ANNEX NO. 1 TO THE PRODUCTSYNC TERMS OF SERVICE
(hereinafter referred to as the “Processing Agreement”) entered into between:
- You who have decided to use the ProductSync service;
(hereinafter referred to as “Controller” or “you”)
and
- ProductSync s.r.o., ID No.: 24372722, with registered office at Olešná 51, 338 24 Němčovice, represented by Ing. Petr Ferschmann, managing director, registered in the Commercial Register maintained by the Regional Court in Pilsen under file no. C 47916,
(hereinafter referred to as “Processor”, “ProductSync”, or “we”)
(Processor and Controller hereinafter jointly as “Parties” and individually “Party”).
If you use the ProductSync service ("Service"), ProductSync will be the processor of the Personal Data you entrust to us. The Service is provided under the ProductSync Terms of Service ("Terms"). By entering into the Agreement, you acknowledge that you have read and agree to the Processing Agreement and that it is legally binding on you. This Processing Agreement applies to all users who access or use the Service.
Please read this Processing Agreement carefully; it sets out the terms and conditions under which Personal Data is processed in connection with the provision of the Service. If you have any questions regarding the processing of Personal Data, you can contact us at any time at privacy@productsync.com.
The Parties process Personal Data in connection with the concluded Agreement in accordance with legal regulations, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as “GDPR”). According to the GDPR, the Parties must regulate the processing rules in writing, which they do in this Processing Agreement.
INTRODUCTION AND BRIEF OVERVIEW OF THE AGREEMENT
Subject matter and purpose of the Processing Agreement. By entering into this Processing Agreement, as Controller, you authorise the Processor to process Personal Data for you in connection with the provision of the Service. The aim is to ensure the protection of Personal Data to the extent required by law. The scope of the Personal Data processed can be found in Annex A to this Processing Agreement.
ProductSync Service. The ProductSync Service consists in particular of providing Installation services, Programming work, mediating the connection between the User’s Applications with the User’s chosen target Applications (i.e. data transfer between them), and displaying and transferring data from public sources and specialised databases to the target Applications, as further defined in the Terms.
What the positions of Processor and Controller mean. When using the Service, you provide us with Personal Data of which you are the Controller, which we then process on your instructions and to the extent you choose. When processing Personal Data, you are the Controller of Personal Data under Article 4(7) of the GDPR and ProductSync is the Processor under Article 4(8) of the GDPR.
Written form. According to Article 28 GDPR, the Parties shall regulate the processing rules in writing in this Processing Agreement.
Definitions. The definitions of terms in the Terms shall be adopted with the same meaning in this Processing Agreement.
Duration of the Terms. This Processing Agreement is concluded for the duration of the Agreement under the Terms.
Moment of conclusion and termination of the Processing Agreement. The Processing Agreement is concluded at the moment of completion of registration for the purpose of using the Service (conclusion of the Agreement). The Processing Agreement may be terminated under the same conditions as the termination of the use of the Service under the Terms.
Effects of termination. Termination of this Processing Agreement shall also result in the termination of the contractual relationship in the areas to which this Processing Agreement relates, unless the Parties agree otherwise. Termination of the Terms also terminates this Processing Agreement. However, termination of this Processing Agreement shall not affect the Processor’s obligations to transfer (return) Personal Data to the Controller or to destroy it and to maintain the confidentiality of information.
JOINT OBLIGATIONS OF THE CONTROLLER AND THE PROCESSOR
Lawfulness of processing. The Controller and the Processor undertake to comply with the regulations governing the protection of Personal Data.
Cooperation. The Controller and the Processor undertake to assist each other to the necessary and reasonable extent in fulfilling the obligations in the processing of Personal Data arising from mutually concluded contracts and legal regulations, in particular in connection with responses to the exercise of the rights of data subjects, with security incidents and also with the preparation of impact assessments and with dealings with supervisory authorities. The Parties undertake to provide the necessary documents for handling a request relating to the processing of Personal Data in accordance with the Terms. The Party shall provide these documents without undue delay, but no later than 10 working days after receiving the request for cooperation to the other Party.
Incident. A Party shall notify the other Party that it has become aware of a security breach within 48 hours of becoming aware of the breach. A breach shall be understood as any case of breach of security of Personal Data that may potentially lead to accidental or unlawful destruction, alteration or unauthorised provision or disclosure of Personal Data that is processed under the Agreement as set out in the Terms.
