1. Definitions
- "Controller" means the Customer that uses the services and determines the purposes and means of the processing of personal data.
- "Processor" means Ksenoria OÜ, which processes personal data on behalf of the Controller through ModuPage where applicable.
- "Data Protection Laws" means the GDPR and other applicable privacy or data protection laws that govern the processing covered by this DPA.
- "Personal Data" means information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller through the services.
- "Sub-processor" means a third-party processor engaged by the Processor to help provide, secure, maintain, or support the infrastructure of the services.
2. Scope and compliance
This DPA applies exclusively where Ksenoria OÜprocesses personal data as a Processor on behalf of the Customer in connection with customer-created projects, templates, assemblies, word collections, uploaded assets, previews, exports, or other workflow content handled through ModuPage.
Both Parties agree to comply with applicable Data Protection Laws in relation to the processing covered by this DPA.
3. Processor's obligations
The Processor contractually commits to the following operational and processing boundaries:
- Instructions: the Processor will process personal data only on documented instructions from the Controller, unless otherwise required by applicable law.
- Confidentiality: the Processor will ensure that persons authorized to process personal data are bound by confidentiality obligations or are under an appropriate statutory duty of confidentiality.
- Security measures: the Processor will implement appropriate technical and organizational measures proportionate to the risks of the processing.
- Data subject requests: taking into account the nature of the processing, the Processor will assist the Controller with reasonable technical and organizational measures where possible.
- Personal data breaches: the Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting the processing covered by this DPA.
- Deletion or return: at the Controller's choice and subject to legal, operational, backup, and security retention needs, the Processor will delete or return personal data after the end of the relevant services within a reasonable period.
4. Sub-processors
The Controller grants a general written authorization to the Processor to engage Sub-processors to run cloud, storage, authentication, billing, analytics, security, communications, monitoring, and related infrastructure or support functions of the platform.
Information about relevant Sub-processors may be made available on request through support@modupage.com.
Where appropriate, the Processor may inform the Controller of material additions or replacements of Sub-processors in a reasonable way, including by policy, documentation, or direct communication.
5. Audits and information
The Processor will make available information reasonably necessary to demonstrate compliance with the obligations described in this DPA and applicable Data Protection Laws.
To the extent an audit is legally required, the Parties will work together in good faith to scope it reasonably, protect other customers, preserve confidentiality, and minimize operational disruption. Unless mandatory law requires otherwise, audits will be at the Controller's expense and on reasonable advance notice.
6. Governing law and jurisdiction
This DPA is governed by the laws of Estonia. Any dispute arising out of or in connection with this DPA will be subject to the competent courts associated with that governing law, unless mandatory law requires otherwise.
7. Contact
For data protection or DPA inquiries, contact support@modupage.com.