Version 5.2 · Effective date:
Terms for processing third-party personal data when Hej Bóbr supports customer websites, forms, hosting, or publication.
Parties
The controller is the customer using the service in relation to third-party personal data collected or processed on customer websites. The processor is Seidr sp. z o.o., ul. Marsz. Józefa Piłsudskiego 74 / 320, 50-020 Wrocław, KRS 0001189184, NIP 8971958342. This DPA is an annex to the Terms or a separate agreement between the parties.
Subject matter and duration
The processing concerns personal data processed in connection with website creation, hosting, publication, contact forms, analytics, and technical support for customer websites. Processing lasts for the term of the main agreement and the period necessary to delete, return, or secure data after termination.
Nature and purpose
Processing includes storage, organisation, display, transmission, protection, deletion, export, and technical processing of data to provide services to the customer.
Categories of data subjects and data
- visitors to customer websites, form submitters, potential customers, employees, contractors, and customer representatives
- name, email, phone number, company name, message content, IP address, technical data, form data, and other data entered by the customer
Controller instructions
We process personal data only on documented instructions from the controller unless law requires otherwise. The Terms, account configuration, service settings, support tickets, and this DPA form documented instructions.
Processor obligations
- maintain confidentiality
- allow processing only by authorised persons
- apply appropriate technical and organisational measures
- reasonably assist with data-subject rights, breaches, DPIAs, and authority consultations
- delete or return data after termination unless law requires storage
- provide information necessary to demonstrate compliance
- allow audits within a reasonable scope after prior agreement
Security
- access control and authentication
- customer data separation where technically appropriate
- backups and encrypted transmission
- security monitoring, incident procedures, and administrative access restrictions
Subprocessors and right to object
The customer gives general authorisation to use subprocessors necessary to provide the service. The main subprocessors are published in the Subprocessor List.
Before adding a new subprocessor or replacing an existing one, the Service Provider informs the customer in the manner used in the service or by email. The customer may, within 7 days of being informed, raise a reasoned objection on genuine data-protection grounds. Absence of an objection within that period is treated as acceptance of the new subprocessor.
If a reasoned objection is raised, the parties will seek an alternative in good faith. Where no alternative is feasible and the objection prevents technically or economically reasonable provision of the service with that subprocessor, the Service Provider may terminate this DPA and the main agreement, in whole or in part, with effect at the end of the paid billing period, without contractual penalties or liability on that account.
Audits and their cost
The Service Provider allows the customer to audit compliance within a reasonable scope, no more than once a year, after agreeing the date, scope, and confidentiality terms in writing and with respect for the security of other customers' data. The Service Provider may first demonstrate compliance by providing current certificates, reports, or answers to a security questionnaire.
All costs of an audit initiated by the customer, including the cost of an external auditor and the reasonable cost of the working hours of Service Provider personnel involved in handling the audit, are borne in full by the customer. This does not apply to an audit made necessary by a confirmed personal data breach caused by the Service Provider.
Transfers, breaches, and liability
Transfers outside the EEA are covered by an appropriate legal mechanism where required. We will notify the controller of a personal data breach without undue delay after becoming aware of it.
The Service Provider's total liability under this DPA and for breach of data-protection law is subject to the same monetary cap as the Terms, namely the sum of net subscription fees paid by the customer in the 3 months preceding the event causing the damage. This cap covers recourse claims between the parties and does not exclude liability that cannot be excluded or limited under mandatory law, in particular liability towards data subjects and the supervisory authority.