Data Processing Agreement

1 Definitions

For the purposes of this Data Processing Agreement ("DPA"):

• "Controller" means the entity that determines the purposes and means of processing personal data
• "Processor" means the entity that processes personal data on behalf of the Controller
• "Personal Data" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on personal data
• "GDPR" means the General Data Protection Regulation (EU) 2016/679

2 Scope and Purpose

This DPA applies to the processing of personal data by VibeTraffic (Z MARIN) as a processor on behalf of our customers (controllers) in connection with our website performance auditing and monitoring services.

3 Data Processing Details

3.1 Categories of Personal Data

We process the following categories of personal data on behalf of our customers:

• Email addresses and names (for account management)
• Usage data (scan counts, feature utilization)
• Website URLs and technical performance metrics
• IP addresses (for security and fraud prevention)

3.2 Categories of Data Subjects

Personal data relates to:

• Our customers and their authorized users
• End users of websites being audited (minimal data only)

3.3 Processing Purposes

Personal data is processed for:

• Providing website performance auditing services
• Account management and customer support
• Service improvement and analytics
• Security and fraud prevention
• Compliance with legal obligations

4 Processor Obligations

4.1 Processing Instructions

We will process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to third countries or international organizations, unless required to do so by EU or Member State law.

4.2 Confidentiality

We ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data in transit and at rest
• Access controls and authentication systems
• Regular security assessments and updates
• Secure data centers within the EU
• Incident response and breach notification procedures

5 Sub-Processors

We may engage sub-processors to assist in providing our services. We ensure that any sub-processor is bound by the same data protection obligations as set out in this DPA.

5.1 Current Sub-Processors

5.2 Sub-Processor Changes

We will notify the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.

6 Data Subject Rights

We will assist the Controller in fulfilling data subject rights under GDPR:

• Right of access to personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing

7 Data Breach Notification

In the event of a personal data breach, we will:

• Notify the Controller without undue delay after becoming aware of the breach
• Provide detailed information about the nature of the breach
• Assist the Controller in meeting their breach notification obligations
• Cooperate with supervisory authorities as required

8 Data Protection Impact Assessments

We will assist the Controller in carrying out data protection impact assessments and prior consultations with supervisory authorities where required by GDPR.

9 Audit Rights

We will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

10 Data Retention and Deletion

We will:

• Retain personal data only for as long as necessary for the purposes outlined in this DPA
• Delete or return all personal data to the Controller upon termination of services
• Delete existing copies unless storage is required by EU or Member State law

11 International Transfers

Any transfer of personal data to third countries will be subject to appropriate safeguards as required by GDPR, including:

• Adequacy decisions by the European Commission
• Standard Contractual Clauses (SCCs)
• Binding Corporate Rules
• Certification schemes and codes of conduct

12 Liability and Indemnification

Each party's liability for damages arising from this DPA shall be subject to the limitations and exclusions set forth in the main Terms of Service. Each party shall indemnify the other against claims arising from its breach of this DPA.

13 Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with Croatian law. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Split, Croatia.

14 Contact Information

For questions about this DPA or data protection matters, contact us: