Data Processing Agreement (Controller–Processor)
Effective date: 12 July 2025
This Data Processing Agreement ("DPA") forms part of, and is subject to, the Master Services Agreement, Terms of Service, Order Form, or other written or electronic agreement between Stellion OOD and the Customer governing the provision and use of the Pricemind Services (the "Agreement").
Processor: Stellion OOD (ЕИК/UIC: 206104538), a company incorporated in Bulgaria, with registered address at Cherni Vrah Blvd 107, Sofia, Bulgaria, 1407 ("Pricemind", "Processor", "we/us"). Legal representative: Petar Atanasov.
1. Definitions
Terms used but not defined in this DPA have the meanings given in the Agreement or, where applicable, the EU General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection ("FADP"), and the California Consumer Privacy Act of 2018 as amended by the CPRA ("CCPA/CPRA").
- "Applicable Data Protection Laws" means all laws and regulations relating to the processing of Personal Data under the Agreement, including GDPR, UK GDPR, FADP, CCPA/CPRA, and any similar state laws in the United States (e.g., Virginia, Colorado, Connecticut, Utah) to the extent applicable.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Stellion OOD on behalf of Customer under the Agreement.
- "Processing/Process", "Data Subject", "Controller", "Processor", "Supervisory Authority", and "Personal Data Breach" have the meanings given in GDPR.
- "Sub-processor" means any third party engaged by Stellion OOD that processes Personal Data on Stellion OOD’s behalf in connection with the Services.
2. Roles & Scope
(a) Roles. Customer is the Controller and Stellion OOD is the Processor with respect to Personal Data processed under the Agreement.
(b) Scope. The subject-matter, duration, nature and purpose of Processing, types of Personal Data and categories of Data Subjects are set out in Annex I (Details of Processing).
(c) Instructions. Stellion OOD shall process Personal Data only on documented instructions from Customer, including with respect to transfers of Personal Data to a third country or international organisation, unless required to do so by Applicable Law. In such case, Stellion OOD shall inform Customer of that legal requirement before Processing, unless the law prohibits such information on important grounds of public interest.
3. Confidentiality
Stellion OOD shall ensure that persons authorised to process Personal Data are subject to an appropriate duty of confidentiality (whether contractual or statutory) and receive appropriate data protection and security training.
4. Security
(a) Security Measures. Taking into account the state of the art, costs of implementation, the nature, scope, context and purposes of Processing as well as the risk to Data Subjects, Stellion OOD shall implement and maintain appropriate technical and organisational measures ("TOMs") to protect Personal Data, including measures set out in Annex II (Security Measures).
(b) Policies & Certifications. On request, and subject to confidentiality obligations, Stellion OOD will provide information reasonably necessary to demonstrate compliance (e.g., summaries of policies, third-party audit reports such as SOC 2/ISO 27001 if available, penetration test summaries).
5. Sub-processing
(a) Authorisation. Customer provides general written authorisation for Stellion OOD to engage Sub-processors. Current categories and an up-to-date Sub-processor list are set out in Annex III.
(b) Notice & Objection. Stellion OOD will provide prior notice of any intended changes concerning the addition or replacement of Sub-processors (e.g., via email or dashboard). Customer may reasonably object in writing within 10 business days of notice if the change would materially increase risk to Personal Data. If the Parties cannot reach a mutually acceptable solution, Customer may suspend the affected Processing or terminate the applicable Services (without penalty) solely with respect to the impacted functionality.
(c) Sub-processor obligations. Stellion OOD shall impose data protection obligations on Sub-processors by written contract that are no less protective than those set out in this DPA, including sufficient guarantees to implement appropriate TOMs. Stellion OOD remains fully liable for the performance of each Sub-processor’s obligations.
6. Assistance to Controller
(a) Data Subject Requests. Taking into account the nature of the Processing, Stellion OOD shall assist Customer by appropriate technical and organisational measures, insofar as possible, for the fulfilment of Customer’s obligations to respond to requests to exercise Data Subject rights under Applicable Data Protection Laws. If Stellion OOD receives a request directly from a Data Subject relating to Personal Data, Stellion OOD will promptly forward it to Customer (unless prohibited by law).
(b) Security & DPIAs. Stellion OOD shall assist Customer in ensuring compliance with obligations relating to security of Processing, Personal Data Breach notifications to supervisory authorities and affected individuals, data protection impact assessments, and prior consultations, taking into account the nature of Processing and information available to Stellion OOD.
7. Personal Data Breach
Stellion OOD shall notify Customer without undue delay (and in any event within 72 hours after becoming aware) of a Personal Data Breach affecting Personal Data processed on behalf of Customer. Such notification will include information reasonably available to Stellion OOD to assist Customer in meeting its breach reporting obligations. Stellion OOD will promptly take steps to contain, investigate, and remediate the Breach.
8. Audits & Information Rights
(a) Documentation. Upon written request, Stellion OOD will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA.
(b) Audits. No more than once in any 12-month period (unless required by a Supervisory Authority or following a Personal Data Breach), Customer may audit Stellion OOD’s compliance with this DPA. Audits shall be: (i) on at least 30 days’ written notice; (ii) conducted during normal business hours; (iii) subject to reasonable confidentiality, security, and health & safety requirements; and (iv) limited to systems and facilities used to process Customer Personal Data. As a first step, Customer agrees to exhaust independent third-party audit reports (e.g., SOC 2 Type II, ISO 27001 certificates) or questionnaires. On-site audits are at Customer’s expense and shall not unreasonably interfere with Stellion OOD’s business operations. Auditors must be independent and not a competitor of Stellion OOD.
