Data Processing Agreement (DPA)

This Data Processing Agreement ("Agreement") is entered into by and between FreshBeautyTech OU, operating Maker Meet ("Data Controller"), and its service providers ("Data Processor"), collectively referred to as "the Parties."

This Agreement ensures compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), regarding the processing of personal data.

1. Scope and Purpose of Processing

1.1. Purpose

The Data Processor shall process personal data only to provide services related to Maker Meet, as instructed by the Data Controller.

1.2. Categories of Data Subjects

• Users of Maker Meet, including individuals registering for, participating in, and engaging with the platform.

1.3. Types of Personal Data

• Names, email addresses, professional profiles, work experience, topics of interest, IP-based location data, device information, and cookies.
• Any other information provided by users or generated through platform activities.

1.4. Processing Activities

• Data storage, matching, meeting facilitation, analytics, notifications, newsletters, and marketing activities.

2. Obligations of the Data Processor

2.1. Compliance

The Data Processor shall comply with applicable data protection laws and only process personal data based on documented instructions from the Data Controller.

2.2. Confidentiality

All individuals processing personal data on behalf of the Data Processor must commit to confidentiality.

2.3. Sub-Processors

• The Data Processor may engage sub-processors with prior authorization from the Data Controller.
• Approved sub-processors include Supabase, among others.

2.4. Security Measures

The Data Processor shall implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or destruction.

3. Data Breach Notification

3.1. Obligation to Notify

The Data Processor shall notify the Data Controller of any personal data breach within 72 hours of becoming aware of the breach.

3.2. Details of Notification

The notification shall include:

• The nature of the breach
• Categories and approximate number of data subjects and records affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach

4. International Data Transfers

4.1. Transfers Outside the EU

• The Data Processor shall ensure that any transfer of personal data outside the EU complies with applicable data protection laws.
• Where necessary, the Data Processor shall rely on mechanisms such as Standard Contractual Clauses (SCCs) or equivalent safeguards.

5. Rights of Data Subjects

5.1. Assistance

The Data Processor shall assist the Data Controller in responding to data subject requests, including access, rectification, deletion, and portability of data, as required under GDPR.

6. Retention and Deletion

6.1. Upon Termination

• The Data Processor shall, at the choice of the Data Controller, either delete or return all personal data upon termination of services.
• Non-personal data may be retained for statistical or analytical purposes, as permitted by law.

7. Audits and Inspections

7.1. Access

The Data Controller may request audits or inspections to verify the Data Processor's compliance with this Agreement.

7.2. Cooperation

The Data Processor shall provide all necessary information to demonstrate compliance and allow audits by the Data Controller or its designated auditor.

8. Liability and Indemnity

8.1. Liability

The Data Processor shall be liable for damages resulting from non-compliance with this Agreement or applicable data protection laws.

8.2. Indemnity

The Data Processor shall indemnify the Data Controller against claims resulting from breaches of this Agreement.

9. Duration and Termination

9.1. Duration

This Agreement remains in effect as long as the Data Processor processes personal data on behalf of the Data Controller.

9.2. Termination

Upon termination, the provisions regarding confidentiality, liability, and data retention shall remain in effect.

10. Governing Law

10.1. Jurisdiction

This Agreement is governed by the laws of Estonia. Any disputes shall be resolved in the courts of Tallinn, Estonia.

By using Maker Meet services or acting as a Data Processor, both Parties agree to the terms outlined in this Agreement.