Data Processing Agreement

This Data Processing Agreement (“DPA”), attached to the Terms of Service (General Conditions) of the Shiny Shield Global Services Limited software and services, governs the processing of Personal Data connected to the performance of the contract between:

  • The Customer (hereinafter “Data Controller”)

  • Shiny Shield Global Services Limited, a company registered in Cyprus, with registered office at Dali Industrial Zone, 2546, Nicosia, Cyprus, Europe, Company Registration Number HE 459565 (hereinafter “Data Processor”)

From here on, each is a “Party”, and together “Parties”.

Premises

  1. By subscribing to or using the ShinyBots services, the Customer has accepted the Terms of Service, of which this DPA is an integral part.

  2. The Data Controller acknowledges that in performance of the contract, the Processor will process Personal Data exclusively on its instructions and in compliance with GDPR (Regulation (EU) 2016/679) and Cyprus (or other applicable) data protection law.

  3. The Data Processor affirms it has the expertise, reliability, and capacity to carry out processing in accordance with Article 28 GDPR.

  4. Execution of the contract entails that the Processor processes Data Controller’s Personal Data.

  5. The Data Controller appoints, by means of this DPA, the Processor to process Personal Data on its behalf, under the limits and methods set out below.

1. Definitions

Unless otherwise defined in the Terms of Service or this DPA, the following definitions apply:

  • Personal Data: any information concerning an identified or identifiable natural person (Data Subject).

  • Special Categories of Data: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or sex life or sexual orientation.

  • GDPR: Regulation (EU) 2016/679.

  • Data Subjects: natural persons to whom the Personal Data refer.

  • Processing: any operation or set of operations on Personal Data (e.g. collection, storage, alteration, retrieval, use, disclosure, erasure).

  • Sub-processor: legal person, firm, or freelancer engaged by the Processor to process Personal Data on behalf of the Data Controller.

  • Personal Data Breach: breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to Personal Data processed.

2. Object of the Assignment to the Processor

The Processor undertakes, as Data Processor under Article 28 GDPR, to perform the processing activities specified in Article 4 of this DPA, in compliance with applicable data protection legislation and under the instructions of the Data Controller.

3. Categories of Personal Data and Data Subjects

3.1 In the execution of the contract, the Processor may process, on behalf of the Data Controller, the following categories of Personal Data:

  • Identifying data (e.g. name, surname, date of birth, age)

  • Contact details (e.g. email, telephone, address)

  • Bank/account/payment details

  • Data about purchases of products or services

  • Data related to requests for information or support

  • Special Categories of Data (if applicable, e.g. health data, ethnic origin, etc.)

3.2 The Controller shall periodically verify that Personal Data is accurate, complete, and relevant for the purposes in Article 4, and shall notify the Processor if modifications, updates, corrections or deletions are needed.

3.3 Upon written request by the Data Controller, the Processor shall, within 15 (fifteen) days, update, correct, or delete the Personal Data being processed.

3.4 Data Subjects may include persons who use or request support via the services (e.g. customers, potential customers, users, suppliers).

4. Purpose of Processing

4.1 To the extent permitted by the contract and this DPA, the Processor will process Personal Data exclusively for:

  1. Execution of the contract.

  2. Management of contractual and commercial relations with the Customer.

  3. Improving our products and services, and training or enhancing the software.

  4. Complying with legal obligations of the Data Controller.

4.2 The Data Controller acknowledges that the Processor may process data in aggregate (anonymized) form for statistical, research, or software improvement purposes within the scope of the contract.

5. Obligations of the Data Processor

5.1 The Processor undertakes:

  1. To comply with the Privacy Policy and data protection legislation.

  2. To comply fully with instructions from the Data Controller.

  3. To adopt technical and organizational measures ensuring security, confidentiality, availability and integrity of the systems and data, as directed by the Controller.

  4. To maintain records of its processing activities under this DPA.

  5. To promptly inform the Data Controller of disputes, investigations, or requests received from Data Subjects or supervisory authorities concerning processing under this DPA.

  6. To report to the Data Controller, without delay, any request by Data Subjects to exercise their GDPR rights so that the Controller may respond within legal timeframes.

  7. To ensure that personnel involved in processing are trained in data protection and bound by confidentiality obligations.

6. Processing toward Third Countries

6.1 The Controller will aim to use servers located within the European Union, avoiding transfers outside unless necessary.

6.2 Transfers of Personal Data to countries outside the EU are permitted only if:

  • The destination country is recognized by the European Commission as having adequate protection, or

  • Suitable safeguards are applied (e.g. Standard Contractual Clauses, binding corporate rules), in compliance with Articles 46 et seq. of GDPR.

7. Sub-processors

7.1 By this DPA, the Data Controller authorizes the Processor to engage Sub-processors for certain processing operations necessary to execute the contract. The Processor shall bind Sub-processors to obligations equivalent to those in this DPA.

7.2 The Controller should choose Sub-processors who have adequate skills, reliability, and capacity to comply with privacy law and data protection measures protecting Data Subjects’ rights.

8. Duration

8.1 This DPA becomes effective upon acceptance of the main contract and remains in effect for the contract’s duration. In case of termination, the DPA automatically ceases, unless otherwise required.

8.2 After expiry or termination, unless legal or regulatory obligations require retention, the Processor will cease processing Personal Data and return or delete all materials containing Personal Data.

9. Personal Data Breach

9.1 In the event of a Personal Data Breach affecting data processed under this DPA (including when caused by Sub-processors), the Processor shall:

  1. Inform the Data Controller without unjustified delay, and in any case within 36 (thirty-six) hours from becoming aware.

  2. Maintain a register detailing the nature of the breach, Data Subjects involved, possible consequences, and security measures taken (in collaboration with the Controller) to mitigate effects and restore conditions.

9.2 The obligation to notify supervisory authorities or Data Subjects (when required) lies with the Data Controller. The Processor commits to assist the Controller in fulfilling those obligations.

10. Communications

Any communication between the Parties for purposes of this DPA must be in writing and transmitted using the means and addresses indicated in the main agreement.

11. Applicable Law and Competent Court

11.1 This DPA is governed by the laws of the Republic of Cyprus (excluding its conflict-of-law rules).

11.2 Any dispute about validity, interpretation, or execution of the DPA shall be referred exclusively to the courts of Nicosia, Cyprus.