Data Protection Agreement

This Data Processing Agreement (the “DPA”) is concluded between Bubty and Customer (each a “Party” and collectively the “Parties”) as part of the terms and conditions and agreed on the signing date (the “Effective Date”).

Definitions:

• bubty.com – Bubty’s SaaS application used to provide the Services

• Customer Personal Data – any Personal Data Processed by Bubty on behalf of Customer in connection with the provision of Services;

• Data Protection Laws – all data protection laws which apply to and govern the Processing of Customer Personal Data, to the extent applicable, including but not limited to the GDPR and California Consumer Privacy Act (CCPA);

• GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

• Personal Data, Process(ing), Controller, Processor, Data Subject, Personal Data Breach shall have the meaning ascribed to them in the GDPR;

• Services – the services provided by Bubty to Customer under the Terms of Use;

• Sub-Processor – any person (including any third party, but excluding an employee of Bubty) appointed by or on behalf of Bubty to Process Customer Personal Data on behalf of Customer in connection with the provision of the Services.

Any capitalised terms not otherwise defined in this DPA shall have the meaning given to them in the Terms of Use .

Applicability

1. This DPA applies to the Processing of Customer Personal Data exchanged between the Parties in the context of the provision of Services. An overview of the categories of Customer Personal Data, the categories of Data Subjects, and the nature and purposes for which the Customer Personal Data are being processed is provided in Annex 1.

2. Customer is Controller and Bubty is Processor in relation to the Processing of Customer Personal Data. Bubty will only process the Customer Personal Data on documented instructions of Customer. Bubty shall immediately notify Customer if, in its opinion, any instruction infringes this DPA, Data Protection Laws or other applicable laws. Such notification will not constitute a general obligation on the part of Bubty to monitor or interpret the laws applicable to Customer, and such notification will not constitute legal advice to Customer.

3. The Parties have entered into the Terms of Use in order to benefit from the capabilities of the Processor in processing the Customer Personal Data for the purposes set out in Annex 1. Bubty shall be allowed to exercise its own discretion in the selection and use of any means as it considers necessary to pursue those purposes, provided that all such discretion is compatible with the requirements of this DPA and in particular Customer’s documented instructions.

4. Customer warrants that it has all necessary rights to provide the Customer Personal Data to Bubty for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in Data Protection Laws support the lawfulness of the transfer and Processing at all times. To the extent required by Data Protection Laws, Customer is responsible for ensuring that all necessary privacy notices are provided to Data Subjects. Customer is responsible for ensuring that the Processing of Customer Personal Data it chooses to Process in bubty.com is permissible under Data Protection Laws and other applicable laws, and consistent with applicable requirements.

5. For the avoidance of doubt, Customer acts as a Data Controller including with respect to Personal Data provided by Data Subjects invited to bubty.com by Customer (e.g. freelancers) and all Personal Data provided by such Data Subjects will be deemed to constitute Customer Personal Data provided to Bubty by Customer to which all the terms of this DPA shall apply. Any actions relating to Customer Personal Data in bubty.com taken by Data Subjects such as freelancers (e.g. providing, updating, or deleting Customer Personal Data) will be deemed to have been approved by Customer.

Confidentiality

1. Bubty shall treat all Customer Personal Data as confidential and it shall inform all its employees, agents, and Sub-Processors engaged in Processing of the Customer Personal Data of the confidential nature of the Customer Personal Data. Bubty shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.

2. Bubty shall not retain, use, or disclose the Customer Personal Data for any purpose other than for the purposes outlined in this DPA and the Terms of Use, and shall in particular not retain, use, or disclose the Customer Personal Data for a commercial purpose other than providing to Customer the Services in a manner consistent with the requirements specified in this DPA and the Terms of Use. Bubty shall also not sell the Customer Personal Data and shall not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Bubty and Customer in a manner inconsistent with the terms of this DPA. Bubty shall also not combine the Customer Personal Data that it receives from, or on behalf of, Customer with Customer Personal Data that it receives from, or on behalf of, a third party, or collects from its own interaction with the respective Data Subject.

Security

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and Bubty shall implement appropriate technical and organisational measures to ensure a level of security of the Processing of Customer Personal Data appropriate to the risk. These measures shall include the security measures outlined in Annex 3.

Contracting with Sub-Processors

1. Customer authorises Bubty to appoint Sub-Processors in accordance with this Section 4. For the avoidance of doubt, any such appointment consistent with the requirements of this Section 4 shall constitute documented instructions within the meaning and for the purpose of this DPA.

