Codesi Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into by and between the respective Business Client ("Controller") and Codesi ("Processor"), collectively referred to as the "Parties."

This DPA sets forth the terms and conditions under which the Processor will process personal data on behalf of the Controller in connection with the services provided under the Terms and Conditions ("Terms"). This DPA is an integral part of the Terms and is incorporated therein by reference. By agreeing to the Terms, the Controller also agrees to the terms of this DPA. The Parties acknowledge that in the context of providing services under the Terms, the Processor will process certain personal data on behalf of the Controller, and both Parties agree to comply with the applicable data protection laws. The terms defined in the Terms shall have the same meaning when used in this DPA unless otherwise expressly stated herein.

1. Definitions

1.1. Applicable Data Protection Laws

All data protection and privacy laws applicable to the processing of Personal Data under this Agreement, including any national laws, regulations, and secondary legislation, as amended or updated from time to time.

1.2. Business Client

A third-party entity that uses Codesi’s platform to create and operate a website for its own business purposes and that has entered into an agreement with Codesi for the provision of services.

1.3. Customer

An individual who interacts with or uses the services provided by a Business Client through the website created and managed using the Codesi platform.

1.4. Data Controller

The entity which determines the purposes and means of the processing of Personal Data.

1.5. Data processor

The entity which determines the purposes and means of the processing of Personal Data.

1.6. Data Subject

An identified or identifiable natural person to whom Personal Data relates.

1.7. Personal data

Any information relating to an identified or identifiable natural person ("Data Subject") processed under this Agreement, including but not limited to names, email addresses, payment information, and other data that may be used to identify or contact the Data Subject.

1.8. Processing

Any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

1.9. Services or Platform

The services provided by Codesi to Business Clients, including but not limited to the provision of tools and functionalities for the creation, customization, and management of websites, as well as related services such as payment processing and analytics.

1.10. Sub-processor

Any third-party service provider engaged by Codesi that processes Personal Data on behalf of Codesi to provide services to the Business Clients under this Agreement.

2. Assignment of Processing

2.1. Roles of the Parties

Codesi shall act as the Data Processor for the Personal Data of Customers of the Business Clients. In this role, Codesi will process such data on behalf of the Business Clients in accordance with their instructions, solely for the purpose of providing the Codesi Services as described in this Agreement.

2.2. Details of Processing

2.2.1. Nature of the Processing: The processing activities undertaken by Codesi include the collection, storage, organization, analysis, and transmission of Personal Data. This processing supports the functionality of the websites created by Business Clients using the Codesi platform, including communication with Customers.

2.2.2. Purpose of the Processing: The purpose of processing Personal Data under this Agreement is to enable Business Clients to manage their websites and related services through the Codesi platform. This includes facilitating online transactions, customer interactions, and the provision of digital services, as well as maintaining and improving the platform’s performance and security.

2.2.3. Duration of the Processing: Codesi will process Personal Data for as long as necessary to fulfill the purposes outlined in this Agreement or as required by Applicab Data Protection Laws. The processing will continue for the duration of the contractual relationship between Codesi and the Business Client, and any data retention periods stipulated by law or agreed upon by the parties.

2.2.4. Type of Personal Data: The types of Personal Data processed by Codesi on behalf of the Business Client may include, but are not limited to:

• Basic Identification Information: Such as names, email addresses, phone numbers, and postal addresses.

• Customer Interaction Data: Including details of interactions with the Business Client’s services, such as customer inquiries, service requests, and communication logs.

• Usage Data: Information about how the Business Client’s customers use the website and services, including IP addresses, browser type, device identifiers, and oth online identifiers.

• Preferences and Behavioral Data: Data related to customer preferences, browsing behavior, and service usage patterns.

• Any Other Data: Any other Personal Data that the Business Client instructs Codesi to process on their behalf in the course of using the Codesi platform.

