Version 1.0 · effective 3 June 2026
Provider
Accquix is the business brand under which the Provider provides accounting, administrative, and related digital services. The legal provider of the service is Serhii Shokha as a sole trader.
- Name and surname: Serhii Shokha
- Business brand: Accquix
- Registered address / place of business: Lermontovova 911/3, 811 05 Bratislava - Staré Mesto
- Business ID: 55 211 674
- Tax ID: 3121460815
- PFS ID: 2588281
- E-mail: serhii.shokha@gmail.com
- Phone: +421 951 527 463
- IBAN: SK68 0900 0000 0051 9910 7405
- Registration: Trade Register of the District Office Bratislava, No. 110-323868
Introduction and Roles of the Parties
1.1 This Data Processing Agreement (the “DPA”) governs the processing of personal data in connection with Accquix services when the Provider processes personal data on behalf of the Client.
1.2 The Client acts as the controller of personal data when the Client determines the purposes and means of processing personal data contained in its accounting, business, or tax documents.
1.3 The Provider acts as a processor to the extent that it processes personal data on behalf of the Client for the purpose of providing the service.
1.4 When processing personal data for the Provider's own invoicing, own accounting records, AML/KYC, protection of legal claims, security, and fulfillment of the Provider's own statutory obligations, the Provider acts as an independent controller.
Subject, Nature and Purpose of Processing
2.1 The subject of processing is the processing of personal data necessary to provide accounting, administrative, consulting, one-off, and related Accquix services.
2.2 The purpose of processing is, in particular, bookkeeping or record keeping, processing of accounting documents, preparation of tax and accounting outputs, electronic communication with public authorities, review or systematization of records, provision of consulting outputs, archiving, and communication between the parties.
2.3 Processing may be carried out by automated and non-automated means, especially in accounting software, cloud storage, e-mail communication, spreadsheets, exports, and related digital tools.
Duration of Processing
3.1 Personal data is processed during the contractual relationship and subsequently for the period necessary to fulfill statutory, accounting, tax, AML, archiving, or legal obligations.
3.2 If further retention is neither necessary nor justified, the Provider will delete the personal data or return it to the Client according to the nature of the data, technical possibilities, and the terms of this DPA.
Types of Personal Data
4.1 The processed data may include, in particular, the following categories: name and surname, business name, address, business ID, tax ID, VAT ID, contact details, bank details, invoicing details, payment data, data stated on accounting documents, data of the Client's customers and suppliers, transaction data, and data necessary for identification or AML/KYC verification.
4.2 For services that do not include payroll or HR administration, the Provider does not normally process extensive special categories of employees' personal data. If such an agenda is to be provided, it must be agreed separately.
Categories of Data Subjects
5.1 Data subjects may include, in particular, the Client, the Client's customers, suppliers, contact persons of business partners, representatives, workers, and persons listed on invoices, statements, contracts, or other documents.
Controller Instructions
6.1 The Provider processes personal data only on the basis of this DPA, an individual contract, the Terms, documented instructions of the Client, or requirements of legal regulations.
6.2 If the Provider believes that an instruction of the Client infringes GDPR or other legal regulations, the Provider will notify the Client unless a legal obligation prevents it.
Provider Obligations as Processor
7.1 The Provider undertakes to process personal data only to the extent necessary to provide the service, maintain confidentiality, adopt appropriate technical and organizational measures, ensure instruction of persons with access to data, assist the Client in fulfilling reasonable obligations under GDPR, and provide reasonable information necessary to demonstrate compliance with this DPA.
7.2 The Provider is not required to perform the Client's legal or compliance agenda toward the Client's customers, employees, or other data subjects unless separately agreed.
7.3 If the Provider receives a request from a data subject to exercise rights under GDPR concerning personal data processed on behalf of the Client, the Provider will not respond to that request directly. Instead, the Provider will forward the request to the Client without undue delay, and the Client is responsible for handling it.
7.4 If the Provider is required to disclose personal data on the basis of a binding request from a public authority, the Provider will inform the Client of the request without delay before disclosing the data, unless the relevant legal regulation prevents it, for example a court order prohibiting notification.
Sub-processors and Technology Providers
9.1 The Client grants the Provider general authorization to engage further processors and technology providers necessary to provide the service.
9.2 The list of main processors and technology providers is published at /legal/subprocessors or made available to the Client upon request.
9.3 The Provider is entitled to update the list if the change does not reduce the appropriate level of personal data protection. In the case of a material change in a recurring service, the Provider may inform the Client by e-mail or by publishing the updated list.
9.4 The Client is entitled to raise a reasoned objection to the engagement of a new further processor or replacement of an existing further processor within 14 days of notification of the change. If the Client raises a justified objection and the parties do not agree on a solution that would address the Client's concerns, this may be considered a reason for the Client to terminate the contractual relationship in accordance with the terms agreed in the individual contract or the Terms.
Security Measures
10.1 The Provider adopts appropriate technical and organizational measures, in particular access management, use of secured accounts and cloud services, appropriate passwords, restriction of access to persons who need it, backups appropriate to the nature of the service, protection of devices, and transfer of data through secure channels where appropriate.
10.2 The level of security measures corresponds to the nature of processing, scope of data, risk to data subjects, and size of the service provided.
Personal Data Breach
11.1 If the Provider becomes aware of a personal data breach concerning data processed on behalf of the Client, the Provider will inform the Client without undue delay and provide information available at the time of notification.
11.2 The Client is responsible for assessing whether notification to the supervisory authority or data subjects is required unless the law provides otherwise.
Transfers outside the EU/EEA
12.1 When using certain cloud, analytics, communication, payment, or verification tools, personal data may be transferred or accessed outside the European Union or the European Economic Area.
12.2 The Provider will ensure that such transfer takes place in accordance with GDPR, especially on the basis of an adequacy decision, standard contractual clauses, the Data Privacy Framework, or other appropriate safeguards used by the relevant provider.
Cooperation and Audit
13.1 The Provider will provide the Client with reasonable cooperation necessary to demonstrate fulfillment of obligations under this DPA. Cooperation must be proportionate to the size of the service, nature of processing, and capacities of the Provider.
13.2 If the Client requires extensive audit or security cooperation beyond ordinary communication, such cooperation may be charged according to an individual agreement.
Termination of Processing
14.1 After termination of the service that leads to termination of processing, the Provider will normally securely delete all personal data processed on behalf of the Client, except for data whose further retention is required by accounting, tax, AML, or other legal regulations.
14.2 If the Client requests in writing before termination of the contractual relationship that personal data be returned instead of deleted, the Provider will provide reasonable cooperation. Returning data in the form of a specific export or in another non-standard format is considered an extra-standard paid service, the price of which will be agreed individually.
Final Provisions
15.1 This DPA forms part of the contractual relationship between the Provider and the Client if it is referenced in an individual contract, order, or the Terms.
15.2 In matters of personal data protection, this DPA prevails over the Terms if the documents conflict.