Data Processing Agreement

Effective Date: 24 May 2026 — Version 1.1 (updated 29 May 2026)

This Data Processing Agreement (DPA) supplements the Terms of Service between the Customer ("Data Controller") and PennaSystems ("Data Processor") to ensure compliance with GDPR Article 28.

1. Purpose & Instructions

The Processor processes personal data solely on behalf of the Controller to provide the SaaS platform. Processing occurs only on the Controller's documented instructions, which are given through the Controller's use of the platform.

2. Security & Breach Notification

The Processor ensures appropriate technical measures, including TLS encryption in transit and AES-256 encryption at rest.

Notification: In the event of a personal data breach, the Processor shall notify the Controller without undue delay, and no later than 48 hours after becoming aware of the breach, enabling the Controller to fulfill its regulatory obligations.

3. Subprocessors

The Controller provides general authorization for the use of subprocessors (listed at pennapay.com/legal/subprocessors). The Processor will notify registered users by email at least 30 days before adding a new subprocessor. If the Controller objects, it may terminate its subscription before the change takes effect.

4. International Transfers

The Processor commits to hosting the primary database and file storage within the EU/EEA. Transfers to third countries are strictly limited to necessary subprocessing operations and are safeguarded by GDPR Chapter V mechanisms, relying on the EU Standard Contractual Clauses (SCCs) or adequacy decisions such as the EU-US Data Privacy Framework (DPF).

5. Audits

The Controller has the right to verify compliance. As the Processor is a micro-enterprise (PMV), this is primarily fulfilled by providing documentation. If the Controller requests a physical audit, the parties shall agree in advance on the reasonable scope and allocation of costs, ensuring the Controller's audit rights are not frustrated.

6. Deletion

Upon termination of the subscription, the Processor will delete all Controller data (including end-client data) from its systems within a reasonable timeframe, unless continued storage is legally required.

Annex 1: Details of Processing