Data Processing Agreement
Last updated: December 12, 2025
1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer" or "Controller") and Konty ("Processor") and defines the responsibilities and obligations related to the processing of personal data in accordance with applicable data protection laws.
By using Konty's services, you accept the data processing terms described in this document.
2. Definitions
- Personal Data: any information relating to an identified or identifiable natural person
- Controller: Customer who determines the purposes and means of processing personal data
- Processor: Konty who processes personal data on behalf of the Controller
- Data Subject: an identified or identifiable natural person to whom the personal data relates
- Processing: any operation or set of operations performed on personal data
3. Subject Matter and Duration of Processing
Konty will process personal data on behalf of the Customer solely for the purposes of providing point-of-sale software services, which includes:
- Sales and transaction management
- Inventory and stock management
- Customer data recording and management
- Reporting and analytics generation
- Technical support and system maintenance
This DPA remains in effect during the term of the Konty service agreement and terminates upon the termination of the agreement.
4. Processor Obligations (Konty)
Konty undertakes to:
- Process personal data only in accordance with documented instructions from the Customer
- Ensure that persons authorized to process personal data are committed to confidentiality
- Implement appropriate technical and organizational measures to protect the data
- Not engage other sub-processors without prior written consent from the Customer
- Assist the Customer in fulfilling data subjects' requests to exercise their rights
- Assist the Customer in ensuring compliance with data protection legal obligations
- Delete or return all personal data to the Customer after the end of service provision
- Make available to the Customer all information necessary to demonstrate compliance
5. Controller Obligations (Customer)
The Customer undertakes to:
- Be responsible for the lawfulness of personal data processing
- Provide clear and documented instructions regarding data processing
- Ensure that there is a legal basis for data processing
- Inform data subjects about processing in accordance with the law
- Respond to data subjects' requests related to their rights
6. Data Security
Konty implements the following data protection measures:
Technical Measures
- Encryption of data in transit and at rest
- Regular backup procedures and disaster recovery plan
- Protection against unauthorized system access
- Monitoring and detection of security incidents
- Regular updating and maintenance of security systems
Organizational Measures
- Access control and employee authorization
- Employee training on data protection
- Confidentiality agreements with all employees
- Data security policies and procedures
- Regular risk assessment and security audits
7. Sub-processors
Konty may engage third parties (sub-processors) to perform certain processing activities. Current sub-processors include:
- Cloud infrastructure and hosting providers
- Payment and financial service providers
- Analytics and monitoring service providers
Konty will inform the Customer of any planned change in sub-processors and provide an opportunity to object. All sub-processors will be contractually bound to the same data protection obligations as Konty.
8. Data Breaches
In the event of a personal data breach, Konty will:
- Without undue delay, and no later than 72 hours after becoming aware, notify the Customer of the breach
- Provide all relevant information about the nature and scope of the breach
- Take appropriate measures to mitigate and remediate the consequences
- Document all incidents and measures taken
- Cooperate with the Customer in notifying competent authorities and data subjects, if necessary
9. Data Subject Rights
Konty will assist the Customer in fulfilling data subjects' requests for:
- Access to personal data
- Rectification of inaccurate data
- Erasure of data ("right to be forgotten")
- Restriction of processing
- Data portability
- Objection to processing
Konty will respond to requests within a reasonable time, typically within 30 days, unless additional time is needed for complex requests.
10. International Data Transfers
If Konty transfers personal data outside the country where it was collected, it will ensure appropriate safeguards in accordance with applicable laws, including:
- Standard contractual clauses approved by competent authorities
- Transfer to countries with an adequate level of data protection
- Specific derogations provided by law
11. Audit and Inspection
Konty will allow the Customer or their authorized auditor to conduct audits of data protection measures, subject to reasonable notice and respect for business confidentiality and security requirements of Konty's systems.
Konty will regularly conduct internal audits and provide relevant certificates and evidence of compliance upon Customer's request.
12. Data Return and Deletion
After the end of service provision, Konty will, at the Customer's choice:
- Return all personal data to the Customer in a structured, standard, and machine-readable format
- Securely delete all personal data from its systems, including all copies
Deletion will be performed within 90 days after the termination of the agreement, unless law requires retention of certain data.
13. Liability and Limitations
Konty is liable for damages caused by breach of this DPA in accordance with the general terms of service.
Konty will not be liable for breaches caused by:
- Unlawful instructions from the Customer
- Actions of the Customer or their employees
- Force majeure or circumstances beyond Konty's control
14. Amendments
Konty reserves the right to amend this DPA to comply with legal changes or changes in business operations. You will be notified of any significant changes at least 30 days in advance.
Continued use of the service after the changes take effect constitutes acceptance of the amended DPA.
15. Contact Information
For all questions related to data processing, you can contact us:
Email: contact@konty.com
Address: Moskovska 153, 81000 Podgorica, Montenegro
Phone: +38267038553
16. Governing Law
This Data Processing Agreement is governed by the laws of the country of operation, including applicable data protection legislation. Any disputes will be subject to the jurisdiction of competent courts.