the event of an incident;
- Regular testing and evaluation of the effectiveness of security measures.
5.2 Security Updates
Company may update Security Measures from time to time, provided that such updates do not materially decrease the overall security of the Service.
6. Sub-processors
6.1 Authorization
Subscriber provides general authorization for Company to engage Sub-processors to process Personal Data, subject to the requirements of this Section 6.
6.2 List of Sub-processors
A current list of Sub-processors is available at https://webspeaker.pro/sub-processors.
6.3 Sub-processor Requirements
Company shall:
- Enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA;
- Remain liable for the acts and omissions of its Sub-processors.
6.4 Changes to Sub-processors
Company shall notify Subscriber of any intended changes to Sub-processors by:
- Updating the Sub-processors list at least 30 days before engaging a new Sub-processor;
- Providing notice via email to Subscriber’s designated contact.
6.5 Objection to Sub-processors
If Subscriber has a reasonable objection to a new Sub-processor based on data protection concerns, Subscriber shall notify Company in writing within 14 days of receiving notice. The parties shall discuss the objection in good faith. If no resolution is reached, Subscriber may terminate the affected Service without penalty by providing written notice within 30 days.
7. Data Subject Rights
7.1 Assistance with Requests
Company shall, taking into account the nature of the processing, assist Subscriber by appropriate technical and organizational measures, insofar as possible, for the fulfillment of Subscriber’s obligation to respond to requests from Data Subjects exercising their rights under Data Protection Laws.
7.2 Notification
If Company receives a request from a Data Subject regarding Personal Data processed on behalf of Subscriber, Company shall:
- Promptly notify Subscriber of the request;
- Not respond to the request directly, unless authorized by Subscriber or required by law.
8. Personal Data Breach
8.1 Notification
Company shall notify Subscriber without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of Subscriber.
8.2 Breach Notification Content
The notification shall include, to the extent known:
- A description of the nature of the Personal Data Breach, including categories and approximate number of Data Subjects and records concerned;
- The name and contact details of the point of contact for more information;
- A description of the likely consequences of the Personal Data Breach;
- A description of measures taken or proposed to address the breach and mitigate its effects.
8.3 Assistance
Company shall cooperate with Subscriber and provide reasonable assistance in investigating and mitigating the Personal Data Breach.
9. Data Protection Impact Assessment
Company shall provide reasonable assistance to Subscriber with data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Data Protection Laws and taking into account the nature of the processing and information available to Company.
10. Audits
10.1 Audit Rights
Company shall make available to Subscriber all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Subscriber or an auditor mandated by Subscriber.
10.2 Audit Conditions
Audits shall be:
- Conducted with reasonable advance notice (at least 30 days, except in case of a Personal Data Breach);
- Conducted during normal business hours;
- Subject to reasonable confidentiality obligations;
- At Subscriber’s expense (unless the audit reveals material non-compliance by Company).
10.3 Third-Party Certifications
Company may satisfy audit requirements by providing:
- Copies of relevant third-party certifications or audit reports (e.g., SOC 2, ISO 27001);
- Written responses to reasonable audit questionnaires.
11. International Data Transfers
11.1 Transfers Outside EEA
Company may transfer Personal Data outside the European Economic Area only if appropriate safeguards are in place as required by Data Protection Laws.
11.2 Transfer Mechanisms
For transfers to countries without an adequacy decision by the European Commission, Company relies on:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Additional supplementary measures where necessary.
11.3 SCCs
Where SCCs apply:
- For transfers from Subscriber (Controller) to Company (Processor): Module Two of the SCCs applies;
- For transfers from Company (Processor) to Sub-processors: Module Three of the SCCs applies;
- The SCCs are incorporated by reference into this DPA.
11.4 Specific Transfers
A current list of Sub-processors, including their locations and applicable transfer mechanisms, is available at https://webspeaker.pro/sub-processors. For Sub-processors located outside the EEA, Company applies SCCs and supplementary measures as appropriate.
12. Return and Deletion of Data
12.1 During the Term
During the term of the Agreement, Subscriber may export Personal Data using the features provided by the Service.
