Data Processing Agreement


Effective Date: 29 June, 2025

This Data Processing Agreement ("Agreement" or "DPA") is entered into by and between:


1. Parties

1.1 The Client ("Controller"), a business entity that determines the purposes and means of processing personal data.

1.2 Kredista Sp. z o.o., trading as TermsEngine ("Processor"), a company registered in Poland, providing legal content, audit and compliance services.

1.3 This Agreement supplements the primary service agreement or Terms of Service ("Principal Agreement") between the Client and TermsEngine.


2. Subject matter and duration

2.1 This DPA governs personal data processed by the Processor on behalf of the Controller.

2.2 The processing will last for the duration of the Principal Agreement or until data is deleted or returned in accordance with this DPA.


3. Nature and purpose of processing

3.1 The Processor processes data exclusively for delivering services outlined in the Principal Agreement.

3.2 Processing activities may include: reviewing legal documents, customising templates, generating content, conducting audits, and providing written recommendations.

3.3 The Processor will not use personal data for its own purposes.


4. Categories of data subjects and personal data

4.1 Data subjects may include website visitors, clients, customers, business representatives or end users.

4.2 Categories of personal data may include: name, email, phone number, company name, role, browser metadata, or IP address.

4.3 The Controller must not provide any special category data unless a separate written agreement is in place.


5. Responsibilities of the controller

5.1 The Controller ensures all data provided is lawfully collected and that individuals have been informed as required under applicable data protection law.

5.2 The Controller confirms a legal basis exists for the Processor to process the data as instructed.


6. Obligations of the processor

6.1 The Processor shall only process data on documented instructions from the Controller.

6.2 The Processor shall ensure confidentiality of data, and restrict access to authorised personnel who are subject to binding confidentiality obligations.

6.3 The Processor shall implement technical and organisational measures to ensure a level of security appropriate to the risk.

6.4 The Processor shall assist the Controller in responding to data subject requests under Articles 12–23 of the GDPR.

6.5 Upon termination, the Processor shall delete or return all personal data at the Controller's request unless required by law to retain it.

6.6 The Processor shall maintain records of processing in accordance with Article 30(2) of the GDPR.


7. Subprocessing

7.1 The Processor may use subprocessors to fulfil its obligations under this Agreement.

7.2 As of the Effective Date, approved subprocessors may include:
 7.2.1 Google Workspace (communications and document storage)
 7.2.2 Stripe (billing platform)
 7.2.3 Calendly (appointment scheduling)
 7.2.4 Notion (project management)
 7.2.5 OpenAI (content generation – only pseudonymised inputs)

7.3 The Processor shall ensure each subprocessor is subject to the same obligations regarding data protection.

7.4 The Processor shall notify the Controller of any intended changes to subprocessors. The Controller may object within fourteen (14) days with reasonable grounds.


8. International transfers

8.1 The Processor shall store personal data within the European Economic Area (EEA).

8.2 If any transfer outside the EEA occurs, the Processor will ensure compliance with Chapter V of the GDPR, including the use of Standard Contractual Clauses or adequacy decisions.


9. Data breaches

9.1 The Processor will notify the Controller without undue delay upon becoming aware of a personal data breach.

9.2 The notification shall describe the nature of the breach, likely consequences, and mitigation steps taken.


10. Audit and inspection

10.1 Upon reasonable request, the Processor shall provide documentation sufficient to demonstrate compliance with this DPA.

10.2 The Controller may conduct audits with at least thirty (30) days' notice, subject to confidentiality obligations.


11. Termination and data return

11.1 Upon expiry or termination of the Principal Agreement, the Processor shall, at the Controller's election:
 11.1.1 Return all personal data to the Controller, or
 11.1.2 Permanently delete such data from its systems.

11.2 The above shall not apply where retention is required by law.


12. Liability

12.1 Each party remains liable under the applicable provisions of the GDPR and this DPA.

12.2 The Processor shall only be liable for damage caused by processing where it has not complied with the lawful instructions of the Controller or applicable law.


13. Governing law and jurisdiction

13.1 This Agreement is governed by the laws of Ireland, unless otherwise specified in the Principal Agreement.

13.2 Any disputes shall be subject to the exclusive jurisdiction of the courts of Ireland.


14. Miscellaneous

14.1 This DPA forms part of the Principal Agreement. In case of conflict, the terms of this DPA shall prevail.

14.2 If any provision of this Agreement is held to be invalid, the remainder shall remain in full force and effect.


This Agreement becomes binding upon execution of the Principal Agreement or commencement of services by the Processor.