
Data Processing Agreement (DPA)

Data Processing Agreement pursuant to Art. 28 GDPR for the Deratix service.


Effective date: 17 Mar 2026

This Data Processing Agreement (hereinafter "DPA") constitutes an annex to the General Terms of Service of the Deratix service (hereinafter "Terms") and governs the mutual rights and obligations of the parties regarding the processing of personal data pursuant to Art. 28 of Regulation (EU) 2016/679 (GDPR).

1. Parties and their roles

1.1. Controller (Customer): A natural or legal person (an entrepreneur) who has entered into a contract with the Provider under the Terms and inputs personal data into the Service.
1.2. Processor (Provider): Deratix s. r. o., with its registered office at Štúrova 1359/12, 900 28 Ivanka pri Dunaji, Slovak Republic, Company ID: 57512833.
1.3. The Customer is the Controller of the personal data entered into the Service. The Provider processes such data solely according to the Customer's instructions and to the extent necessary to provide the Service.

2. Subject matter and purpose of processing

2.1. The Provider processes personal data solely for the purpose of providing the Service under the Terms, in particular:

  • operating the Deratix application (SaaS),
  • storing and displaying DDD protocols,
  • generating PDF documents,
  • managing the Customer's client database,
  • sending system email notifications.

3. Categories of data subjects and personal data

3.1. Data subjects:

  • the Customer's clients (recipients of DDD services),
  • the Customer's employees and technicians.

3.2. Categories of personal data:

  • identification data (name, surname, company ID, tax ID),
  • contact data (email, phone, address),
  • location data (GPS coordinates during service delivery),
  • signatures (electronic, in PDF documents),
  • photo documentation (photographs from completed work),
  • DDD activity data (type of treatment, materials used, findings).

4. Obligations of the Processor

The Processor undertakes to:

  • 4.1. Process personal data solely on the basis of documented instructions from the Controller, including transfers to third countries.
  • 4.2. Ensure that persons authorised to process personal data are bound by a confidentiality obligation.
  • 4.3. Implement appropriate technical and organisational measures to ensure the protection of personal data (see Section 7).
  • 4.4. Not engage another processor without the prior written consent of the Controller (see Section 5).
  • 4.5. Assist the Controller in fulfilling its obligations under Articles 32–36 GDPR.
  • 4.6. Notify the Controller without undue delay of any personal data breach, no later than 48 hours from becoming aware of it.
  • 4.7. Delete all personal data within 30 days after the termination of the Service, unless legal requirements mandate retention.
  • 4.8. Provide the Controller with all information necessary to demonstrate compliance with Art. 28 GDPR and allow for audits.

5. Sub-processors

5.1. The Controller grants the Processor a general written authorisation to engage the sub-processors listed in the table below. The Processor shall inform the Controller of any changes to sub-processors at least 14 days in advance by email. The Controller has the right to object.

5.2. Current list of sub-processors:

Sub-processor           Location / Data location     Purpose
----------------------  ---------------------------  ----------------------------------
Hetzner Online GmbH     Germany (EU)                 Server and database hosting
SFTPCloud.io            Frankfurt, Germany (EU)      Encrypted data backups
MechanicWeb Inc.        USA → Data: Germany (EU)     Server infrastructure management
cPanel / Softaculous    USA → Data: Germany (EU)     Server environment management
Emailit (emailit.com)   EU                           Transactional email delivery

5.3. For sub-processors headquartered in the USA, data is physically stored exclusively in the EU (Germany). Transfers are based on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

6. Obligations of the Controller

The Controller undertakes to:

  • 6.1. Ensure a lawful legal basis for the processing of data entered into the Service.
  • 6.2. Fulfil the information obligation towards data subjects.
  • 6.3. Respond to data subjects' requests to exercise their rights.
  • 6.4. Not enter special categories of data (Art. 9 GDPR) into the Service beyond what is necessary for DDD activities.

7. Technical and organisational measures (TOMs)

The Processor implements and maintains the following measures:

Encryption and transfer:

  • client-server communication is encrypted using TLS 1.2+,
  • backups are encrypted using AES-256,
  • databases are accessible only from the server's internal network.

Access control:

  • access to data is governed by a role-based access control system (RBAC),
  • every access is recorded in an audit trail,
  • passwords are stored exclusively in hashed form (bcrypt).

Availability and recovery:

  • automatic daily backups to a geographically separate storage (SFTPCloud, Frankfurt),
  • 24/7 availability monitoring,
  • guaranteed uptime of 99.5% monthly (see Terms).

Organisational measures:

  • personnel with access to personal data are bound by confidentiality,
  • regular software updates and security patches,
  • incident response procedures.

8. Duration of processing and deletion

8.1. This DPA is effective for the entire duration of the service agreement under the Terms.
8.2. After termination of the Service, the Processor shall delete all Customer personal data within 30 days. A confirmation of deletion shall be provided upon request.
8.3. The Customer is obliged to export their data before the Service ends (see Section 9 of the Terms – Data Export).

9. Audits

9.1. The Controller has the right to conduct an audit of compliance with this DPA, no more than once per year, with at least 30 days' prior notice.
9.2. The audit may be conducted by the Controller or by an independent auditor appointed by the Controller, bound by confidentiality.
9.3. The costs of the audit shall be borne by the Controller, unless the audit reveals a material breach of this DPA.

10. Final provisions

10.1. This DPA shall be governed by Slovak law and the GDPR.
10.2. In case of conflict between this DPA and the Terms, this DPA shall prevail to the extent relating to personal data protection.
10.3. Questions regarding personal data protection: support@deratix.com
