This Data Processing Agreement (the "DPA") governs how Oleksandr Koniev Strataforge (Jednoosobowa działalność gospodarcza, a sole proprietorship registered in CEIDG in Poland, VAT-registered, with its registered seat at ul. Złota 75A lok. 7, 00-819 Warszawa and tax identification number NIP 5214165020, REGON 544734689) processes personal data on behalf of a client. Strataforge acts as the processor; the client acts as the controller.
It is required by Article 28(3) of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") whenever Strataforge processes personal data that the client controls, for example contact-form submissions hosted on a client site, a client customer database, or analytics tied to identifiable users.
This DPA can be signed on its own or attached as an annex to a master services agreement (an "MSA") or a statement of work. Where it sits under an MSA, that MSA is the "Main Agreement" referenced below. The categories of data, data subjects, server locations and current sub-processors are set out in the Subprocessors page and in the schedule attached on execution. This DPA is entered into between two businesses and governs a controller-to-processor relationship.
Strataforge processes personal data only on the controller's documented instructions, never for its own purposes.
1. Subject matter, roles and duration
The client is the controller and decides why and how the personal data is processed. Strataforge is the processor and processes that data only to deliver the services under the Main Agreement, on the controller's documented instructions, and never for any purpose of its own (GDPR Article 28(3)).
The subject matter is the processing Strataforge performs to deliver the agreed services, for example hosting a website with a lead-capture form, integrating a CRM, backing up a customer database, operating a client platform, or producing privacy-respecting traffic analytics.
- Nature of processing: automated for technical operations such as storage, indexing and backup; manual for technical maintenance and incident intervention.
- Duration: for the term of the Main Agreement; once the Main Agreement ends, the return-or-deletion step in section 10 applies.
- Categories of data and data subjects: contact details, online identifiers (IP, cookies), and the controller's commercial data; relating to the controller's customers, their staff, and website users. The exact scope is fixed in the schedule for each engagement.
- Special-category data (GDPR Article 9) and criminal-offence data (Article 10) are not processed unless the parties agree an addendum with additional safeguards first.
2. Cookies and electronic-communications consent
Where the services place or read cookies or similar identifiers on a user's terminal equipment, or use online identifiers such as IP addresses for analytics, the obligation to obtain the user's prior consent under Polish electronic-communications law (PKE, the cookie / terminal-equipment consent rule) rests with the controller, except for strictly necessary purposes that are exempt from consent.
As the processor, Strataforge configures, places and reads those cookies and identifiers only on the controller's documented instructions, for example by deploying the consent banner, the consent categories and the analytics configuration the controller specifies. Strataforge does not decide the lawful basis for, or the scope of, any cookie or identifier on the controller's behalf. The controller is responsible for the lawfulness of its consent mechanism and for the underlying GDPR legal basis.
3. Our obligations as processor
Strataforge undertakes the eight obligations that GDPR Article 28(3)(a) to (h) requires of every processor. We treat these as the core of this DPA: if any one were missing, the agreement would not be GDPR-compliant.
- (a) Process personal data only on the controller's documented instructions, including for any transfer to a third country, and tell the controller promptly if we believe an instruction breaches data-protection law.
- (b) Ensure that everyone authorised to process the data is bound by confidentiality or a statutory duty of secrecy.
- (c) Implement the technical and organisational security measures required by GDPR Article 32, summarised in section 4.
- (d) Engage sub-processors only under the conditions of GDPR Article 28(2) and (4), as set out in section 5.
- (e) Assist the controller, by appropriate technical and organisational measures, in responding to data subject rights requests, as set out in section 6.
- (f) Assist the controller in meeting its own GDPR obligations on security, breach notification, data protection impact assessments and prior consultation (Articles 32 to 36), as set out in sections 6 and 8.
- (g) Return or delete all personal data at the end of the services, as set out in section 10.
- (h) Make available the information needed to demonstrate compliance and allow for and contribute to audits, as set out in section 9.
Independently of helping the controller with its own record, Strataforge keeps its own processor record of all categories of processing carried out on the controller's behalf under GDPR Article 30(2), and makes it available to the controller and to the competent supervisory authority (the Polish UODO where Strataforge is supervised in Poland) on request.
4. Security and technical measures
Strataforge implements and maintains technical and organisational measures appropriate to the risk, in line with GDPR Article 32(1). Where a populated catalogue of those measures is attached for an engagement it forms a schedule to this DPA ("Schedule 2"); that schedule, when attached, is reviewed at least once a year and after any material infrastructure change or security incident, and is mapped to the ISO/IEC 27001:2022 controls so an auditor can trace each measure. The summary below applies whether or not a Schedule 2 has been attached.
- Pseudonymisation and encryption (Article 32(1)(a)): AES-256 encryption at rest for databases, file storage, backups and logs; TLS 1.3 in transit for all web, API and database traffic; pseudonymisation of personal identifiers in analytics and, where feasible, before any data reaches an external API.
