Data Processing Agreement
Appendix A to the Service Agreement between Auralenor and the Client.
Last updated: 2026-03-27
This Data Processing Agreement ("DPA") forms an integral part of the Service Agreement ("Contract") between Auralenor, Unipessoal Lda. ("Processor") and the Client ("Controller"), as referenced in Section 8 and Section 14 of the Contract. It governs the processing of personal data carried out by the Processor on behalf of the Controller in the course of service delivery.
1. Definitions
For the purposes of this DPA, "Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Personal Data Breach" shall have the meanings given in the GDPR (Regulation (EU) 2016/679). "Sub-processor" means any third-party processor engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope and Purpose of Processing
The Processor processes Personal Data solely for the purpose of providing the digital infrastructure services described in the Contract. Processing activities include: hosting and serving the Client's website, processing contact form submissions, managing booking or ordering data (where applicable), storing content uploaded by the Client, processing payments, and sending transactional communications.
The categories of Personal Data processed may include: names, email addresses, telephone numbers, addresses, tax identification numbers, payment details, IP addresses, browser metadata, and any other data submitted through the Client's digital infrastructure.
The categories of Data Subjects may include: the Client's customers, the Client's staff, website visitors, and individuals who interact with the Client's digital infrastructure.
3. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption at rest and in transit, access controls, and regular security assessments
- Assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR (access, rectification, erasure, portability, restriction, objection)
- Assist the Controller in ensuring compliance with data breach notification obligations under Articles 33 and 34 of the GDPR
- At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires further storage
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 of the GDPR, and allow for and contribute to audits and inspections
4. Sub-processors
The Controller provides general written authorization for the Processor to engage the sub-processors listed in Section 5 below. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes within 14 days. If the Controller objects and the Processor cannot reasonably accommodate the objection, the Controller may terminate the affected service.
The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor it engages, by way of a contract or other legal act under applicable law. The Processor remains fully liable to the Controller for the performance of each sub-processor's obligations.
5. Authorized Sub-processors
The following sub-processors are authorized to process Personal Data on behalf of the Controller:
Google Cloud Platform / Firebase
Purpose: Cloud infrastructure, database hosting (Firestore), user authentication, and file storage (Cloud Storage). Data is processed in the EU region.
Location: European Union (eu-west region)
Safeguards: Subject to Google Cloud Data Processing Terms and EU Standard Contractual Clauses
Stripe, Inc.
Purpose: Payment processing, subscription management, and invoicing. PCI DSS Level 1 certified.
Location: United States (with EU-US Data Privacy Framework)
Safeguards: Subject to Stripe's Data Processing Agreement and EU Standard Contractual Clauses
Resend
Purpose: Transactional email delivery (contract confirmations, service notifications, and system alerts).
Location: United States (with EU Standard Contractual Clauses)
Safeguards: Subject to Resend's Data Processing Agreement
6. International Data Transfers
Personal Data is primarily processed within the European Union. Where data is transferred to sub-processors outside the EU/EEA, such transfers are protected by one or more of the following safeguards:
- EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914)
- EU-US Data Privacy Framework (where applicable)
- Adequacy decisions by the European Commission under Article 45 of the GDPR
7. Security Measures
The Processor implements the following technical and organizational measures:
- Encryption: all data in transit is encrypted via TLS 1.2+. Data at rest is encrypted using AES-256 (managed by the cloud infrastructure provider).
- Access control: role-based access with the principle of least privilege. Administrative access is restricted to authorized personnel with multi-factor authentication.
- Network security: firewall rules, IP-based rate limiting on all API endpoints, and automated threat detection.
- Backup and recovery: automated daily backups with point-in-time recovery capabilities. Backups are stored encrypted in a separate geographic region.
- Monitoring: real-time security monitoring, logging of access events, and automated alerting for anomalous activity.
- Incident response: documented incident response procedures with defined escalation paths and 72-hour breach notification capability.
8. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach. The notification shall include: (a) a description of the nature of the breach including, where possible, the categories and approximate number of Data Subjects and records concerned; (b) the name and contact details of the data protection point of contact; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach.
9. Data Retention and Deletion
Upon termination of the Contract, the Processor shall delete all Personal Data processed on behalf of the Controller within 90 days, unless retention is required by applicable law (e.g., Portuguese tax law mandates 10-year retention of financial records). The Processor shall provide written confirmation of deletion upon the Controller's request.
10. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligation to respond to Data Subject requests under Articles 15 to 22 of the GDPR. The Processor shall promptly notify the Controller if it receives a direct request from a Data Subject and shall not respond to such request except on the Controller's documented instructions.
11. Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 of the GDPR. The Controller may conduct audits, including inspections, at reasonable intervals and with reasonable advance notice. The Processor shall contribute to such audits at the Controller's reasonable expense.
12. Governing Law
This DPA is governed by the laws of the Portuguese Republic and the GDPR (Regulation (EU) 2016/679). Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions of the Contract.
Data Protection Contact
For data protection inquiries related to this agreement:
Auralenor, Unipessoal Lda. · Lisbon, Portugal