Data Processing Addendum (DPA)
GDPR Article 28 · Last updated: 2026-05-14 · Effective date: TBD (on counsel sign-off)
This document is a working draft pending review by external counsel. It is not enforceable until the effective date below is replaced with a real date. For commercial commitments, refer to the executed agreement we send with your order form. Effective date: TBD — adopting on counsel sign-off.
This DPA forms part of the Order Form between you (“Controller”) and Advisio s.r.o. (“Processor”, “we”) and governs Processor's handling of personal data in connection with the platform service. Where any provision of the Order Form conflicts with this DPA on data protection, this DPA prevails. Terms in italics have the meaning given in Article 4 GDPR.
1. Subject matter, nature and purpose
Processor processes personal data on behalf of Controller exclusively for the purpose of providing the platform service described in the Order Form: reporting, audit, and analytics on advertising and ecommerce data the Controller chooses to connect. Processing operations include storage, structuring, retrieval, and erasure.
2. Duration
The DPA takes effect on the Order Form effective date and ends 30 days after the subscription terminates (the export-grace window). Article 28 obligations continue for any period during which residual personal data is retained — e.g. in time-limited backups.
3. Categories of data subjects and personal data
Data subjects:
- Controller's authorised users (your employees).
- Controller's end-users (visitors / customers of Controller's websites), to the limited extent their identifiers are exposed by the connected advertising platforms.
Categories of personal data:
- Account data (email, name, locale, timezone, hashed password, 2FA enrolment status).
- Authentication credentials (OAuth refresh tokens, API keys; envelope-encrypted at rest).
- Audit-log entries (IP address, user agent, action metadata).
- Aggregated daily metrics by campaign — no individual end-user PII is ingested.
4. Controller's obligations
- Comply with applicable data protection laws as Controller.
- Ensure a lawful basis for any personal data made available to Processor.
- Provide accurate and lawful processing instructions through the Order Form, this DPA, and the standard product interfaces.
- Respond to data-subject rights requests, with Processor's assistance under §6.
5. Processor's obligations
Processor will:
- process personal data only on documented Controller instructions and the necessary operations described in §1;
- ensure persons authorised to process are bound by confidentiality;
- implement the technical and organisational measures in Annex 2;
- not engage a new sub-processor without Controller's prior general authorisation per §7;
- assist Controller, taking the nature of processing into account, in fulfilling its Article 32–36 obligations;
- at Controller's choice, delete or return all personal data after termination, subject to retention required by law (e.g. tax records);
- make available all information necessary to demonstrate compliance and allow audits per §9;
- inform Controller without delay if an instruction infringes data-protection law.
6. Assistance to Controller
Processor assists Controller, by appropriate technical and organisational measures and to the extent reasonably possible, in responding to requests for the exercise of data-subject rights (Articles 15–22), including via self-service endpoints such as GET /api/v1/auth/me/export/. Processor also assists with security (Art. 32), breach notification (Art. 33–34), DPIA (Art. 35), and prior consultation (Art. 36).
7. Sub-processors
Controller grants Processor general authorisation to engage the sub-processors listed at the public sub-processors page, which forms Annex 3. Processor will notify Controller at least 30 days before adding or replacing a sub-processor. Controller may object on reasonable data-protection grounds; if the parties cannot agree on a remedy, Controller may terminate the affected services without penalty for the remainder of the term.
Processor remains fully liable to Controller for any sub-processor's performance of its data-protection obligations.
8. International transfers
Production data stays within the European Economic Area. Where a sub-processor processes data outside the EEA, Processor relies on:
- Standard Contractual Clauses (Commission Implementing Decision 2021/914), incorporated by reference; and
- the EU-US Data Privacy Framework where applicable (for US-based recipients certified under the Framework).
9. Audits
Processor will make available the information necessary to demonstrate compliance with Article 28, including recent third-party audit reports (when available) under NDA. Controller may, with at least 30 days' written notice and no more than once per 12 months, conduct an audit at its own cost, during normal business hours, in a manner that does not disrupt operations and respects the confidentiality of other customers. Regulator-mandated audits are permitted without these limits.
10. Personal data breach
Processor will notify Controller without undue delay — and in any event within 72 hours of becoming aware — of a personal data breach affecting Controller's data. The notification will include the categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed.
11. Return / deletion on termination
Within 30 days of termination, Controller may export Customer Data via the standard product interfaces. After that window Processor deletes all personal data from production systems within 30 days and from backups by their natural expiry (max 6 months). Processor will confirm deletion in writing on request, subject to statutory retention requirements (e.g. tax invoices retained 10 years per Czech law).
12. Liability and signing
Each party's liability under this DPA is subject to the limits and exclusions in the Terms of Service. For a signed DPA (countersigned PDF), contact dpa@advisio.cz.
Annex 1 — Details of processing
- Subject matter
- Provision of the platform reporting and audit service.
- Duration
- Subscription term + 30-day export grace + backup expiry (max 6 months).
- Nature & purpose
- Storing, structuring, retrieving, aggregating, and erasing personal data to deliver dashboards, audits, and notifications.
- Categories of data subjects
- Controller's authorised users; in limited cases Controller's end-users via campaign-level identifiers from connected platforms.
- Categories of data
- Account data, authentication credentials (encrypted), audit-log entries, aggregated campaign metrics.
Annex 2 — Technical & organisational measures (Art. 32)
- Pseudonymisation & encryption
- TLS 1.3 in transit; AES-128 (Fernet) at rest, per-record DEKs wrapped by a master key held in a KMS (production).
- Confidentiality
- Mandatory 2FA for staff; least-privilege access; Postgres row-level security across all tenant-scoped tables; append-only audit log enforced by DB trigger.
- Integrity
- Database-level UPDATE/DELETE triggers on audit tables; cryptographic signing of session tokens; rotating JWT refresh tokens.
- Availability & resilience
- Daily encrypted Postgres backups (7d / 4w / 6mo rotation); ClickHouse partition-based retention; structured logs + Sentry alerting; documented incident-response plan.
- Regular testing
- CI runs ruff + mypy + Django checks + pytest on every PR; quarterly restore drill from backup; annual penetration-test plan (third-party).
- Vendor management
- DPA in place with every sub-processor (see Annex 3); 30-day advance notice of any change with right to object.
Annex 3 — Sub-processors
- Current list
- Maintained at our public /sub-processors page — covers infrastructure (Hetzner, Cloudflare, Sentry), connected data sources (Google, Meta, Microsoft, Sklik, Heureka, Shopify / Shoptet / WooCommerce), and operational tooling (Stripe, ComGate, Superfaktura).