- Confidentiality, integrity, availability and resilience (Article 32(1)(b)): role-based least-privilege access, mandatory multi-factor authentication on administrative accounts, audit logging, segregated development, staging and production environments, a managed web application firewall with rate-limiting, and prompt security patching.
- Restoring availability after an incident (Article 32(1)(c)): encrypted backups at a frequency appropriate to risk, kept in EEA regions, with quarterly restore testing and documented recovery objectives.
- Regular testing and evaluation (Article 32(1)(d)): automated dependency, secret and code scanning, at least annual external penetration testing of production applications, and continuous monitoring of security policy compliance.
5. Sub-processors
The controller gives Strataforge general written authorisation to engage the sub-processors listed on the Subprocessors page, which records each provider's purpose, server location and transfer basis. These are infrastructure, database, analytics, communications, payment and, where expressly in scope, AI providers (GDPR Article 28(2)).
Before adding or replacing a sub-processor, Strataforge gives the controller advance notice (default 30 days). The controller may object in writing within 14 days. If we cannot agree an alternative in good faith, the controller may terminate the affected part of the Main Agreement. This keeps the controller's right to object real, as GDPR Article 28(2) requires.
Every sub-processor is bound by data-protection obligations at least equivalent to ours, by contract or other legal act (GDPR Article 28(4)). Where a sub-processor fails to meet those obligations, Strataforge remains fully liable to the controller for that failure, as the final sentence of Article 28(4) provides.
Where an engagement uses AI providers as sub-processors, the parties allocate the EU AI Act transparency obligations (Regulation (EU) 2024/1689, Article 50, applicable from 2 August 2026 under Article 113) as follows. The controller, as the operator deciding the purpose, is responsible for the end-user notices that an interaction is with an AI system, for marking AI-generated or AI-manipulated synthetic audio, image, video or text as artificially generated in a machine-readable form, for any deep-fake or AI-generated public-interest text disclosure, and for the timing of first exposure to the user. Strataforge, on the controller's documented instructions, configures and enables the provider features that make those notices and markings technically possible, and tells the controller where a chosen provider cannot meet a required marking.
6. Assisting the controller
Strataforge helps the controller meet the data subject rights under GDPR Articles 12 to 22, including access, rectification, erasure, restriction, portability, objection, and withdrawal of consent (Article 28(3)(e)). If we receive a request directly from a data subject, we forward it to the controller within 3 business days and do not respond ourselves unless the controller instructs us in writing.
- Records of processing: we provide the controller with the information it needs for its own record under GDPR Article 30(1).
- Data protection impact assessments: we provide the information the controller needs to carry out a DPIA under GDPR Article 35.
- Prior consultation: we support the controller in any prior consultation with the UODO or other competent supervisory authority under GDPR Article 36 where required.
- Breach notification: we support notification under GDPR Articles 33 and 34, as set out in section 8.
Routine assistance within ordinary administrative limits is included in the fees under the Main Agreement. Assistance beyond that is charged at Strataforge's hourly rate, with the scope and cost agreed in writing first.
7. International transfers
Strataforge does not transfer personal data outside the European Economic Area (the "EEA") without a lawful basis under Chapter V of the GDPR. Where a transfer happens, it relies on one of the recognised mechanisms.
- A Commission adequacy decision (GDPR Article 45), including the EU-US Data Privacy Framework for certified US recipients.
- The Commission's 2021 standard contractual clauses (GDPR Article 46(2)(c); Commission Implementing Decision (EU) 2021/914), with the module appropriate to the relationship selected per recipient, typically Module Two for our controller-to-processor transfers and Module Three where a sub-processor is itself a processor.
- Binding corporate rules (GDPR Article 47) where applicable.
- The narrow derogations in GDPR Article 49, used only in exceptional cases.
For transfers to US recipients certified under the Data Privacy Framework, we verify and record that the certification is active and in scope, with the verification date, the covered scope and the server region, and we keep a fallback standard contractual clauses module ready for each such recipient. For transfers outside the Framework or to other third countries without an adequacy decision, we add supplementary technical measures such as encryption, pre-transfer pseudonymisation and strict data minimisation. The transfer basis for each sub-processor is shown on the Subprocessors page.
8. Personal data breaches
GDPR Article 33(2) requires a processor to notify the controller of a personal data breach without undue delay. Strataforge commits to a stricter, defined service level: an initial notification within 24 hours of becoming aware, with whatever facts are then known, and a full notification within 48 hours, save where the facts genuinely cannot be established in time, in which case we keep the controller updated on a rolling basis.
The full notification covers the elements aligned to GDPR Article 33(3): the nature of the breach, the categories and approximate numbers of data subjects and records affected, a contact point, the likely consequences, and the measures taken or proposed to address and mitigate it.