2. Customer authorises Bubty to engage the Sub-Processors listed in Annex 2 for service-related Customer Personal Data Processing consistent with the activities described in Annex 1, including transfers to a third country, including a country outside of the European Economic Area without an adequate level of protection, as determined by the European Commission, insofar as applicable requirements of Data Protection Laws are met, such as the implementation of European Commission-approved Standard Contractual Clauses, where applicable.

3. Bubty shall inform Customer of any addition or replacement of such Sub-Processors giving Customer an opportunity to object to such changes. If Customer sends the Processor a written objection notice, setting forth a reasonable basis for objection, the Parties will make a good-faith effort to resolve Customer’s objection. In the absence of a resolution, Bubty will make commercially reasonable efforts to provide Customer with the same level of service described in the Terms of Use, without using that Sub- Processor to process Customer Personal Data. If Bubty’s efforts are not successful within a reasonable time, each Party may terminate the portion of the service which cannot be provided without the sub-processor, and Customer will be entitled to a pro-rated refund of the applicable Services fees.

4. Bubty shall ensure that the Sub-Processor is bound by a written contract including terms which offer at least the same level of protection as offered by Bubty under this DPA, and must in particular impose on its Sub- Processors the obligation to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of applicable Data Protection Laws.

5. Notwithstanding any authorisation by Customer within the scope of this Section 4, Bubty shall remain fully liable vis-à-vis Customer for the performance of any such Sub-Processor that fails to fulfil its data protection obligations.

Assistance to Customer

1. Bubty shall assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the Data Subject’s rights under the Data Protection Laws.

2. Taking into account the nature of processing and the information available to Bubty, Bubty shall assist Customer in ensuring compliance with obligations pursuant to Section 3 (Security), as well as other Customer obligations under Data Protection Law that are relevant to the Processing of Customer Personal Data, including notifications to a supervisory authority or to Data Subjects, the process of undertaking a Data Protection Impact Assessment, and with prior consultations with supervisory authorities, as might be needed.

Data Breach Notification

1. If Bubty becomes aware of a Personal Data Breach affecting Customer Personal Data, it shall promptly notify Customer about the incident, shall at all times cooperate with Customer, and shall follow Customer’s instructions with regard to such Personal Data Breach in order to enable Customer to perform a thorough investigation into the incident, and to take suitable further steps in respect of the Personal Data Breach, including communicating details of the Data Breach to supervisory authorities and/or Data Subjects, as might be needed. 

Returning or Destruction of Customer Personal Data

1. Upon termination of this DPA, upon Customer’s written request, or upon fulfilment of all purposes agreed in the context of the Services whereby no further Customer Personal Data Processing is required, Bubty shall, at the discretion of Customer, either delete or return all Customer Personal Data to Customer, and destroy or return any existing copies.

Auditing and Assistance with Information

1. Bubty shall make available to Customer all information necessary to demonstrate compliance with Bubty’s obligations and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. Unless otherwise required by a supervisory authority of competent jurisdiction, Customer shall be entitled on giving at least 30 days’ notice to Bubty to carry out, or have carried out by a third party who has entered into a confidentiality agreement with Bubty, audits of Bubty´s premises and operations as these relate to the Customer Personal Data.

2. Bubty shall provide Customer and/or Customer´s auditors with access to any information relating to the Processing of Customer Personal Data as may be reasonably required by Customer to ascertain Bubty´s compliance with this DPA.

Duration and Termination

1. Bubty shall process Customer Personal Data until the date of expiration or termination of the agreement under the Terms of Use, unless instructed otherwise by Customer, or until such data is returned or destroyed on instruction of Customer in accordance with Section 7.

Miscellaneous

This DPA shall come into effect on the Effective Date

1. Except as modified within this DPA, the terms of the Terms of Use shall remain in full force and effect, and supplement the terms of this DPA. In the event of a conflict between any provisions of the Terms of Use and the provisions of this DPA, the provisions of this DPA shall govern and control.

2. Should any provision of this DPA is found to be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

   1. Customer (including any Data Subjects invited to bubty.com by Customer, such as freelancers) may not use bubty.com to store or otherwise Process information governed by the Payment Card Industry Data Security Standard (PCI DSS), such as cardholder data, in the absence of an express prior written authorisation by Bubty.
       