RIGHTS AND OBLIGATIONS OF THE PROCESSOR
Restriction of access. The Processor shall ensure that access to Personal Data is restricted only to (a) employees who process Personal Data as part of their job duties, and (b) persons who cooperate with the Processor and may process Personal Data for it as part of the cooperation, in accordance with the terms of this Processing Agreement and for the purpose of providing the Services under the Agreement as set out in the Terms. Unless these persons are subject to a statutory duty of confidentiality, the Processor shall ensure their contractual confidentiality.
Processor’s commitment regarding the measures taken. The Processor has adopted and undertakes to maintain throughout the term of this Processing Agreement appropriate technical and organisational measures in accordance with the GDPR regulations applicable to the Processor. An overview of the measures taken can be found in Annex B to this Processing Agreement.
Processor’s commitment. The Processor undertakes to:
- comply with all obligations arising for the processor of Personal Data from the relevant legal regulations when processing personal data;
- process Personal Data exclusively on the basis of the Controller’s instructions made in accordance with this Processing Agreement, including in matters of transfer of Personal Data to a third country or international organisation;
- notify the Controller without undue delay of cases where the Office for Personal Data Protection or another administrative authority initiates an inspection or other administrative proceedings in relation to the processing of Personal Data by the Processor, and provide the Controller with all information about the course and results of this inspection or the course and results of such proceedings;
- assist the Controller in ensuring compliance with the Controller’s obligations regarding the security of Personal Data under Articles 32 to 36 GDPR, taking into account the nature of the processing to be carried out by the Processor;
- allow the Controller to conduct internal audits, including inspections, carried out by the Controller or another auditor authorised by the Controller, provided that these are notified to the Processor one month before they are carried out; the Processor may object to any auditor authorised by the Controller if it is not independent or is in a competitive or similar position to the Processor. On the basis of an objection raised by the Processor, the Controller is obliged to authorise another auditor;
- notify the Controller of any breach of security of Personal Data of which it becomes aware, without undue delay, no later than 48 hours after becoming aware of the breach of security. The minimum scope of this notification is set out in Article 33(3) GDPR;
- keep a record of all breaches of security of Personal Data and the corrective measures taken to ensure an adequate level of security of processing. The Processor is obliged to provide the Controller with all necessary cooperation in connection with the investigation of security breaches and the fulfilment of the Controller’s obligations under Articles 33 to 34 GDPR;
- assist the Controller in documenting processes or documents that prove that the Controller complies with the GDPR.
Reimbursement of costs. The Parties have agreed that the Processor is entitled to reimbursement of reasonable costs associated with providing cooperation to the Controller.
Confidentiality of the Processor. The Processor undertakes to observe the obligation of confidentiality regarding all Personal Data provided by the Controller, and shall keep it secret, not disclose it, not make it accessible to a third party, either as a whole or in part, unless it is to be transferred on the instructions of the Controller, or if required by law.
Trade secret. All information and documents that the Processor makes available to the Controller in connection with an audit or inspection form part of the Processor’s trade secret and, unless otherwise specified, are subject to the confidentiality requirements under this Processing Agreement. This information and documents may only be made available to the competent supervisory authority.
Lawfulness of processing. The Processor undertakes to fulfil the Processor’s obligations regarding the protection of Personal Data for the entire duration of the Agreement, unless it follows from the provisions of the Agreement, this Processing Agreement or the relevant legal regulations that they are to continue even after its termination.
Involvement of processors and involvement of a new processor. The Processor has further involved Hetzner Online GmbH (Hetzner) in the processing of Personal Data; data with this provider is always stored within the EU. If the Processor involves other processors, it will inform the Controller of this change by e-mail or directly in the Dashboard before this change. If the Controller does not agree with the involvement of a new processor, it may lodge an objection no later than 5 days after receipt of the Processor’s notification. Lodging an objection, and therefore not involving a new (sub)processor, may result in the inability to use the Service.
Programmers and other specialists of the Processor. The Controller expressly agrees to the involvement of other processors - programmers and other specialists of the Processor in the position of natural persons doing business, who provide services to the Processor on the basis of a cooperation agreement.
Processor’s obligation in case of termination of cooperation. The Processor undertakes that in the event of termination of the provision of the Services, it will delete all Personal Data and, at the Controller’s request, return it, including all copies, unless EU or Czech law requires its storage. In such a case, they will be returned within three months of receipt of the Controller’s request via a secure storage specified by the Controller in its request and to which it grants the Processor access. If, after three years from the termination of cooperation, the Controller does not give instructions for the transfer of Personal Data, the Processor will notify it of the possibility of returning the data. If the Controller does not give instructions for the transfer of data within one month of the notification, the Personal Data will be deleted with regard to the fulfilment of its legal obligations.
