Data Processing Agreement
Last updated: February 26, 2026
This Data Processing Agreement (the “DPA”) supplements the Agreement (as defined below) by and between Customer and Partium (both defined in the Agreement) for the sole purpose of reflecting the Parties’ agreement with regard to the processing of personal data by Partium and the requirements of relevant privacy and data protection laws.
WHEREAS the Parties (or their respective Affiliates) have entered into the Partium Master Software License and Services Agreement or similar agreement (the “Agreement”);
WHEREAS in connection with such Agreement, Partium and its Affiliates (hereinafter the “Processor”) will Process certain Personal Data on behalf of Customer (hereinafter the “Controller”);
THEREFORE, the Parties agree to enter into the terms of this DPA, in furtherance of, and without relieving, removing or replacing, a Party’s obligations or rights under the Data Protection Laws (as defined below).
Each Party acknowledges having sufficient legal capacity to execute the DPA.
1. DEFINITIONS
The terms “Controller”, “Processor”, “Data Subject”, “Member State”, “Personal Data”, “processing” and “Supervisory Authority” shall have the same meaning as in the General Data Protection Regulation 679/2016 (“GDPR”).
All capitalized terms not otherwise defined herein shall have the meanings set forth in the Agreement.
2. OBJECT AND TERM
This DPA regulates the processing of Personal Data by Partium and the Customer with respect to data under the responsibility of the Controller and applies for the term of the Agreement and for as long as the Processor processes Personal Data on behalf of the Controller (the “Controller Personal Data”).
The purposes, the type of Personal Data, and categories of Data Subjects are as described below and in additional addenda executed by both Parties in the case of extending any Personal Data processing.
3. DATA PROTECTION LAWS COMPLIANCE
Each Party shall comply with all applicable laws relating to privacy and data protection, including the GDPR, the EU Privacy and Electronic Communications Directive (2002/58/EC) as implemented in each jurisdiction, and any amending or replacement legislation from time to time (collectively and individually, “Data Protection Laws”).
4. DATA ACCESSED AND PURPOSE OF THE PROCESSING
Partium has access to the type of personal data and the categories of Data Subjects described below in Annex I, for the purposes described therein.
5. RIGHTS AND RESPONSIBILITIES OF PARTIUM AS THE PROCESSOR
As established in the GDPR, Partium, as Processor, shall:
- Process Controller Personal Data only based on documented instructions from the Controller, which may be provided in writing, by email, or through secure online portals as agreed by the Parties, including with regard to transfers of Controller Personal Data to a third country or international organization, unless otherwise required to do so under Union law or applicable Member State law. In such case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such information. The Processor shall promptly inform the Controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
- Ensure that all the persons authorized to process Controller Personal Data have undertaken to respect confidentiality or are subject to an obligation of confidentiality.
- Implement and maintain the technical and organizational security measures (the "TOM") available to Controller at https://partium.io/legal/tom. The Processor shall not materially decrease the overall security of the services during the term of this DPA. The Processor shall notify the Controller in advance of any material change to the TOMs that could adversely affect the protection of Controller Personal Data.
- Not have recourse to another Processor, besides the ones authorized by the Controller.
- Assist the Controller, taking into account the nature of the processing, through appropriate technical and organizational measures whenever possible, so that it can comply with its obligation to respond to requests for the exercise of the rights of the Data Subjects.
- Assist the Controller, upon request, in carrying out data protection impact assessments (DPIAs) and, where applicable, prior consultations with Supervisory Authorities, taking into account the nature of processing and the information available to the Processor.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations established herein, as well as to allow and contribute to the performance of audits, including inspections, by the Controller or other authorized auditors for the Controller.
- Process the Controller Personal Data placed at the disposal of the Processor in a way that ensures that the personnel in charge follow the instructions of the Controller.
- Where the Processor has adopted a code of conduct or certification mechanism approved under Article 40 or 42 of the GDPR, the Processor shall provide details of such adherence to the Controller upon request.
- Keep a record of processing activities in the case of processing Controller Personal Data that may pose a risk to the rights and freedoms of the Data Subject and / or in a non-occasional manner, or which involves the processing of special categories of data and / or data relating to convictions and infractions.
- The Controller shall have the right to carry out inspections of the systems and information strictly necessary and only to the extent that they are related to the processing of the Controller Personal Data in consultation with the Processor or to have them carried out by inspectors to be named in individual cases, at the Controller’s own expense and bound by confidentiality agreements. The Controller shall remain fully responsible for the actions and omissions of any inspectors acting on its behalf. It shall have the right to satisfy itself of the Processor's compliance with this DPA in its business operations during normal business hours by means of spot checks, which must be notified in good time.