Annex 1: Customer Personal Data Processing details 

Types of Customer Personal Data may include at the discretion of Customer:

• basic contact information, such as first and last name, email address, phone number, home address and country of residence

• role within the organisation of Customer;

• photos;

• professional information, such as employment history, education, professional skills, equipment used, work location preferences, social media accounts, professional/personal website, project portfolio, language proficiency

• information relating to the provision of services by a freelancer to Customer, such as hourly rate, payout details (e.g. amount and currency) and history;

• information typically seen on an invoice, such as bank account number (IBAN), home address, VAT registration number, tax identification number and other similar mandatory state registrations, where applicable;

• logs about work performance and other data produced and recorded within bubty.com as a result of using the Services as intended over a period of time;

• free-text information (e.g. notes and freelancer bio);

• attachments, such as CVs/resumes, documents from onboarding flow (e.g. NDA), compliance reports – and all information contained therein;

• any other data provided as (or within) an attachment or free-form text at the discretion of Customer or a Data Subject.

Categories of Data Subjects may include:

• freelancers/contractors;

• Customer account representatives.

Nature and purpose of the Customer Personal Data Processing:

• provision of Services to Customer on bubty.com

Annex 2: Approved Sub-Processors

Purposes of Processing:

Google Cloud Platform - GCP: To provide cloud infrastructure and platform services that support hosting and system monitoring.

• MailerLite: To manage contact information for marketing purposes and to send out newsletters and campaigns.

• KVK: To maintain and provide access to business registration details and company information. • Sentry: To monitor infrastructure for ensuring system reliability and performance.

• Pipedrive: To manage customer relationships and sales processes through a web-based CRM system.

• Google Analytics: To analyze website traffic and user behavior for improving service offerings.

• Stripe: To process payments and manage transactions.

Categories of Data Subjects and Personal Data:

Data Subjects: Clients, employees, suppliers, website users.

• Personal Data Categories: Contact details, financial information, user interaction data, employment details, IP addresses.

Categories of Recipients:

Internal Recipients: Marketing team, IT support team, Customer service, Finance department.

• External Recipients: External auditors, Regulatory authorities, Third-party service providers.

Transfers to Third Countries:

Data Transfer Countries: EU

Retention Schedules:

• Customer Data: Retained for the duration of the customer relationship plus 1 years according to legal requirements.

• Employee Data: Retained for the duration of employment plus 1 years for compliance with labor laws.

• Financial Data: Retained for 7 years to comply with tax legislation.

Technical and Organizational Security Measures:

Data Encryption: Use of end-to-end encryption for data in transit and at rest.
Access Controls: Implementation of role-based access control (RBAC) to ensure only authorized personnel have access to personal data.

• Data Backup: Regular data backups to prevent loss in case of an incident. I

ncident Response Plan: A defined process for responding to data breaches or security incidents.

Data Processing Activities:

Activity Log: Maintaining a log of all processing activities, including data collection, data entry, data access, data analysis, data sharing, and data deletion.

• Data Impact Assessments: Regular assessments to evaluate the risks associated with processing activities, especially when introducing new processing activities or technologies.

Compliance Documentation:

Consent Records: Where processing is based on consent, maintaining records of when and how consent was obtained.

• Data Processing Agreements: Contracts with third-party service providers that process personal data on behalf of your company.

• Policies and Procedures: Documentation of data protection policies, procedures, and training materials.
 

Annex 3: Security Measures 

Bubty shall:

1. ensure that the Customer Personal Data can be accessed only by authorised personnel for the purposes set forth in Annex 1 of this DPA;

2. take all reasonable measures to prevent unauthorised access to the Customer Personal Data through the use of appropriate physical and logical (passwords) entry controls, securing areas for data processing, and implementing procedures for monitoring the use of data processing facilities;

3. build in system and audit trails;

4. use secure passwords, network intrusion detection technology, encryption and authentication technology, secure logon procedures and virus protection;

5. account for all the risks that are presented by processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorised or unlawful storage, processing, access or disclosure of Customer Personal Data;

6. ensure pseudonymisation and/or encryption of Customer Personal Data, where appropriate;

7. maintain the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

8. maintain the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident;

9. implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing of Customer Personal Data;

10. monitor compliance on an ongoing basis;

11. implement measures to identify vulnerabilities with regard to the processing of Customer Personal Data in systems used to provide Services to Customer;

12. provide employee and contractor training to ensure ongoing capabilities to carry out the security measures established in policy.