2.2.5. Obligation to Avoid Processing Sensitive Data: The Business Client agrees not to instruct Codesi to process any Special Categories of Personal Data (as defined und Applicable Data Protection Laws, including but not limited to data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation), or other types of sensitive data requiring special protection under Applicable Data Protection Laws. The Business Client shall indemnify and hold Codesi harmless against any claims, damages, or liabilities arising from the processing of such sensitive data in violation of this obligation.

2.2.6. Categories of Data Subjects: The categories of Data Subjects whose Personal Data may be processed under this Agreement include, but are not limited to:

• Customers of the Business Client: Individuals who interact with the websites and services operated by the Business Client via the Codesi platform, including potential and actual customers, subscribers, or users.

• Website Visitors: Individuals who visit or interact with the Business Client’s websites, including those who may not be registered users but whose data may be collected through the use of cookies or other tracking technologies.

• Other Relevant Data Subjects: Any other individuals whose Personal Data is processed by Codesi on behalf of the Business Client as part of the provision of services, as instructed by the Business Client.

4. Sub-Processing

4.1. Approval of Sub-Processors

The Business Client grants Codesi general authorization to engage sub-processors for the performance of specific processing activities under this Agreement.

4.2. Sub-Processor Obligations

Codesi shall ensure that any sub-processor engaged by Codesi is bound by the same data protection obligations as set out in this Agreement. Codesi shall enter into a written agreement with each sub-processor that imposes obligations equivalent to those imposed on Codesi under this Agreement, particularly regarding the provision of suffici guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Applicable Data Protection Laws.

5. Data Subject Rights

5.1. Assistance with Data Subject Requests

5.1.1. Obligation to Assist: Codesi, in its role as Data Processor, shall assist the Business Client (the Data Controller) in fulfilling its obligations to respond to requests from Da Subjects exercising their rights under Applicable Data Protection Laws, including but not limited to rights of erasure.

5.1.2. Notification of Requests: If Codesi receives a request directly from a Data Subje related to Personal Data processed on behalf of the Business Client, Codesi shall promptly notify the Business Client without undue delay. Codesi shall not respond to any such Data Subject request without the prior written consent of the Business Client, except as required by Applicable Data Protection Laws.

5.2. Timing and Costs of Assistance

5.2.1. Prompt Action: Codesi shall respond promptly to any request from the Business Client for assistance in dealing with a Data Subject request, taking into account the nature of the processing and the timeframe within which the Business Client is required to respond under Applicable Data Protection Laws.

5.2.2. Costs: Where such assistance incurs additional costs beyond the scope of the services provided under this Agreement, Codesi may charge the Business Client a reasonable fee for providing such assistance, provided that any such fees are agreed upon in advance between the parties.

6. Data Breaches

6.1. Notification of Data Breaches

6.1.1. Prompt Notification: In the event of a Personal Data Breach, Codesi shall notify the Business Client without undue delay and, where feasible, not later than 48 hours after becoming aware of the breach. This notification shall include, at a minimum, the nature of the breach, the categories and approximate number of Data Subjects concerned, the categories and approximate number of Personal Data records concerned, the likely consequences of the breach, and the measures taken or proposed to be taken by Codesi to address the breach.

6.1.2. Ongoing Communication: Codesi shall keep the Business Client informed of any developments related to the breach, including the results of any investigation and the measures taken to mitigate its potential adverse effects.

6.2. Assistance with Breach Notification Obligations

6.2.1. Compliance Support: Codesi shall assist the Business Client in ensuring compliance with its obligations under Applicable Data Protection Laws regarding the notification of Personal Data Breach to a supervisory authority and, where applicable, to the Data Subjects concerned. This assistance may include providing relevant information and documentation about the breach and the steps taken to mitigate its impact.

