Agreement of entrustment of personal data processing

This Data Processing Agreement (“Agreement”) is made between:
Data Controller: The entity utilizing Octolize.com’s services, hereinafter referred to as the “Controller”,
and
Data Processor: Octolize LTD, located at 51 Holland Street, W8 7JB London, United Kingdom, VAT ID: GB404916506, Company number: 12826254, hereinafter referred to as the “Processor”.

§1. Subject matter of the Agreement

1.1. The Controller entrusts the Processor with the processing of personal data under the terms specified in this Agreement.

1.2. The Processor shall process personal data solely for the purpose of providing technical support for the Controller’s website, including diagnosing and resolving issues related to WordPress plugins.

1.3. This Agreement is entered into for the purpose of fulfilling the requirements of Article 28 of the GDPR (General Data Protection Regulation) and any other applicable data protection legislation.

§2. Scope and purpose of Data Processing

2.1. The Processor shall process personal data solely for the purpose of providing technical support services to the Controller’s online store. This includes diagnosing, testing, and resolving technical issues, and may involve temporary access to the Controller’s administrative panel.

2.2. The categories of personal data processed may include:

  1. User account data (e.g., username, contact details, order information) necessary to identify and reproduce technical issues;
  2. Other website-related data required to troubleshoot and improve functionality.

2.3. The Processor will not modify personal data unless explicitly requested to do so by the Controller. All processing shall be limited to what is strictly necessary for the performance of the requested support services.

§3. Obligations of the Processor

3.1. The Processor agrees to:

  1. Process personal data only on documented instructions from the Controller.
  2. Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with applicable data protection laws.

3.2. The Processor shall, at the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage of the personal data.

3.3. The Processor shall assist the Controller, upon the Controller’s request and taking into account the nature of the processing, in fulfilling its obligations to respond to requests from data subjects and in ensuring compliance with its obligations under Articles 32 to 36 of GDPR.

3.4. The Processor shall notify the Controller without undue delay (and in any event within [48] hours) after becoming aware of a personal data breach.

§4. Responsibility for Instructions

4.1. The Controller is responsible for ensuring that the instructions it provides to the Processor regarding the processing of personal data comply with applicable laws.

4.2. The Processor shall not be liable for any damages arising from processing carried out in accordance with instructions received from the Controller that are incorrect, incomplete, or unlawful.

4.3. The Controller is responsible for ensuring that the personal data provided to the Processor is collected and processed in accordance with applicable laws, including obtaining all necessary consents from data subjects.

§5. Indemnification

5.1. The Controller agrees to indemnify and hold harmless the Processor, its affiliates, officers, directors, employees, agents, and subcontractors from any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or in connection with:

  1. Any breach by the Controller of its obligations under this Agreement or applicable data protection laws;
  2. Any processing of personal data conducted by the Processor in accordance with the Controller’s instructions.

§6. Limitation of liability

6.1. In no event shall the Processor be liable for any indirect, incidental, consequential, special, or punitive damages, or for any loss of profits or revenues, whether incurred directly or indirectly.

6.2. The Processor shall not be liable for any data breach or unauthorized access to personal data that occurs despite the Processor’s adherence to the security measures agreed upon in this Agreement, provided that such breach is not a result of the Processor’s negligence or willful misconduct.

6.3. The Processor shall not be liable for any fines, penalties, or other sanctions imposed on the Controller by any regulatory authority, except to the extent that such fines are a direct result of the Processor’s breach of its obligations under this Agreement.

§7. Sub-processing

7.1. The Controller authorizes the Processor to engage sub-processors to process personal data on behalf of the Controller.

7.2. The Processor shall ensure that any sub-processor it engages to process personal data on behalf of the Controller is bound by data protection obligations consistent with those of the Processor under this Agreement.

7.3. The Processor shall remain fully liable to the Controller for the performance of the sub-processor’s obligations.

§8. Confidentiality

8.1. Both parties agree to maintain the confidentiality of all information received from the other party that is designated as confidential or that ought reasonably to be considered confidential.

8.2. The Processor shall ensure that any person authorized to process personal data is subject to a duty of confidentiality.

§9. Governing law and jurisdiction

9.1. This Agreement shall be governed by and construed in accordance with the laws of United Kingdom, without regard to its conflict of laws principles.

9.2. Any disputes arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts located in United Kingdom.

9.3. Where personal data originating from the European Economic Area (EEA) is transferred to the Processor in the UK, the Parties shall ensure that such transfers are made in compliance with applicable data protection laws and, if necessary, are governed by appropriate safeguards such as EU Standard Contractual Clauses.

§10. Final provisions

10.1. If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

10.2. This Agreement constitutes the entire agreement between the parties regarding the subject matter herein and supersedes all prior agreements, understandings, and communications.