Data Processing Agreement (DPA)

Last Updated: [Date]

This Data Processing Agreement ("DPA") forms part of the Terms of Service between tehnoinvestai ("Processor" or "we") and the user ("Controller" or "you") using our Services where we process Personal Data on your behalf.

This DPA applies where and only to the extent that tehnoinvestai processes Personal Data subject to GDPR or UK GDPR on behalf of the Controller in the course of providing the Services.

1. Definitions

Terms like "Personal Data," "Data Subject," "Processing," "Controller," "Processor," and "Personal Data Breach" shall have the meanings ascribed to them in the General Data Protection Regulation (EU) 2016/679 ("GDPR") or the UK equivalent ("UK GDPR").

2. Processing of Personal Data

2.1 Roles: The parties acknowledge that for the purposes of this DPA, the Controller is the controller and tehnoinvestai is the processor of any Personal Data processed on behalf of the Controller.

2.2 Controller's Instructions: tehnoinvestai shall only Process Personal Data on behalf of and in accordance with the Controller’s documented instructions, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Controller’s initial instructions are set out in this DPA and the Terms of Service.

2.3 Details of Processing:

• Subject matter and duration of the Processing: Providing the Services to the Controller for the duration specified in the Terms of Service.
• Nature and purpose of the Processing: Collecting, storing, organizing, analyzing (via AI where applicable), and displaying Personal Data as necessary to provide the financial literacy courses, tools, and support Services requested by the Controller.
• Type of Personal Data: Name, email address, contact details, payment information (processed by third-party), account usage data, learning progress, voluntarily provided financial information or goals, IP address, browser information, cookie data.
• Categories of Data Subjects: Users of the Controller who access the tehnoinvestai Services (e.g., employees, customers, students of the Controller, depending on context - typically the individual user is the Controller in this B2C setup).

3. Processor's Obligations

tehnoinvestai agrees to:

• Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as detailed in our Privacy Policy.
• Respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor (sub-processor). Where tehnoinvestai engages a sub-processor, it shall impose the same data protection obligations as set out in this DPA on that sub-processor. A list of current sub-processors can be provided upon request.
• Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR.
• Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
• At the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
• Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

4. Controller's Obligations

The Controller warrants that:

• It has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including the GDPR/UK GDPR.
• It has obtained all necessary consents or has other lawful bases for the processing of Personal Data by tehnoinvestai pursuant to this DPA and the Services.
• It will provide clear and documented instructions to tehnoinvestai regarding the processing of Personal Data.

5. Data Transfers

Where the processing involves the transfer of Personal Data outside the European Economic Area (EEA) or the UK, such transfers shall be conducted in compliance with Chapter V of the GDPR/UK GDPR, potentially relying on adequacy decisions, Standard Contractual Clauses (SCCs), or other appropriate safeguards.

6. Term and Termination

This DPA will commence on the date the Controller agrees to the Terms of Service and will remain in effect until the termination or expiration of the Services agreement, unless terminated earlier in accordance with its terms.

7. Governing Law

This DPA shall be governed by the laws of England and Wales.

8. Contact

For any questions regarding this DPA, contact [email protected].

« Back to Home