Data Processing Agreement (DPA)

Effective Date: 24/12/2024

• Definitions
• Roles and Responsibilities
• Processing of Personal Data
• Security Measures
• Sub-Processing
• Data Subject Rights
• Data Breach Notification
• Data Transfers
• Termination and Deletion
• Liability and Indemnity
• Governing Law
• Contact Information

This Data Processing Agreement ("DPA") is an agreement between:

1. Controller: The entity that determines the purposes and means of the processing of Personal Data (referred to as "You" or "Controller").
2. Processor: Veranet OÜ, a company registered in Estonia, operating the Veranet and VeraChat platforms (referred to as "We," "Us," or "Processor").

This DPA is incorporated into and forms part of the Terms of Service (ToS) governing the use of our services.

Definitions

1.1 Personal Data: Any information relating to an identified or identifiable natural person processed under this DPA.
1.2 Processing: Any operation performed on Personal Data, including collection, storage, use, and deletion.
1.3 Controller and Processor: As defined under the EU General Data Protection Regulation (GDPR).
1.4 Sub-Processor: Any third party engaged by the Processor to process Personal Data.

Roles and Responsibilities

2.1 Controller's Responsibilities:

• Ensure that the collection and sharing of Personal Data with the Processor comply with applicable laws.
• Define the purposes and lawful basis for processing.

2.2 Processor's Responsibilities:

• Process Personal Data only in accordance with the Controller's instructions.
• Implement technical and organizational measures to ensure the security of Personal Data.

Processing of Personal Data

3.1 Purpose: The Processor processes Personal Data solely to provide services under the Terms of Service.
3.2 Categories of Data: Includes user account details, communication records, and usage data.
3.3 Duration: Personal Data will be processed for the duration of the service relationship unless otherwise required by law.

Security Measures

The Processor will implement appropriate measures to protect Personal Data, including but not limited to:

• Encryption of data at rest and in transit.
• Regular security audits and risk assessments.
• Restricting access to authorized personnel only.

Sub-Processing

5.1 Authorized Sub-Processors: The Controller authorizes the use of Sub-Processors including:

• Stripe (payment processing)
• Google Analytics (data analytics)
• HubSpot (marketing)
• Amazon Web Services (cloud services)
• Microsoft Azure (LLM-provider)

5.2 Sub-Processor Obligations: Sub-Processors must comply with the same data protection obligations as set out in this DPA.

Data Subject Rights

The Processor will assist the Controller in fulfilling data subject rights under GDPR, including:

• Access, rectification, or deletion of Personal Data.
• Responding to objections or requests for data portability.

Data Breach Notification

The Processor will notify the Controller without undue delay upon becoming aware of any Personal Data Breach affecting the Controller's data.

Data Transfers

The Processor ensures that all data transfers outside the European Economic Area (EEA) comply with GDPR requirements, including the use of Standard Contractual Clauses (SCCs) or similar mechanisms.

Termination and Deletion

Upon termination of services, the Processor will:

• Return all Personal Data to the Controller upon request.
• Permanently delete all Personal Data from our systems, unless required by law to retain it.

Liability and Indemnity

The Processor's liability for breaches of this DPA will be subject to the limitations set out in the Terms of Service.

Governing Law

This DPA will be governed by the laws of Estonia.

Contact Information

For questions about this DPA, please contact:

Veranet OÜ
Email: support@veranet.io
Address: Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, 15551

By using our services, you agree to this DPA.