- The Processor shall ensure that the Controller can satisfy itself of the Processor's compliance with its obligations pursuant to Art. 28 of the GDPR. The Processor undertakes to provide the Controller with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organizational measures.
6. DATA SUBJECTS' EXERCISE OF THEIR RIGHTS
If the Processor receives a request from a Data Subject relating to Controller Personal Data, including a request to exercise any right under Data Protection Laws (including rights of access, rectification, objection, erasure, or data portability) (each a "Data Subject Request"), the Processor shall promptly, and in any case within three (3) business days, notify Controller.
Processor shall not respond to any Data Subject Request except on the documented instructions of Controller or as required by Data Protection Laws to which the Processor is subject. In the latter case, the Processor shall, to the extent legally permitted, inform the Controller of that legal requirement before responding to the request.
Taking into account the nature of the processing, Processor shall assist Controller by providing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller’s obligation to respond to Data Subject Requests in accordance with Data Protection Laws. Such assistance shall include:
- providing Controller with the ability to extract, amend, or delete Personal Data directly through the Service; or
- where the Controller cannot move or delete the data themselves, performing such actions upon Controller's written request.
Assistance provided by Processor in connection with Data Subject Requests shall be at Controller's sole expense, unless the request was necessitated by an error or breach of this DPA by the Processor.
7. SUBCONTRACTING
As Processor, Partium shall not provide access to any subcontractor (data sub-processor) to Controller Personal Data, with the exception of the sub-contractors indicated in Annex II. The Processor ensures that an agreement with the sub-contractors mentioned in Annex II is in place which is sufficient to require it to process personal data in accordance with the applicable provisions of this agreement and applicable law, imposing the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures as required by Article 28 GDPR.
The Processor shall inform the Controller in advance of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes on reasonable grounds within 30 days of notice. In case of a justified objection, the Parties will discuss in good faith alternative solutions; if none can be found, the Controller may terminate the affected services upon written notice and subject to the terms set out in the Agreement.
8. INTERNATIONAL TRANSFER OF CONTROLLER PERSONAL DATA
No international transfer of Controller Personal Data may be performed, with the exception of the transfers to the international sub-contractors mentioned in Annex II.
Any international transfer of Controller Personal Data outside the European Economic Area (EEA) shall be subject to appropriate safeguards, such as the European Commission’s Standard Contractual Clauses, an adequacy decision, or other mechanisms approved under Data Protection Laws.
The Processor shall notify the Controller without undue delay if it believes it can no longer comply with the applied transfer mechanism and shall suspend the relevant transfers unless otherwise instructed by the Controller. The Processor shall provide evidence of such safeguards to the Controller upon request.
9. SECURITY BREACH OF THE CONTROLLER PERSONAL DATA
Insofar as there exists an instruction from a competent Supervisory Authority, a development of a national legislation or a delegated act, in the event of a security breach of the Controller Personal Data, the Processor shall notify Controller of such breach without undue delay, and in any case, no later than 48 hours after becoming aware of the personal data breach. Such notice shall, at a minimum, include the information required by Article 33(3) of the GDPR. Processor shall take immediate reasonable steps to mitigate the effects of the breach and shall provide regular updates to Controller as additional information becomes available.
10. TERMINATION, RESOLUTION AND EXPIRATION
In the event of termination, resolution or expiration of the relation between the Parties, the Processor shall not keep the Controller Personal Data unless otherwise legally required to do so.
Otherwise, upon termination, resolution or expiration of the DPA, or when no longer legally required to keep the data, the Processor shall, at the choice of the Controller and upon the Controller’s written request, destroy or return to the Controller all Controller Personal Data and any copy of it, as well as any support or other document containing any Controller Personal Data. The protocol of the deletion shall be submitted upon request.
| Customer | Partium |
| ________________________ | ________________________ |
| Name: | Name: |
| Date: | Date: |
ANNEX I - TYPE AND CATEGORIES OF DATA
In accordance with the provisions set out herein and in the GDPR, Partium can access and process the type and category of Personal Data provided by the Controller set out hereunder:
| Data Subjects | Categories of Data |
| Authorized Users | Email Address |
Nature of processing: organization, storage, consultation, use, disclosure by transmission, restriction, erasure, or destruction.
Purpose of processing: storing the data on and authorizing access to the Software.
ANNEX II - LIST OF SUB-PROCESSORS
The list of subcontractors having access to Controller Personal Data and international transfers is made available to Controller at https://trust.partium.io/subprocessors.
Such list may be updated by Processor from time to time subject to prior notice to the Controller and the objection right set out in the ‘Subcontracting’ section above.

