Data Processing Agreement (GDPR) – BidCraft.io
Data Processing Agreement (DPA)
Version: 1.0
This DPA forms an integral part of the BidCraft.io Service Agreement/Terms and is concluded in documentary form by acceptance (checkbox) during the order process.
§1. Roles of the parties
- The Customer is the Controller of the personal data it enters into, or has processed through, the Service.
- BidCraft.io (the Provider) is the Processor.
§2. Subject and duration of processing
- The Controller entrusts the Processor with the processing of personal data in connection with the provision of the SaaS Service.
- Processing continues for the term of the Agreement and for any technically justified period of data deletion thereafter, as set out in §10.
§3. Scope: categories of data, data subjects and processing activities
- Data subjects: the Controller’s employees/collaborators, contact persons of counterparties, system users, and other individuals whose data the Controller enters into the Service.
- Categories of data: identification and contact data (e.g. name, email, phone), organisational data (job title, company), account identifiers, event logs, IP address, and other data entered by the Controller.
- Processing activities: recording, storage, organisation, retrieval (incidental, for support purposes only), modification (on the Controller’s instructions), deletion.
§4. Controller instructions
- The Processor processes data only on documented instructions from the Controller, unless required by law.
- Instructions include in particular: Service configuration, User actions, support requests, and instructions communicated in writing (email/ticket).
§5. Confidentiality and authorisation
- The Processor ensures that persons authorised to process data are bound by confidentiality.
- Access to data is limited to what is necessary (least privilege).
§6. Support access to DB/logs
- The Processor may access logs and/or the database only where necessary for: (a) diagnosing and resolving reported issues, (b) security and continuity, (c) incident response.
- Access is generally provided upon the Controller’s request; in emergencies, the Controller is informed without undue delay.
§7. Security measures (Art. 32 GDPR)
The Processor implements appropriate technical and organisational measures, in particular:
- encryption in transit (TLS/HTTPS),
- access control and roles,
- monitoring and event logging,
- infrastructure safeguards and updates,
- incident response procedures.
§8. Subprocessors – OVH
- The Controller consents to the use of subprocessor OVHcloud (OVH) for hosting/infrastructure.
- The Processor ensures that OVH provides at least equivalent data protection measures.
- The Processor will inform the Controller of any change of subprocessor at least 14 days in advance, allowing the Controller to object on justified grounds.
§9. Transfers outside the EEA
- Data is processed within the EEA as a rule.
- Where a transfer outside the EEA is necessary, the Processor will ensure an appropriate legal basis (e.g. SCCs) and inform the Controller.
§10. Deletion/return of data after termination
- After termination of the Agreement, the Processor deletes the personal data or, where the Service supports it, enables the Controller to export the data before deletion.
- Data may be retained longer only where required by law.
§11. Assistance with data subject rights and Controller obligations
- The Processor assists the Controller, where possible, in fulfilling data subject rights (Arts. 12–22 GDPR) and in impact assessments and consultations, where relevant.
- The scope of assistance is limited by the technical capabilities of the Service.
§12. Data breaches
- The Processor notifies the Controller of a personal data breach without undue delay after becoming aware of it, together with available information needed to comply with Arts. 33–34 GDPR.
§13. Audits
- The Controller may conduct an audit no more than once per year, on a date agreed in advance with at least 14 days’ notice.
- Audits must not compromise the security of other customers or the Processor’s business secrets.