9. Return & Deletion of Data
Upon termination or expiry of the Agreement (or upon Customer’s written request at any time), Stellion OOD shall delete or return all Personal Data processed on behalf of Customer and delete existing copies within 60 days, unless Applicable Law requires storage of the Personal Data. Deletion from backups will occur on the next scheduled rotation within 30–45 days. On request, Stellion OOD will provide a deletion certificate.
10. International Data Transfers
(a) General. Stellion OOD may transfer and process Personal Data outside the country where it was collected. All such transfers shall comply with Applicable Data Protection Laws.
(b) EEA/Swiss/UK Transfers. To the extent Stellion OOD or its Sub-processors transfer Personal Data subject to the GDPR or FADP to a country that does not provide an adequate level of data protection, the Parties agree that the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) (the "SCCs") are incorporated by reference into this DPA as set out in Exhibit A, with Module Two (Controller-to-Processor) (and Module Three (Processor-to-Processor) for onward transfers) selected as applicable. For UK transfers, the UK International Data Transfer Addendum to the EU SCCs ("UK Addendum") issued by the ICO is incorporated as set out in Exhibit A.
(c) Supplementary Measures. Where required, Stellion OOD will implement appropriate supplementary measures and provide reasonable assistance with transfer impact assessments.
11. CCPA/CPRA and US State Privacy Laws
- Where Stellion OOD processes Personal Information of California residents on behalf of Customer, Stellion OOD acts as a Service Provider/Contractor (as defined in CCPA/CPRA) and shall not (i) sell or share Personal Information, (ii) retain, use, or disclose Personal Information for any purpose other than for the specific business purpose of performing the Services or as otherwise permitted by the CCPA/CPRA, (iii) combine Personal Information with other data except as permitted for Service Providers (e.g., to detect security incidents or improve service quality), or (iv) retain, use or disclose Personal Information outside of the direct business relationship with Customer.
- Stellion OOD certifies it understands and will comply with the obligations of a Service Provider/Contractor.
- Stellion OOD will notify Customer if it determines it can no longer meet its obligations under the CPRA, and Customer may take reasonable steps to stop and remediate unauthorised use.
- Comparable restrictions shall apply for other US state privacy laws to the extent applicable.
12. Liability & Indemnity
The Parties’ aggregate liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement; provided that nothing in this DPA limits a Party’s liability where such limitation is not permitted by Applicable Data Protection Laws.
13. Order of Precedence; Changes
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of the conflict with respect to data protection and privacy matters. Stellion OOD may update this DPA to reflect changes in law or our processing practices. We will notify Customer of material updates as required by the Agreement.
Annex I — Details of Processing
- Subject-matter and duration: Processing of Personal Data as necessary to provide the Services under the Agreement; for the term of the Agreement and for the period required for return/deletion in accordance with Section 9.
- Nature and purpose: Hosting, storage, analysis, retrieval, transmission and other processing operations required to provide and improve the Services; support; security and incident response; billing and account administration.
- Types of Personal Data: Contact details (name, email), identifiers, usage data, support and communications data, and any Personal Data submitted by or on behalf of Customer within Customer-controlled inputs to the Services.
- Categories of Data Subjects: Customer’s authorised users, employees, contractors; end users of Customer where applicable; and any other individuals whose Personal Data is submitted by Customer.
- Processing operations: collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, restriction, erasure, and destruction.
Annex II — Security Measures (summary)
- Encryption in transit (TLS 1.2+) and at rest where supported;
- Access controls: role-based access; least privilege; MFA for administrative access;
- Network security: segmentation, firewalling, DDoS protections where applicable;
- Logging and monitoring; vulnerability and patch management; secure SDLC;
- Business continuity and disaster recovery; regular backups and tested restores;
- Employee confidentiality undertakings and security awareness training;
- Vendor due diligence and sub-processor contractual safeguards;
- Incident response plan and breach notification procedures.
Annex III — Authorised Sub-processors (at DPA effective date)
| Provider | Purpose | Location(s) of Processing | Transfer Mechanism |
|---|---|---|---|
| Postmark (ActiveCampaign) | Transactional email delivery | United States | SCCs/UK Addendum as applicable |
| Hetzner Cloud | Cloud infrastructure and storage (compute, networking, volumes) | EU (Germany, Finland) | No international transfer – EU region only |
| Linode (Akamai) | Cloud infrastructure and storage (compute, networking, object storage) | EU region only | No international transfer – EU region only |
| Hotjar Ltd. | Product analytics, session recording, heatmaps | EU (Malta, Ireland) with transfers to US | SCCs/UK Addendum as applicable |
Exhibit A — SCCs and UK Addendum (incorporation by reference)
The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference with Module Two (Controller-to-Processor) and Module Three (Processor-to-Processor) as applicable. The UK International Data Transfer Addendum (version issued by the UK ICO) is also incorporated for UK transfers. The Parties agree to complete the appendices with the details in Annex I and Annex II of this DPA, and designate Customer as the data exporter and Stellion OOD as the data importer.