7. Mutual Assistance and Audits

7.1. Assistance with Compliance

7.1.1. General Assistance: Codesi shall assist the Business Client in ensuring compliance with the Business Client’s obligations under Applicable Data Protection Laws, particularly in relation to data security, impact assessments, breach notifications, and responding to Da Subject requests. This assistance shall include providing access to relevant records and documentation that demonstrate Codesi's compliance with its obligations under this Agreement.

7.1.2. Data Protection Impact Assessments: Upon request, Codesi shall provide the Business Client with reasonable assistance in carrying out data protection impact assessments and prior consultations with supervisory authorities, as required by Applicable Data Protection Laws. This assistance may include providing necessary information about processing activities, security measures, and any associated risks.

7.2. Audit Rights

7.2.1. Right to Audit: The Business Client has the right to have Codesi’s data processing activities audited to ensure compliance with the terms of this Agreement and Applicable Data Protection Laws. Such audits must be conducted by an independent, reputable audit firm mutually agreed upon by both parties.

7.2.2. Conducting Audits: Audits shall be conducted with reasonable prior notice (at least 30 days) to Codesi, during regular business hours, and in a manner that minimizes disruption to Codesi’s operations. The audit firm will be required to enter into a confidentiality agreement with Codesi that includes confidentiality obligations equivalent to those set out in this Agreement.

7.2.3. Frequency of Audits: Audits may be conducted no more than once per year, except in cases where there is a reasonable suspicion of a breach of this Agreement or Applicable Data Protection Laws, or if required by a Supervisory Authority.

7.2.4. Access to Information: Codesi shall provide the audit firm with access to a information necessary to demonstrate compliance with its obligations under this Agreement. This includes records of processing activities, security measures, and any relevant certifications or third-party audit reports.

7.2.6. Remediation: If the audit reveals any deficiency in Codesi’s compliance with its obligations under this Agreement or Applicable Data Protection Laws, Codesi shall promptly take corrective actions to address the deficiency. The parties shall mutually agree on the timeline for implementing such corrective actions.

8. Term and Termination

8.1. Duration of the Agreement

This Data Processing Agreement (DPA) shall commence on the effective date of the main service agreement between Codesi and the Business Client and shall continue in full force and effect for as long as Codesi processes Personal Data on behalf of the Business Client under the main service agreement.

8.2. Data Deletion Upon Termination

Codesi shall securely delete all Personal Data processed on behalf of the Business Client within 30 days following the termination of this DPA, unless the Business Client requests the return of the data or unless storage of the Personal Data is required by Applicable Data Protection Laws.

9. Liability

9.1. Limitation of Liability

9.1.1. Cap on Liability: To the maximum extent permitted by Applicable Data Protection Laws, the total aggregate liability of Codesi (the Data Processor) to the Business Client (the Data Controller) under this DPA, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall not exceed the total amount paid by the Business Client to Codesi under the main service agreement during the 12 months immediately preceding the event giving rise to the claim.

9.1.2. Exclusion of Certain Damages: Codesi shall not be liable to the Business Client for any indirect, incidental, special, punitive, or consequential damages, or for any loss of profits, revenue, data, or use, even if Codesi has been advised of the possibility of su damages.

9.1.3. Exclusions and Limitations: The limitations of liability in this section shall apply to the maximum extent permitted by law.

9.2. Contribution to Liability

9.3.1. Shared Responsibility: The parties acknowledge that the Business Client’s instructions and decisions regarding the processing of Personal Data play a significant role in the compliance with data protection obligations. Therefore, Codesi shall not be held liable for any damages arising from or in connection with processing activities that are the result of instructions given by the Business Client, unless such instructions are inconsistent with or contrary to Applicable Data Protection Laws.

9.3.2. Mitigation of Liability: The Business Client agrees to take all reasonable steps to mitigate any loss or damage that may arise from any breach of this DPA or Applicable Data Protection Laws.

10. Miscellaneous

This DPA is subject to provisions of Section 14 “Miscellaneous” of the Terms mutatis mutandis which are incorporated herein by reference.