FINAL PROVISIONS
Legal order. For matters not specifically regulated in this Processing Agreement, generally binding legal regulations shall apply. The Processing Agreement is governed by and shall be construed in accordance with the laws of the Czech Republic, in particular Act No. 89/2012 Coll., the Civil Code, as amended. The Parties have agreed that trade customs shall not take precedence over any provisions of the law, even those provisions of the law that do not have mandatory effects.
Force majeure. The Processor shall not be liable for situations where it could not fulfil its obligation under the Processing Agreement due to an event referred to as force majeure (war, riots, terrorism, insurrections, strikes, fires, epidemics or natural disasters).
Communication between the Parties. The Parties have agreed that their communication regarding the Processing Agreement (including notification of a security incident) will take place via the following e-mail addresses:
- Controller: the e-mail address with which the Controller registered for the Service;
- Processor: privacy@productsync.com.
No assignment. No Party may assign or transfer in any way the rights and obligations arising from or related to this Processing Agreement without the prior written consent of the other Party.
Updates and changes. The Processor reserves the right to modify or update this Processing Agreement. If we make changes that change the rights and obligations under the Processing Agreement, you will be informed in a timely manner via an email that we will send you. If you continue to use the Service, you agree to the updated version of the Processing Agreement. If you do not agree with the changes, please stop using the Service.
Effectiveness. This Processing Agreement is effective in this version from 1.3.2026.
Attachments. The following attachments form part of the Processing Agreement:
- Annex A: Nature, scope, duration and purpose of the processing of Personal Data,
- Annex B: Technical and organisational measures.
ANNEX A
TO THE DATA PROCESSING AGREEMENT
NATURE, SCOPE, DURATION AND PURPOSE OF THE PROCESSING OF PERSONAL DATA
Nature of processing. Personal Data is processed automatically through the Processor’s systems used by the Processor to provide the Service.
Purpose. The purpose of the processing is to enable Controllers to use the Service (performance of the Agreement), in particular by transferring data through the selected Integration Scenario.
Legal basis for processing. The legal basis for the processing of Personal Data in the context of the provision of the Service is the performance of the Agreement (as set out in the Terms).
Scope of processing: Depending on how the Controller uses the Service (in particular by choosing an Integration Scenario), the following Personal Data may be processed in connection with the provision of the Service:
- Contact details: Name, surname, e-mail, telephone number, address, ID number, registered office, order number, account number;
- Data on tax documents: Contact details, order number, account number, invoice number; or
- Alternatively, other Personal Data transferred by the selected Integration Scenario, processed exclusively on the instructions of the Controller.
Special categories of Personal Data. The Controller undertakes not to disclose to the Processor any Personal Data that falls into the special categories of Personal Data within the meaning of Article 9 GDPR. Special categories of Personal Data may only be processed after express prior agreement with the Processor.
What are special categories of Personal Data? These are Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life or sexual orientation of a natural person. Genetic and biometric data are also considered to be a special category of data if they are processed for the purpose of uniquely identifying a natural person.
Data subject. This is usually Personal Data of the Controller’s customers or clients, the Controller’s employees and other cooperating persons including suppliers, users of the Controller’s website, business partners or their employees or representatives.
Processing time. Personal Data is processed for as long as the Parties are bound by the Agreement as set out in the Terms, unless the Parties’ agreement or a legal regulation provides for a longer period.
ANNEX B
TO THE DATA PROCESSING AGREEMENT
TECHNICAL AND ORGANISATIONAL MEASURES
Technical and organisational measures. Security is very important to us and therefore we are constantly working to ensure that your Personal Data is protected. When choosing measures, we take into account the scope of processing, the riskiness of processing or the state of our technology.
- we regularly back up data;
- we update anti-virus software systems;
- we encrypt data using SSL/TLS (“secure sockets layer / transport layer security”) for all data transfers;
- we use a secure https protocol;
- our data on servers is encrypted;
- access passwords to information systems (where Personal Data will be processed) and access rights are controlled at the individual level.
Organisational measures. We have adopted and undertake to comply with the following measures:
- Our employees are bound by confidentiality;
- Our employees are properly trained and also regularly trained on GDPR and familiarised with the rules of safe working on work equipment;
- In the case of storing API keys, we remove authorisation data;
- Access to all systems, including the information system, is personalised and covered by secure passwords;
- We store passwords in the operating environment in a separate location (Safe store), to which logs are recorded so that we can control employee access to individual Users’ Personal Data.