Data Processing Agreement (DPA)

1. Parties

1. Controller: the User of the Bisonary Service, to the extent the User determines the purposes and means of processing.
2. Processor: Oskar Więckowicz, conducting business as Oskar Więckowicz Software Development, a sole proprietor registered in Poland, address: aleja Marcina Kromera 61/3, 51-163 Wrocław, Poland, VAT / Tax ID: PL8992924472, email: contact@bisonary.com.

2. Scope and Subject Matter

1. This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Bisonary Service.
2. The subject matter, duration, nature, and purpose of the processing are defined by the Controller's use of the Service under the Terms of Service.

3. Processing Details

4. Processor Obligations

The Processor shall:

1. process Personal Data only on documented instructions
2. ensure that persons authorized to process Personal Data are bound by confidentiality obligations
3. implement appropriate technical and organizational security measures
4. assist the Controller, where reasonably possible, with data subject rights and security incidents
5. delete or return Personal Data upon termination where required by the Terms or applicable law

5. Controller Obligations

The Controller shall:

1. ensure a valid legal basis for the processing of Personal Data
2. provide lawful instructions and submit only data the Controller is entitled to process
3. comply with all applicable data protection and communications laws
4. avoid submitting sensitive or regulated data unless strictly necessary and lawfully permitted

6. Sub-processors

1. The Controller authorizes the use of sub-processors reasonably necessary to provide the Service, including hosting providers, analytics providers, AI model providers, and email or support tooling providers.
2. The Processor will ensure that sub-processors are subject to contractual obligations substantially equivalent to those set out in this DPA where required by applicable law.
3. An up-to-date list of significant sub-processors may be provided on request.

7. International Transfers

1. Personal Data may be transferred outside the EEA where required to provide the Service.
2. Such transfers will be subject to appropriate safeguards such as Standard Contractual Clauses or another lawful transfer mechanism.

8. Security Measures

The Processor implements appropriate measures, including:

• access controls and least-privilege practices
• encryption in transit and, where appropriate, at rest
• logging and monitoring
• regular reviews of security posture

9. Data Subject Requests and Incidents

The Processor will notify the Controller without undue delay of requests from data subjects relating to Controller Personal Data or of confirmed Personal Data breaches affecting such data, unless the law prevents disclosure.

10. Audits

1. Upon reasonable request, the Processor will provide information necessary to demonstrate compliance with this DPA.
2. Any audit must be reasonable in scope, non-disruptive, and subject to confidentiality obligations.

11. Liability

Liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service, to the extent permitted by applicable law.

12. Term and Termination

1. This DPA remains in effect for as long as the Processor processes Personal Data on behalf of the Controller.
2. Upon termination of the relevant processing, Personal Data will be deleted or returned in accordance with the Terms of Service and applicable law.

13. Governing Law

This DPA is governed by the laws of Poland, subject to mandatory data protection rules that apply to the parties.