Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Prodia Systems Ltd ("Processor") and the Customer ("Controller") and applies where Prodia processes personal data on the Controller's behalf in connection with the Service. It is entered into in accordance with Article 28 GDPR.
1. Subject matter, duration, nature and purpose
Subject matter: provision of the Prodia platform. Duration: the term of the Agreement plus the period required to return or delete personal data. Nature and purpose: hosting, analysing and improving Customer code and related artefacts.
2. Categories of data subjects and personal data
- Data subjects: Controller's authorised users, contributors, end users and any individuals referenced in Customer Data.
- Personal data: identifiers, contact data, professional data, technical identifiers and any personal data incidentally contained in source code, logs or repositories.
3. Controller instructions
Prodia will process personal data only on documented instructions from the Controller, including the Agreement, the configuration of the Service and any instructions given via support. Prodia will notify the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law.
4. Confidentiality
Prodia ensures that personnel authorised to process personal data are subject to appropriate confidentiality obligations.
5. Security (Art. 32 GDPR)
- Encryption of personal data in transit and at rest.
- Role-based access control and the principle of least privilege.
- Logging, monitoring and intrusion detection.
- Regular testing and assessment of technical and organisational measures.
- Business continuity and disaster recovery procedures.
6. Sub-processors
The Controller authorises Prodia to engage sub-processors. A current list is available on request. Prodia will notify the Controller of intended changes and give the Controller the opportunity to object on reasonable grounds related to data protection. Prodia imposes data-protection obligations on each sub-processor no less protective than those in this DPA.
7. Data-subject requests
Prodia will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising data-subject rights.
8. Assistance to the Controller
Prodia will assist the Controller in ensuring compliance with Articles 32 to 36 GDPR, taking into account the nature of processing and the information available.
9. Personal-data breaches
Prodia will notify the Controller without undue delay after becoming aware of a personal-data breach affecting Customer Data, with the information reasonably necessary for the Controller to comply with its notification obligations.
10. Return or deletion
On termination of the Service, Prodia will, at the Controller's choice, delete or return all personal data and delete existing copies, unless storage is required by EU or Irish law.
11. Audits
Prodia will make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and will allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to reasonable confidentiality and security requirements.
12. International transfers
Where Prodia transfers personal data outside the EEA, it will do so on the basis of an adequacy decision or the EU Standard Contractual Clauses (2021/914) with appropriate supplementary measures.
13. Governing law
This DPA is governed by the laws of Ireland and is subject to the jurisdiction clause of the underlying Terms.
