This Data Processing Agreement (“Agreement” or “DPA”) forms part of the Terms and Conditions and is entered into between:
Asset Payments Sp. z o.o., Bohaterów Warszawy 23/2, 02-495 Warsaw, Poland (“Processor”)
and the customer using the Service (“Controller”).
This Agreement applies where the Processor processes Personal Data on behalf of the Controller in the course of providing the Service, in accordance with Article 28 of Regulation (EU) 2016/679 (“GDPR”).
Terms used but not defined in this Agreement shall have the meaning given to them in the GDPR or the Terms and Conditions.
The subject matter of this Agreement is the processing of Personal Data by the Processor on behalf of the Controller for the purpose of providing the Service.
This Agreement remains in force for the duration of the underlying service agreement.
The Processor provides a SaaS platform that receives webshop order data via webhooks and forwards such data to third-party systems (including CRM, accounting, fiscal, or management platforms) as configured by the Controller.
Processing activities include receiving, storing temporarily, transforming, and transmitting data in an automated manner.
The Controller determines the purposes and means of processing Personal Data. The Processor processes Personal Data only on documented instructions from the Controller, unless required to do so by Union or Member State law.
The Controller represents and warrants that:
The Processor shall:
The Controller authorizes the Processor to engage subprocessors, including but not limited to: cloud infrastructure providers, payment processors, and email delivery services.
The Processor shall ensure that subprocessors are bound by data protection obligations equivalent to those set out in this Agreement.
Personal Data may be transferred outside the European Economic Area only where appropriate safeguards are in place, including standard contractual clauses or other lawful mechanisms.
The Processor implements technical and organizational measures appropriate to the risk, including access controls, encryption where appropriate, and monitoring of systems.
The Processor shall assist the Controller, to the extent reasonably possible, in fulfilling requests from data subjects to exercise their rights under GDPR.
In the event of a personal data breach, the Processor shall notify the Controller without undue delay after becoming aware of the breach.
The Controller may audit the Processor’s compliance with this Agreement only where required by law and upon reasonable prior written notice.
Audits shall not unreasonably interfere with the Processor’s business operations.
Upon termination of the Service, the Processor shall delete or return Personal Data in accordance with the Privacy Policy and applicable law, unless retention is required by law.
Liability under this Agreement is subject to the limitations set forth in the Terms and Conditions. Nothing in this Agreement increases the Processor’s liability beyond what is required by GDPR.
This Agreement is governed by the laws of Poland. Any disputes shall be resolved exclusively by the courts of Warsaw, Poland.
In the event of a conflict between this Agreement and the Terms and Conditions, this Agreement shall prevail with respect to data protection matters only.
For data protection matters, please contact office@assetpayments.com.