12.2 Upon Termination
Upon termination of the Agreement:
- Company shall, at Subscriber’s choice, return or delete all Personal Data within 30 days of receiving a written request;
- If no request is received within 90 days of termination, Company shall delete all Personal Data;
- Company may retain Personal Data to the extent required by applicable law, in which case Company shall isolate and protect such data and limit further processing to that required by law.
12.3 Certification
Upon request, Company shall provide written certification of deletion.
13. Liability
13.1 Liability Cap
Each party’s liability under this DPA is subject to the limitations of liability set forth in the Agreement.
13.2 Indemnification
Each party shall indemnify the other for any fines, damages, or costs arising from the indemnifying party’s breach of this DPA or Data Protection Laws, subject to the limitations in the Agreement.
14. Term
This DPA shall remain in effect for the duration of the Agreement and for as long as Company processes Personal Data on behalf of Subscriber.
15. Conflict
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
16. Governing Law
This DPA shall be governed by the laws of Poland, without regard to conflict of law principles.
Annex 1: Details of Processing
Categories of Data Subjects
- Subscriber’s employees and authorized users;
- Subscriber’s customers and end users;
- Visitors to Subscriber’s websites indexed by the Service.
Categories of Personal Data
- Identifiers: names, email addresses, IP addresses, user IDs;
- Technical data: browser type, device information, operating system;
- Usage data: search queries, chatbot conversations, page views;
- Content data: any personal data contained in content indexed from Subscriber’s websites.
Sensitive Data
The Service is not designed to process special categories of personal data (Art. 9 GDPR) or data relating to criminal convictions (Art. 10 GDPR). Subscriber shall not submit such data unless expressly agreed in writing.
Processing Operations
- Collection and storage of indexed content;
- Processing of search queries;
- Processing of chatbot conversations via AI services;
- Analytics and usage reporting;
- Customer support.
Purpose of Processing
To provide the WebSpeaker Service as described in the Agreement, including:
- Website search functionality;
- AI-powered chatbot functionality;
- Analytics and reporting for Subscriber.
Duration of Processing
For the term of the Agreement, plus any retention period required by law or as specified in Section 12.
Annex 2: Security Measures
Company implements the following technical and organizational measures:
Access Control
- Role-based access control (RBAC);
- Multi-factor authentication for administrative access;
- Regular access reviews;
- Principle of least privilege.
Encryption
- TLS 1.2+ for data in transit;
- AES-256 encryption for data at rest;
- Encryption key management procedures.
Network Security
- Firewalls and network segmentation;
- Intrusion detection and prevention;
- DDoS protection;
- Regular vulnerability scanning.
Physical Security
- Data centers with physical access controls;
- 24/7 monitoring and surveillance;
- Environmental controls (fire suppression, climate control).
Operational Security
- Security incident response procedures;
- Regular security training for personnel;
- Background checks for personnel with access to Personal Data;
- Secure development lifecycle (SDLC).
Availability and Resilience
- Regular backups;
- Disaster recovery procedures;
- Redundant infrastructure;
- Uptime monitoring.
Data Handling
- Data minimization practices;
- Secure data disposal procedures;
- Logging and audit trails;
- Data classification policies.
Annex 3: Standard Contractual Clauses
For transfers of Personal Data outside the EEA, the parties agree to the Standard Contractual Clauses as set out in Commission Implementing Decision (EU) 2021/914, which are incorporated by reference.
The following selections apply:
Module Two (Controller to Processor):
- Clause 7 (Docking clause): Included
- Clause 9 (Use of sub-processors): Option 2 (General written authorization)
- Clause 11 (Redress): Optional language not included
- Clause 17 (Governing law): Laws of Poland
- Clause 18 (Choice of forum and jurisdiction): Courts of Poland
Module Three (Processor to Sub-processor):
- Applied for transfers to Sub-processors outside the EEA
The Annexes to the SCCs are completed as follows:
- Annex I.A (List of Parties): As identified in the Agreement
- Annex I.B (Description of Transfer): As set out in Annex 1 of this DPA
- Annex I.C (Competent Supervisory Authority): Urząd Ochrony Danych Osobowych (UODO), Poland
- Annex II (Technical and Organizational Measures): As set out in Annex 2 of this DPA
Document version
1.0 of 01 January 2025