Roles and Scope
Customer is the controller (or business) and Prodvo is the processor (or service provider) for personal data submitted to the platform under the main service agreement.
This DPA applies to personal data processed in connection with workspace operation, workflow execution, metadata logging, and support activity.
Processing Instructions
Prodvo processes personal data only on documented instructions from customer, including instructions communicated through product configuration, API requests, and support tickets.
If Prodvo believes an instruction violates applicable data protection law, Prodvo will notify customer unless prohibited by law.
Security Measures
Prodvo implements technical and organizational safeguards appropriate to risk, including access controls, encryption safeguards, environment segregation, and incident response procedures.
Security controls may evolve, provided overall protection is not materially reduced.
Subprocessors
Customer authorizes Prodvo to use subprocessors for infrastructure, support, and operational delivery, subject to written agreements imposing data protection obligations materially equivalent to this DPA.
Prodvo remains responsible for subprocessors' performance of data protection obligations.
Customer Instructions and Obligations
Customer is responsible for determining a lawful basis for processing and for ensuring that instructions provided to Prodvo are lawful, documented, and aligned with applicable data protection law.
- Customer remains responsible for data quality, accuracy, and permitted collection.
- Customer should avoid sending special category or highly regulated data unless expressly covered by written terms.
- Customer must configure workspace access using least-privilege principles.
International Transfers
Where personal data is transferred internationally, Prodvo will use recognized legal transfer mechanisms required by applicable law.
Data Subject Assistance
Taking into account the nature of processing, Prodvo will provide reasonable assistance to customer for handling data subject rights requests and regulatory obligations.
- Assistance may include search, export, correction, restriction, or deletion support.
- Customer remains responsible for evaluating request validity and issuing final responses to data subjects unless required otherwise by law.
Security Incident Notice
Prodvo will notify customer without undue delay after confirming a security incident affecting customer personal data and will provide available details necessary for customer's legal compliance.
Notification includes known incident scope, likely impact, and remediation steps in progress, subject to legal and security constraints.
Return and Deletion
Upon termination of services, Prodvo will return or delete customer personal data according to contractual terms and lawful retention obligations.
Customer may request deletion workflows and account closure through approved support channels.
Audit and Information Rights
Prodvo will make available information reasonably necessary to demonstrate compliance with this DPA, including security documentation appropriate to the customer plan and legal requirements.
Where contractually available, audits may be performed under confidentiality and security safeguards.
Records and Cooperation
Prodvo maintains processor records required by applicable law and cooperates with supervisory authority inquiries to the extent legally required.
Customer and Prodvo will coordinate in good faith where regulatory communications, complaints, or investigations involve customer personal data processed under this DPA.
Liability and Precedence
Liability under this DPA is subject to the allocation and caps in the applicable master service or commercial agreement, unless prohibited by law.
If this DPA conflicts with the main agreement on data protection issues, this DPA prevails for those issues.
Email: privacy@prodvo.dev