Data Processing Agreement

GDPR-Compliant Data Processing Terms

Processing Relationship

When providing AI automation and software development services, Zodbyte OÜ may act as a data processor on your behalf. You remain the data controller, determining the purposes and means of personal data processing.

This agreement supplements our main service agreement and ensures GDPR compliance for any personal data processing activities.

Data Processing Scope

We process personal data only as necessary to deliver our services, including customer information, employee data, or end-user data within your systems. Processing activities include storage, analysis, integration, and automation according to your instructions.

Data categories may include contact information, business communications, system usage data, and any personal data within your existing business processes we automate.

Security Measures

We implement appropriate technical and organizational security measures, including encryption, access controls, regular security assessments, and staff training. Data is processed in secure environments with restricted access.

We maintain ISO 27001-aligned security practices and conduct regular security reviews to ensure continued protection of personal data.

Data Subject Rights

We assist you in responding to data subject requests for access, rectification, erasure, portability, and other GDPR rights. We provide necessary technical and organizational measures to facilitate these requests.

Data subjects can exercise their rights by contacting you directly or through our designated contact channels as specified in project agreements.

Sub-processors & International Transfers

We may engage sub-processors for specific technical services, always under equivalent data protection obligations. We maintain a list of authorized sub-processors and notify you of any changes.

Data processing occurs primarily within the EU/EEA. Any international transfers comply with GDPR requirements, including adequacy decisions or appropriate safeguards.

Incident Response & Breach Notification

We maintain incident response procedures and will notify you without undue delay of any personal data breach, typically within 24 hours of becoming aware. We provide all necessary information to assess and report the breach to authorities if required.

We assist in breach investigation, containment, and remediation activities as specified in our security incident response plan.

Data Return & Deletion

Upon service termination, we return or securely delete all personal data unless legally required to retain it. We provide certification of deletion when requested and technically feasible.