Data Processing Addendum

Definitions

• “Controller” means the entity that determines the purposes and means of the processing of personal data.
• “Processor” means the entity that processes personal data on behalf of the Controller.
• “Data Subject” means an individual who is the subject of personal data.
• “Personal Data” means any information relating to a Data Subject that identifies or can be used to identify the Data Subject.
• “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means.

Introduction

The Data Processing Terms set out below apply to the processing of personal data by Proximity LP, the operator of the Proxima Analytics service (the "Service"), on behalf of subscribers to the Service who are subject to the General Data Protection Regulation (GDPR) and use the Service with an active account in accordance with the Proxima Analytics terms and conditions. These Data Processing Terms should be read in conjunction with the Proxima Analytics terms and conditions, which can be found at proxima.so/terms.

As the processor of personal data on behalf of our subscribers, we are responsible for implementing appropriate technical and organizational measures to protect the personal data we process. We will only process the personal data in accordance with our subscribers' instructions and will not use it for any other purpose without their prior consent. We will assist our subscribers in fulfilling their obligations under the GDPR, including their obligations to respond to requests from individuals exercising their rights under the GDPR.

All terms used in these Data Processing Terms that coincide with terms used in the GDPR will have the same meaning as assigned to them in the GDPR.

Purpose and Subject Matter

As the processor of personal data on behalf of our subscribers, we will only process the personal data for the purposes of providing the Service in accordance with the Proxima Analytics terms and conditions. We will anonymise and aggregate personal data when using data to provide, improve, or modify the Services. The processing of personal data will be limited to the categories of personal data that are facilitated by the Service, for the purposes specified above, and only to the extent necessary to fulfil those purposes. This will include IP addresses and browsers’ User-Agents.

The categories of data subjects will be visitors to websites where our subscribers have incorporated the Service. Additional information on how we implement privacy-by-design, anonymisation and data minimisation can be found on our website at proxima.so/data. We do not store, modify, or share any personal data. We also do not use any personal data for any purpose other than to provide the Service. The stored information is obfuscated, encrypted and anonymised and is not linked to individual users, authorities, or other entities using the Service.

Scope of Processing

The Processor will process the Personal Data only for the specific purposes and in accordance with the instructions set forth in this DPA.

The Processor will not disclose the Personal Data to any third party, unless required by law or with the prior written consent of the Controller.

Your Rights and Obligations as Controller

As the Controller of your personal data, you agree and warrant that:

1. You have a legal basis for submitting the personal data to us for processing, and that you are responsible for the accuracy, integrity, content, and legality of the personal data processing, including the legality of any third-country transfer or additional instructions.
2. The processing of personal data is not in violation of the GDPR and any local laws applicable to you.
3. You are the party responsible for notifying the relevant regulatory authorities and/or data subjects in the event of a personal data breach, in accordance with the GDPR and other applicable data protection regulations.
4. You have carried out a risk assessment and determined that the Service's security measures are appropriate and proportionate for the applicable processing.
5. We, as the Processor, have provided sufficient guarantees in terms of logical, technical, and organisational security measures.

Our Obligations as Processor

As the Processor of your personal data, we will:

1. Only process the personal data in accordance with these Data Processing Terms, the Proxima Analytics Terms and Conditions, or your reasonable written instructions.
2. Ensure that persons authorised to process the personal data are subject to adequate confidentiality obligations.
3. Ensure that every IP address and User Agent processed is anonymised, not stored, and not used for any purpose other than to provide the Service. This information will be processed on EU-owned and controlled servers and will not be transferred outside the EU. This measure is in response to the Schrems II ruling (C-311/18 - Facebook Ireland and Schrems).
4. Implement appropriate security measures when processing personal data, in accordance with GDPR article 32.
5. Provide reasonable assistance, to the extent possible, with your obligations under GDPR articles 32 to 36 and for the fulfilment of your obligation to respond to requests from data subjects exercising their rights under the GDPR.
6. Notify you without undue delay in the event of a personal data breach and assist in providing the information necessary for you to comply with your obligations under GDPR articles 33 and 34.
7. Unless prohibited by law, notify you of any government access requests and only disclose personal data to government authorities or third parties when strictly necessary to comply with a legally binding request.

Audit

You accept and acknowledge that security audits and inspections may be performed by an independent third party. We will conduct regular self-audits of our data processing activities and systems, as well as our technical and organizational measures. The results of any audits or inspections will be made available to you upon request, and we will provide reasonable assistance in providing additional information if the audit results are not satisfactory for you to demonstrate compliance with applicable data protection regulations.

Use of Sub-Processors

We will enter into written agreements with our sub-processors to ensure that any processing of personal data carried out by a sub-processor is governed by the same obligations and limitations as those set out in these Data Processing Terms.

Our current list of sub-processors is included in Appendix 1, for which you have provided us with your prior and specific authorisation. You have also provided us with your general written authorisation to change an existing sub-processor or add a new one. We will provide 14 days' notice of any plans to change an existing sub-processor or add a new one. You have the right to object to such an addition or change, and must do so by terminating your use of the Service.

Deletion of Data

Due to the nature of our Services, we do not store or retain any personal data that we process on your behalf. In the event that your account expires or is terminated, all personal data will be automatically and securely deleted in accordance with applicable laws and regulations. This ensures that your personal data is not retained by us for any longer than necessary.

Duration and Termination

These terms shall come into effect upon the date of execution. If this Agreement is terminated or expires, the data processor shall remain bound by their confidentiality obligations. This means that the data processor must continue to protect any personal data that was processed during the course of the agreement, even after it has been terminated or expired.

Governing Law and Jurisdiction

This Data Privacy Policy and our processing of your personal data will be governed by the laws of Greece. Any disputes arising under or in connection with this Data Privacy Policy will be subject to the exclusive jurisdiction of the courts of Greece.

Severability

If any provision of this Data Privacy Policy is found to be invalid or unenforceable, that provision will be enforced to the maximum extent possible, and the remaining provisions will remain in full force and effect.

Appendix 1

The following sub-processors are used to operate the Service: