Data Processing Addendum (DPA)

Data Processing Addendum (DPA)

Last Updated: October 28, 2025

This Data Processing Addendum („DPA”) forms part of the services agreement between Mažoji bendrija Ecom sprendimai („Processor”) and the Client („Controller”) and reflects the parties’ agreement with regard to the processing of Personal Data in accordance with GDPR requirements.

1. Definitions

  • Personal Data: As defined in GDPR Article 4(1)
  • Processing: As defined in GDPR Article 4(2)
  • Controller: The client who determines purposes and means of processing
  • Processor: Ecom Solutions, processing data on behalf of Controller

2. Scope and Purpose of Processing

The Processor shall process Personal Data only:

  • On documented instructions from the Controller
  • For the specific purposes outlined in the services agreement
  • In compliance with GDPR and applicable data protection laws

3. Data Subject Rights

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under GDPR, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to data portability
  • Right to object

4. Security Measures

The Processor implements appropriate technical and organizational measures, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Regular security testing and audits
  • Incident response procedures
  • Staff training on data protection

5. Sub-Processors

The Processor may engage sub-processors (e.g., cloud hosting providers) with Controller’s consent. All sub-processors are bound by equivalent data protection obligations.

Current sub-processors may include:

  • AWS (cloud hosting)
  • Google Cloud Platform (cloud hosting)
  • Microsoft Azure (cloud hosting)

6. Data Transfers

Personal Data will be processed within the European Economic Area (EEA). Any transfers outside the EEA will be protected by appropriate safeguards (Standard Contractual Clauses, adequacy decisions, etc.).

7. Data Breach Notification

The Processor shall notify the Controller without undue delay (within 24 hours) upon becoming aware of a personal data breach.

8. Data Deletion

Upon termination of services, the Processor shall delete or return all Personal Data to the Controller, unless legal retention is required.

Contact for DPA Inquiries

Email: dpo@ecomsolutions.cc
For a signed DPA specific to your project, please contact us.

Į viršų