    Data Processing Agreement

    Controller–Processor terms governing the processing of personal data under the Pricemind Services.

    Effective: 12 July 2025
    Processor: Stellion OOD
    GDPR · UK GDPR · CCPA/CPRA
    This Data Processing Agreement ("DPA") forms part of, and is subject to, the Master Services Agreement, Terms of Service, Order Form, or other written or electronic agreement between Stellion OOD and the Customer governing the provision and use of the Pricemind Services (the "Agreement").
    Processor

    Stellion OOD (ЕИК/UIC: 206104538)

    Cherni Vrah Blvd 107, Sofia, Bulgaria, 1407

    Legal representative: Petar Atanasov

    Controller

    The Customer as defined in the Agreement governing the Pricemind Services.

    1. Definitions

    Terms used but not defined in this DPA have the meanings given in the Agreement or, where applicable, the EU General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection ("FADP"), and the California Consumer Privacy Act of 2018 as amended by the CPRA ("CCPA/CPRA").

    • "Applicable Data Protection Laws" — all laws and regulations relating to the processing of Personal Data under the Agreement, including GDPR, UK GDPR, FADP, CCPA/CPRA, and any similar state laws in the United States.
    • "Personal Data" — any information relating to an identified or identifiable natural person that is processed by Stellion OOD on behalf of Customer under the Agreement.
    • "Processing/Process", "Data Subject", "Controller", "Processor", "Supervisory Authority", and "Personal Data Breach" have the meanings given in GDPR.
    • "Sub-processor" — any third party engaged by Stellion OOD that processes Personal Data on Stellion OOD's behalf in connection with the Services.

    2. Roles & Scope

    (a) Roles. Customer is the Controller and Stellion OOD is the Processor with respect to Personal Data processed under the Agreement.

    (b) Scope. The subject-matter, duration, nature and purpose of Processing, types of Personal Data and categories of Data Subjects are set out in Annex I (Details of Processing).

    (c) Instructions. Stellion OOD shall process Personal Data only on documented instructions from Customer, including with respect to transfers of Personal Data to a third country or international organisation, unless required to do so by Applicable Law.

    3. Confidentiality

    Stellion OOD shall ensure that persons authorised to process Personal Data are subject to an appropriate duty of confidentiality (whether contractual or statutory) and receive appropriate data protection and security training.

    4. Security

    (a) Security Measures. Taking into account the state of the art, costs of implementation, the nature, scope, context and purposes of Processing as well as the risk to Data Subjects, Stellion OOD shall implement and maintain appropriate technical and organisational measures ("TOMs") to protect Personal Data, including measures set out in Annex II (Security Measures).

    (b) Policies & Certifications. On request, and subject to confidentiality obligations, Stellion OOD will provide information reasonably necessary to demonstrate compliance (e.g., summaries of policies, third-party audit reports such as SOC 2/ISO 27001 if available, penetration test summaries).

    5. Sub-processing

    (a) Authorisation. Customer provides general written authorisation for Stellion OOD to engage Sub-processors. Current categories and an up-to-date Sub-processor list are set out in Annex III.

    (b) Notice & Objection. Stellion OOD will provide prior notice of any intended changes concerning the addition or replacement of Sub-processors. Customer may reasonably object in writing within 10 business days of notice. If the Parties cannot reach a mutually acceptable solution, Customer may suspend the affected Processing or terminate the applicable Services (without penalty).

    (c) Sub-processor obligations. Stellion OOD shall impose data protection obligations on Sub-processors by written contract that are no less protective than those set out in this DPA. Stellion OOD remains fully liable for the performance of each Sub-processor's obligations.

    6. Assistance to Controller

    (a) Data Subject Requests. Taking into account the nature of the Processing, Stellion OOD shall assist Customer by appropriate technical and organisational measures for the fulfilment of Customer's obligations to respond to Data Subject rights requests. If Stellion OOD receives a request directly, it will promptly forward it to Customer.

    (b) Security & DPIAs. Stellion OOD shall assist Customer in ensuring compliance with obligations relating to security of Processing, Personal Data Breach notifications, data protection impact assessments, and prior consultations.

    7. Personal Data Breach

    Stellion OOD shall notify Customer without undue delay (and in any event within 72 hours after becoming aware) of a Personal Data Breach affecting Personal Data processed on behalf of Customer.

    Such notification will include information reasonably available to Stellion OOD to assist Customer in meeting its breach reporting obligations. Stellion OOD will promptly take steps to contain, investigate, and remediate the Breach.

    8. Audits & Information Rights

    (a) Documentation. Upon written request, Stellion OOD will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA.

