Data Processing Agreement (DPA) for Vonde Pro App

Effective Date: March 17, 2025

This Data Processing Agreement (“Agreement”) is entered into between:

Data Controller: The user or client of Vonde Technology services (“Data Controller”)

and

Data Processor: Vonde Technology, operated by KMAK Kelet-Magyarországi Adatközpont Kft. (“Data Processor”)

  1. Definitions

Terms defined by GDPR (Regulation EU 2016/679) apply to this Agreement:

  • “Personal Data”: any information relating to an identified or identifiable natural person.
  • “Processing”: any operation performed on Personal Data, such as collecting, storing, modifying, transmitting, or deleting data.
  • “Data Breach”: Unauthorized access, alteration, disclosure, or loss of personal data.
  1. Subject and Duration of Processing

The Data Processor processes personal data exclusively to provide the following services:

  • Digital business card (Biopage) creation and management
  • URL shortening
  • NFC and QR code management
  • Apple/Google Wallet integration

Data processing continues as long as the services are provided or until the termination of services by the Data Controller.

  1. Categories of Personal Data Processed
  • Contact Information: Name, email address, phone number
  • Transaction and subscription details (if applicable)
  • Technical data: IP addresses, device identifiers, OS information
  • Usage data and analytics
  1. Data Processor Obligations

The Data Processor agrees to:

  • Process personal data solely on documented instructions from the Data Controller.
  • Maintain strict confidentiality of personal data.
  • Ensure all personnel processing personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures to protect personal data, including but not limited to encryption, secure storage, access controls, and regular security audits.
  • Notify the Data Controller promptly and without undue delay in case of data breaches, providing all necessary information to assist the Data Controller in meeting its obligations under the GDPR.
  • Allow Data Controller to conduct audits or inspections with reasonable prior notice to verify compliance with this Agreement.
  • Inform the Data Controller immediately of any requests by data subjects or authorities related to the processed personal data.
  • Comply with the GDPR and all other applicable data protection laws and regulations.
  1. Sub-processors

The Data Processor may engage the following sub-processors:

  • Amazon Web Services (AWS): cloud infrastructure provider
  • Google (Firebase, AdMob, Analytics): analytics and advertising services

The Data Processor ensures that sub-processors adhere to the same data protection obligations outlined in this agreement and remains liable for their actions and omissions. The Data Processor shall provide the Data Controller with a list of sub-processors and shall inform the Data Controller of any intended changes concerning the addition or replacement of other sub-processors, thereby giving the Data Controller an opportunity to object to such changes.

  1. Data Transfers

International transfers of data will comply with GDPR standards and include safeguards such as EU Standard Contractual Clauses or other appropriate transfer mechanisms to ensure an adequate level of protection.

  1. Data Controller Obligations

The Data Controller is responsible for:

  • Ensuring a valid legal basis for processing personal data.
  • Informing data subjects about data processing activities in a transparent manner.
  • Responding to data subjects’ requests and fulfilling obligations under GDPR or relevant data protection regulations, including but not limited to providing access, rectification, erasure, restriction, portability, and the right to object to processing.
  1. Security Measures

The Data Processor implements technical and organizational measures to ensure the security of personal data, including:

  • Encryption of personal data both in transit and at rest.
  • Secure storage of personal data.
  • Access controls to personal data, limiting access to authorized personnel only.
  • Regular security audits and vulnerability assessments.
  • Implementation of appropriate authentication and authorization mechanisms.
  • Regular data backups and disaster recovery procedures.
  1. Data Breach Notification

In case of a data breach, the Data Processor will notify the Data Controller without undue delay, and in any event, within 72 hours of becoming aware of the breach. The notification will include all relevant information required under the GDPR, such as the nature of the breach, the categories and number of data subjects concerned, the likely consequences, and the measures taken or proposed to be taken to address the breach. The Data Processor will cooperate fully with the Data Controller in addressing and mitigating the breach.

  1. Data Subject Rights

The Data Processor assists the Data Controller in fulfilling obligations concerning data subjects’ rights, including access, rectification, erasure, restriction, portability, and objections to processing, by providing the Data Controller with the necessary information and tools to respond to data subject requests.

  1. Termination and Data Deletion

Upon termination of the service, the Data Processor will either delete or return all personal data, based on the Data Controller’s documented instructions, unless retention is required by Union or Member State law to which the Data Processor is subject.

  1. Audits and Inspections

The Data Controller may conduct audits, upon reasonable prior written notice, to verify compliance with this Agreement. The Data Processor shall provide reasonable assistance and access to information necessary for the Data Controller to conduct such audits.

  1. International Transfers

The Data Processor ensures compliance with international data transfer standards, including the use of Standard Contractual Clauses or other appropriate mechanisms, and will implement additional safeguards as necessary to ensure an adequate level of protection for personal data transferred outside the European Economic Area (EEA).

  1. Data Breach Notification

The Data Processor notifies the Data Controller of any data breach without undue delay, and in any event, within 72 hours of becoming aware of the breach, and cooperates fully in addressing and mitigating the breach.

  1. Governing Law

This Agreement shall be governed by applicable EU data protection laws, including the GDPR, and any other relevant jurisdictional regulations.

  1. Updates to this Agreement

We reserve the right to update this Agreement periodically. Updates will be communicated clearly to the Data Controller, and the Data Controller shall have the right to object to such changes.

  1. Contact Information

For any queries related to this Data Processing Agreement, please contact:

KMAK Kelet-Magyarországi Adatközpont Kft.

H-5000 Szolnok, Szapáry utca 20.

Email: [email protected]

By utilizing Vonde Technology services, both parties agree to adhere to the terms specified in this Data Processing Agreement.