This Data Processing Agreement (“Agreement”) is an integral part of Terms of Use of website: matomba.com (“Site”). It forms an agreement (“Principal Agreement”) between a user of the Site, hereinafter referred to as the “Controller” and LLC MATOMBA TECHNOLOGIES INN 5043077977 OGRN 1225000087597 KPP 504301001, hereinafter referred to as the “Processor”, acting on its own behalf, together referred to as “Parties”.
The terms used in this Agreement shall have the meanings set either in the Agreement or in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect. The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
HOW TO EXECUTE THIS DPA:
To execute this DPA, please do one of the following:
- download this DPA, complete the form fields, sign, and email to support@matomba.com. Customer acknowledges and agrees that a completed and signed copy of this Agreement must be emailed to support@matomba.com for the Agreement to become effective; or
- click here (currently unsupported option) to complete the form fields and sign electronically.
Once electronically executed by both Controller and Processor, this DPA will be effective and your signatory will receive a fully-executed copy by email.
Definitions and Interpretation
In this Agreement, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
- "Sub-processor" means any Data Processor (including any third party) appointed by the Processor to process Controller Personal Data on behalf of the Controller.
- "Process/Processing/Processed", "Data Controller", "Data Processor", "Data Subject", "Personal Data", "Special Categories of Personal Data" and any further definition not included under this Agreement or the Principal Agreement shall have the same meaning as in EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR").
- "Data Protection Laws" means EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR") as well as any local data protection laws.
- "Erasure" means the removal or destruction of Personal Data such that it cannot be recovered or reconstructed.
- "EEA" means the European Economic Area.
- "Third country" means any country outside EU/EEA, except where that country is the subject of a valid adequacy decision by the European Commission on the protection of Personal Data in Third Countries.
- "Controller Personal Data" means Personal Data processed by Processor on behalf of the Controller pursuant to or in connection with the Principal Agreement.
- "Personal Data Breach" means a breach of leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Controller Personal Data transmitted, stored or otherwise processed.
- "Services" means the services to be supplied by the Processor to the Controller pursuant to the Principal Agreement.
- "Products" means the products to be supplied by the Processor to the Controller pursuant to the Principal Agreement.
- "Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to Processors established in third countries, as approved by the European Commission Decision 2010/87/EU, or any set of clauses approved by the European Commission which amends, replaces or supersedes these.
Processing of Controller Personal Data
2.1. In the course of providing the Services and/or Products to the Controller pursuant to the Principal Agreement, the Processor may process Controller Personal Data on behalf of the Controller.
2.2. The Processor shall not Process Company Personal Data other than on the relevant Controller’s documented instructions.
2.3. The Processor shall only process Controller Personal Data for the purposes of the Principal Agreement. The Processor shall not process, transfer, modify, amend or alter the Controller Personal Data or disclose or permit the disclosure of the Controller Personal Data to any third party other than in accordance with Controller's documented instructions, unless processing is required by EU or Member State law to which Processor is subject. The Processor shall, to the extent permitted by such law, inform the Controller of that legal requirement before processing the Personal Data and comply with the Controller's instructions to minimize, as much as possible, the scope of the disclosure.
2.4. Where the Controller requests a resource or resources to be shared with another controller, the Controller will seek to establish a direct documented agreement to ensure Data Protection Laws are followed, as these relationships will not be classed as an “Authorized Sub-Processor”.
Reliability and Non-Disclosure
3.1. The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who require access to the relevant Controller Personal Data.
3.2. The Processor must ensure that all individuals who have a duty to process Controller Personal Data:
- Are informed of the confidential nature of the Controller Personal Data and are aware of Processor's obligations under this Agreement, the Principal Agreement in relation to the Controller Personal Data;
- Have undertaken appropriate training / certifications in relation to the Data Protection Laws;
- Are subject to confidentiality undertakings or professional or statutory obligations of confidentiality;
- Are subject to user authentication and logon processes when accessing the Controller Personal Data in accordance with this Agreement, the Principal Agreement and the applicable Data Protection Laws.
Personal Data Security
4.1. Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2. In assessing the appropriate level of security, the Processor shall consider the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Controller Personal Data transmitted, stored or otherwise processed.
Sub-Processing
5.1. Processor shall not appoint (or disclose any Controller Personal Data to) any Sub-Processor unless required or authorized by the Controller.
5.2. With respect to each Sub-processor, the Processor shall:
5.2.1. Provide the Controller with full details of the Processing to be undertaken by each Sub-Processor;
5.2.2. Carry out adequate due diligence on each Sub-Processor to ensure that it can provide the level of protection for Controller Personal Data, including without limitation, sufficient guarantees to implement appropriate technical and organizational measures in such a manner that Processing will meet the requirements of GDPR, this Agreement, the Principal Agreement and the applicable Data Protection Laws;
5.2.3. Upon request, the Processor shall provide a copy of its agreements with Sub-Processors to Controller for its review;
5.2.4. Insofar as the Principal Agreement involves the transfer of Controller Personal Data outside of the EEA, incorporate the Standard Contractual Clauses, Privacy Shield, or such other mechanism as directed by the Controller into the contract between the Processor and each Sub-Processor to ensure the adequate protection of the transferred Controller Personal Data;
5.2.5. Remain fully liable to the Controller for any failure by each Sub-Processor to fulfil its obligations in relation to the Processing of any Controller Personal Data.