    (b) Audits. No more than once in any 12-month period (unless required by a Supervisory Authority or following a Personal Data Breach), Customer may audit Stellion OOD's compliance. Audits shall be on at least 30 days' written notice, during normal business hours, and subject to reasonable confidentiality requirements. Customer agrees to exhaust independent third-party audit reports (e.g., SOC 2 Type II, ISO 27001) first. On-site audits are at Customer's expense.

    9. Return & Deletion of Data

    Upon termination or expiry of the Agreement (or upon Customer's written request), Stellion OOD shall delete or return all Personal Data within 60 days, unless Applicable Law requires storage. Deletion from backups will occur on the next scheduled rotation within 30–45 days. On request, Stellion OOD will provide a deletion certificate.

    10. International Data Transfers

    (a) General. Stellion OOD may transfer and process Personal Data outside the country where it was collected. All such transfers shall comply with Applicable Data Protection Laws.

    (b) EEA/Swiss/UK Transfers. To the extent transfers are to countries without adequate data protection, the Parties agree that the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference, with Module Two (Controller-to-Processor) and Module Three (Processor-to-Processor) selected as applicable. For UK transfers, the UK International Data Transfer Addendum is incorporated.

    (c) Supplementary Measures. Where required, Stellion OOD will implement appropriate supplementary measures and provide reasonable assistance with transfer impact assessments.

    11. CCPA/CPRA and US State Privacy Laws

    Where Stellion OOD processes Personal Information of California residents, it acts as a Service Provider/Contractor under CCPA/CPRA.
    • Stellion OOD shall not sell or share Personal Information.
    • Stellion OOD shall not retain, use, or disclose Personal Information for any purpose other than performing the Services.
    • Stellion OOD shall not combine Personal Information with other data except as permitted (e.g., to detect security incidents).
    • Stellion OOD shall not retain, use, or disclose Personal Information outside of the direct business relationship with Customer.
    • Stellion OOD certifies that it understands and will comply with these obligations.
    • Comparable restrictions apply under other US state privacy laws to the extent applicable.

    12. Liability & Indemnity

    The Parties' aggregate liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement; provided that nothing in this DPA limits a Party's liability where such limitation is not permitted by Applicable Data Protection Laws.

    13. Order of Precedence; Changes

    In the event of any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of the conflict with respect to data protection and privacy matters. Stellion OOD may update this DPA to reflect changes in law or processing practices, with notice as required by the Agreement.

    Annex I — Details of Processing

    Subject-matter & Duration

    Processing of Personal Data as necessary to provide the Services under the Agreement; for the term of the Agreement and for the period required for return/deletion per Section 9.

    Nature & Purpose

    Hosting, storage, analysis, retrieval, transmission and other processing operations required to provide and improve the Services; support; security; billing and account administration.

    Categories of Data Subjects

    Customer's authorised users, employees, contractors; end users of Customer where applicable; any other individuals whose Personal Data is submitted by Customer.

    Types of Personal Data

    Contact details (name, email), identifiers, usage data, support and communications data, and any Personal Data submitted by or on behalf of Customer.

    Processing Operations

    Collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, restriction, erasure, and destruction.

    Annex II — Security Measures (Summary)

    Encryption in transit (TLS 1.2+) and at rest where supported
    Access controls: role-based access; least privilege; MFA for admin access
    Network security: segmentation, firewalling, DDoS protections
    Logging and monitoring; vulnerability and patch management; secure SDLC
    Business continuity and disaster recovery; regular backups and tested restores
    Employee confidentiality undertakings and security awareness training
    Vendor due diligence and sub-processor contractual safeguards
    Incident response plan and breach notification procedures

    Annex III — Authorised Sub-processors

    Provider                  | Purpose                                        | Location(s)                                  | Transfer Mechanism
    Postmark (ActiveCampaign) | Transactional email delivery                   | United States                                | SCCs/UK Addendum
    Hetzner Cloud             | Cloud infrastructure and storage               | EU (Germany, Finland)                        | No international transfer – EU only
    Linode (Akamai)           | Cloud infrastructure and storage               | EU region only                               | No international transfer – EU only
    Hotjar Ltd.               | Product analytics, session recording, heatmaps | EU (Malta, Ireland) with US transfers        | SCCs/UK Addendum

    Exhibit A — SCCs and UK Addendum

    The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference. Where applicable, the UK International Data Transfer Addendum to the EU SCCs is also incorporated. Customer Contact details, descriptions of data transfers, competent supervisory authority, and selected modules/options are completed in accordance with the Agreement and this DPA.