We cooperate with the controller on its notification to the UODO or other competent supervisory authority (GDPR Article 33) and, where a breach is likely to result in high risk, on any communication to data subjects (GDPR Article 34), including the carve-outs in Article 34(3). We do not notify the authority or data subjects on our own initiative unless the controller instructs us in writing. As a contractual matter, and to support the controller's own breach-documentation duty under GDPR Article 33(5), Strataforge keeps an internal record of the breaches it becomes aware of, including the facts, effects and remedial action; this record supports but does not discharge the controller's Article 33(5) file. A dedicated emergency channel is used for these notices.
9. Audit rights
The controller may audit Strataforge's compliance with the GDPR and this DPA, including by requesting the information needed to demonstrate compliance, inspecting security documentation, certificates and measures reports, and conducting an on-site inspection (GDPR Article 28(3)(h)). Strataforge cannot block a justified audit or inspection; any agreement required below relates only to its timing and logistics, never to whether the audit may take place.
- Notice: at least 14 days in advance, except in urgent circumstances such as immediately after a breach.
- Frequency: no more than once a year, unless justified by a security incident or substantiated concerns.
- Conduct: the parties agree the timing and logistics of an on-site inspection so it does not unduly disrupt operations or breach the confidentiality of other clients' data; external auditors sign an equivalent confidentiality undertaking. This coordination cannot be used to refuse or indefinitely delay a justified audit.
- Costs: a routine yearly audit is on the controller; an expanded audit or one triggered by a documented DPA breach attributable to Strataforge is on us. Cost allocation never limits the controller's statutory right to audit under Article 28(3)(h).
10. Return or deletion of data
When the Main Agreement ends for any reason, GDPR Article 28(3)(g) requires Strataforge to return or delete the personal data. The controller chooses within 14 days of termination; if it makes no choice, we permanently delete by default.
- Return: we return the data in the agreed format, typically an SQL dump or CSV export, within 30 days of termination.
- Deletion: we permanently delete the data from our systems, including backups, within 60 days of termination, and confirm the deletion in writing.
- Legal retention: we keep data only where the law requires it, for example the retention of invoices and tax records for the duration of the tax limitation period, which for a Polish sole proprietorship is 5 years from the end of the calendar year in which the payment deadline fell (VAT Act Article 112; Tax Ordinance Article 86 paragraph 1 and Article 70 paragraph 1; and, for entities subject to it, Article 74 of the Polish Accounting Act); retained data stays subject to this DPA until deleted.
- Anonymised data: data processed so that data subjects can no longer be identified is not subject to return or deletion and may be kept for statistical purposes.
11. Liability and recourse
Strataforge is liable to data subjects under GDPR Article 82 to the extent of its own infringements, and to the controller for breach of this DPA within the liability limits in the Main Agreement, with the usual carve-outs for wilful misconduct, gross negligence, and breach of confidentiality. No limit in the Main Agreement reduces a data subject's mandatory rights under GDPR Article 82 or a party's liability for damage caused intentionally.
Where the controller and Strataforge are both involved in the same processing that causes damage, GDPR Article 82(4) makes each fully liable to the data subject so the data subject is effectively compensated, and Article 82(5) lets the party that paid recover the others' share of responsibility between them. Article 82(4) and (5) ground recourse for compensation of damage only. Any reimbursement between the parties of a UODO administrative fine (GDPR Article 83) is a separate contractual allocation that follows the breaching party; because a fine is a public-law sanction, the enforceability of inter-party reimbursement for it is uncertain under Polish law and is subject to confirmation, and nothing here shifts a fine that the law imposes personally on a party.
12. Precedence, form and amendments
On any matter of personal data protection, this DPA prevails over the Main Agreement. This DPA is governed by the law of the Republic of Poland and the GDPR; where they conflict, the GDPR prevails. The competent court is the one named in the Main Agreement.
This DPA governs a business-to-business controller-to-processor relationship and the liability limits referenced from the Main Agreement are set on that basis. Where, exceptionally, a counterparty qualifies as a consumer or a prosumer under Polish law, the mandatory protections that cannot be excluded continue to apply, including the abusive-clause rules of Articles 385¹ to 385³ of the Polish Civil Code, the prosumer extension in Article 385⁵, and the prohibition in Article 473 paragraph 2 on excluding liability for damage caused intentionally, together with the mandatory GDPR liability above.
GDPR Article 28(9) requires this DPA to be in writing, including in electronic form. That is a lighter threshold than the strict Polish written form under sanction of nullity. Documentary form (forma dokumentowa under Article 77² of the Polish Civil Code), satisfied by an advanced electronic signature or by email with confirmation of receipt, is therefore sufficient, and the stricter electronic form with a qualified electronic signature (forma elektroniczna under Article 78¹) may be used where a party prefers it. Amendments may be made in the same documentary form. Confidentiality, return or deletion, audit, liability, governing law and notices survive termination.
13. Contact
For data-protection questions, to request this DPA for signature, or for the schedule of categories, sub-processors and security measures, contact Strataforge at alex@strataforge.co. To understand how we handle personal data more broadly, see our Privacy Policy and the Subprocessors page.
This is the English version of the Data Processing Agreement. The Polish-language version is the binding original and legally prevails in the event of any discrepancy.