Data Subject Rights
6.1. Considering the nature of the Processing, the Processor shall assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights as laid down in EU GDPR.
6.2. The Processor shall promptly notify the Controller if it receives a request from a Data Subject, the Supervisory Authority and/or other competent authority under any applicable Data Protection Laws with respect to Controller Personal Data.
6.3. The Processor shall cooperate as requested by the Controller to enable the Controller to comply with any exercise of rights by a Data Subject under any Data Protection Laws with respect to Controller Personal Data and comply with any assessment, enquiry, notice or investigation under any Data Protection Laws with respect to Controller Personal Data or this Agreement, which shall include:
6.3.1. The provision of all data requested by the Controller within any reasonable timescale specified by the Controller in each case, including full details and copies of the complaint, communication or request and any Controller Personal Data it holds in relation to a Data Subject.
6.3.2. Where applicable, providing such assistance as is reasonably requested by the Controller to enable the Controller to comply with the relevant request within the timescales prescribed by the Data Protection Laws.
Personal Data Breach
7.1. The Processor shall notify the Controller without undue delay and, in any case, within seventy-two (72) hours upon becoming aware of or reasonably suspecting a Personal Data Breach. The Processor will provide the Controller with sufficient information to allow the Controller to meet any obligations to report a Personal Data Breach under the Data Protection Laws. Such notification shall as a minimum:
7.1.1. Describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
7.1.2. Communicate the name and contact details of the Processor's Data Protection Officer, Privacy Officer or other relevant contact from whom more information may be obtained;
7.1.3. Describe the estimated risk and the likely consequences of the Personal Data Breach as well as the measures taken or proposed to be taken to address the Personal Data Breach.
7.2. The Processor shall co-operate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each Personal Data Breach.
7.3. In the event of a Personal Data Breach, the Processor shall not inform any third party without first obtaining the Controller's prior written consent, unless notification is required by EU or Member State law to which the Processor is subject, in which case the Processor shall, to the extent permitted by such law, inform the Controller of that legal requirement, provide a copy of the proposed notification and consider any comments made by the Controller before notifying the Personal Data Breach.
7.3. Processor shall promptly and in any event within 10 (ten) business days of the date of cessation of any Services involving the Processing of Controller Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Company Personal Data.
Data Protection Impact Assessment and Prior Consultation
The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments which are required under Article 35 of GDPR and with any prior consultations to any supervisory authority of the Controller which are required under Article 36 of GDPR, in each case solely in relation to Processing of Controller Personal Data by the Processor on behalf of the Controller and considering the nature of the processing and information available to the Processor.
Audit rights
Processor shall make available to the Controller, upon request, all information necessary to demonstrate compliance with this Agreement and allow for, and contribute to audits. The Processor shall permit the Controller, or another auditor mandated by the Controller to inspect, audit and copy any relevant records, processes and systems in order that the Controller may satisfy itself that the provisions of this Agreement are being complied with. The Processor shall provide full cooperation to the Controller with respect to any such audit and shall, at the request of the Controller, provide the Controller with evidence of compliance with its obligations under this Agreement. Processor shall immediately inform the Controller if, in its opinion, an instruction pursuant to this section 11 (Audit Rights) infringes the GDPR or other EU or Member State data protection provisions.
Data transfer
The Processor may transfer and process Controller Personal Data anywhere in the world where the Processor maintains data processing operations. The Processor shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws.
General Terms
11.1. Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
- disclosure is required by law;
- the relevant information is already in the public domain.
11.2. Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement or at such other address as notified from time to time by the Parties changing address. Any breach of this Addendum shall constitute a material breach of the Principal Agreement.
Governing Law and Jurisdiction
12.1. This Agreement is governed by the laws of the European Union.
12.2. Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of the Russian Federation.
Relationship with the Principal Agreement
13.1. For avoidance of doubt, this DPA shall only become legally binding between Controller and Processor when the steps set out in the Section “HOW TO EXECUTE THIS DPA” above have been fully completed.
13.2. This DPA shall remain in effect for as long as the Processor carries out Controller Personal Data processing operations on behalf of the Controller or until termination of the Principal Agreement (and all Customer Data has been returned or deleted).
IN WITNESS WHEREOF, the parties caused this Agreement to be duly executed. Each party warrants and represents that its respective signatories whose signatures appear below are on the date of signature duly authorized.