Data Processing Agreement

1. Definitions

Terms have the meanings defined in Article 4 GDPR:

“Data Controller” means the entity that determines the purposes and means of processing personal data.

“Data Processor” means Cardiac Purr (2info sp. z o.o.), which processes personal data on behalf of the Data Controller.

“Data Subject” means an identified or identifiable natural person whose personal data is processed.

“Personal Data Breach” has the meaning given in Article 4(12) GDPR.

2. Roles and Data Governance

2.1 Controller and Processor

Cardiac Purr acts as Data Processor under Article 28 GDPR when processing personal data on behalf of a Data Controller. The Data Controller determines the purposes and means of processing. Both parties maintain records of processing activities as required by Article 30 GDPR.

2.2 Processing Instructions

Cardiac Purr processes personal data only on the documented instructions of the Controller, unless required to do so by EU or Polish law, in which case Cardiac Purr shall inform the Controller of that legal requirement before processing, unless such disclosure is prohibited on grounds of public interest.

3. Processing Activities

3.1 Purpose Limitation

We process personal data only in accordance with documented instructions from the Controller, for purposes including:

  • Service provision and maintenance
  • Customer support (legitimate interest basis, balanced against user rights)
  • Security and fraud prevention (vital interest / legal obligation)
  • Compliance with applicable EU and Polish law, including DSA obligations

3.2 Data Minimization

Following EDPB guidelines on data minimization:

  • We pseudonymize data where possible (Article 4(5) GDPR)
  • Data retention follows strict time limits (Article 5(1)(e) GDPR)
  • We collect only the minimum data necessary for the specified purpose

3.3 Confidentiality

We ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, in accordance with Article 28(3)(b) GDPR.

4. Data Subject Rights

We assist Controllers in fulfilling rights under Articles 15–22 GDPR, taking into account the nature of the processing and the information available to us.

4.1 Right to Erasure (Article 17) — EDPB 2025 Enforcement Priority

The EDPB selected Article 17 as a 2025 coordinated enforcement priority. Our procedures include:

  • 30-day response time (extendable to 60 days with prior notification under Article 12(3) GDPR)
  • Assessment of exceptions under Article 17(3) GDPR
  • Cascading deletion across backup and archival systems

4.2 Right to Data Portability (Article 20)

We provide personal data in structured, commonly used, machine-readable formats (JSON, CSV), including direct provision to another controller where technically feasible and instructed by the Controller.

5. Subprocessors and International Transfers

5.1 Subprocessor Governance

We maintain a current list of subprocessors, available upon written request to legal@cardiac-purr.com. All subprocessors:

  • Are bound by data protection obligations no less protective than those in this DPA, pursuant to Article 28(4) GDPR
  • Comply with the EU Data Act (Regulation (EU) 2023/2854) where applicable
  • Undergo prior security and compliance vetting

5.2 International Transfers

For transfers of personal data to third countries outside the EEA, we rely on:

  • EU–US Data Privacy Framework (DPF): The adequacy decision was upheld by the EU General Court on 3 September 2025 (Case T-553/23, Latombe v. Commission). An appeal has been filed before the CJEU on 31 October 2025 and remains pending. The DPF adequacy decision is fully operative during appeal proceedings. We maintain SCCs as a parallel safeguard for all US transfers.
  • Standard Contractual Clauses (SCCs): European Commission Decision 2021/914 of 4 June 2021 — Module 2 (controller to processor) or Module 1 (controller to controller) as applicable.
  • Transfer Impact Assessments (TIAs) are conducted for all third-country transfers in accordance with EDPB Recommendations 01/2020.

6. Security and Breach Notification

6.1 Technical and Organisational Measures

We implement Article 32 GDPR measures appropriate to the risk, including:

  • Encryption of data at rest (AES-256) and in transit (TLS 1.3)
  • Pseudonymization and strict access controls
  • Regular penetration testing and vulnerability assessments
  • Staff data protection training and confidentiality obligations

6.2 Personal Data Breach Response

Under Articles 33–34 GDPR and Polish notification requirements:

  • We notify the Controller without undue delay and, where feasible, no later than 48 hours after becoming aware of a Personal Data Breach, to allow the Controller to meet the 72-hour notification deadline to the supervisory authority under Article 33 GDPR
  • Notification to data subjects without undue delay where a high risk to their rights and freedoms exists (Article 34 GDPR), coordinated with the Controller

7. Data Return and Deletion

Upon termination or expiry of this DPA, or upon the Controller's request:

  • We return or securely delete all personal data processed on behalf of the Controller, at the Controller's election
  • Deletion certificates are provided upon request
  • Retention of personal data by us continues only where required by EU or Polish law, with the legal basis and retention period documented in writing

8. Audit and Compliance

We provide the Controller with all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits and inspections, including:

  • Annual compliance reports for high-risk processing activities
  • Documentation of processing activities (Article 30 GDPR) upon request
  • Cooperation with EDPB coordinated enforcement investigations
  • Readiness for UODO inspections

9. Contact and Supervisory Authorities