Data Processing Addendum

Version 1.0 · Effective date: March 1, 2025

This Data Processing Addendum (“DPA”) supplements the Terms of Service (the “Agreement”) between Thinkle (“Processor”), operated by 3RZ d.o.o., and the customer subscribing to the Services (“Controller”). Capitalized terms have the meanings set out in the Agreement unless otherwise defined in this DPA.

1. Scope

This DPA applies to the extent Thinkle processes Personal Data subject to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, the California Consumer Privacy Act (CCPA), or other similar privacy laws on behalf of the Controller.

2. Roles & Responsibilities

Controller determines the purposes and means of processing Personal Data. Processor processes Personal Data only on documented instructions from Controller, including with respect to cross-border transfers, subject to this DPA and applicable law.

3. Processing Instructions

Processor will process Personal Data solely to provide, maintain, and improve the Services, prevent or address technical and security issues, and comply with legal obligations. If Processor is required by law to process Personal Data beyond Controller instructions, it will inform Controller unless prohibited.

4. Confidentiality

Processor ensures personnel with access to Personal Data are bound by confidentiality obligations and receive appropriate training on privacy and security requirements.

5. Security

Processor implements technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. Such measures include access controls, encryption in transit, audit logging, vulnerability management, and regular risk assessments.

6. Subprocessors

Controller authorizes Processor to engage subprocessors necessary to deliver the Services, including hosting, data storage, analytics, customer support, and AI infrastructure vendors. Processor will ensure subprocessors are subject to obligations no less protective than this DPA and will remain liable for their performance. Processor will provide Controller with a list of current subprocessors upon request and notify Controller of material changes.

7. Data Subject Requests

Taking into account the nature of processing, Processor will assist Controller in responding to data subject requests to exercise their rights under applicable privacy laws. If a request is made directly to Processor, it will promptly notify Controller and await instructions, unless prohibited by law.

8. Incident Response

Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach. The notification will include reasonable details to enable Controller to comply with its own notification obligations. Processor will cooperate with Controller and take steps to remediate the incident.

9. Data Transfers

Where Processor transfers Personal Data outside the originating jurisdiction, it will ensure appropriate safeguards are in place, such as Standard Contractual Clauses or an adequacy decision. Processor will assist Controller in ensuring compliance with cross-border transfer requirements.

10. Audits

Upon reasonable written request and subject to confidentiality obligations, Processor will provide information necessary to demonstrate compliance with this DPA and allow for audits by Controller or an independent auditor, provided such audits occur no more than once per year and during normal business hours.

11. Return or Deletion

Upon termination of the Services, Processor will delete or return Personal Data in accordance with Controller instructions and applicable law, unless retention is required by law. Processor may retain aggregated or anonymized data that does not identify Controller or data subjects.

12. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Agreement, except to the extent prohibited by applicable law.

13. Conflict

If there is any inconsistency between the Agreement and this DPA, this DPA prevails to the extent of the conflict with respect to data protection obligations.

14. Contact

Data protection inquiries should be directed to rene@3rz.eu.
