Data Processing Addendum (DPA)
Last updated: 2026-05-03
⚠ Draft v1. Compliant with Article 28 GDPR; to be reviewed by counsel before production launch.
1. Parties and scope
- This DPA is concluded between aveneo Dawid Morzyński — a Polish sole proprietorship registered with NIP 7792268011, ul. Dmowskiego 124, 60-124 Poznań (“aveneo”, “Processor”) — and the Customer that has entered into the CookieGuard Service agreement (“Controller”).
- The DPA governs the Processor's processing of personal data on behalf of the Controller in connection with the Service (“Entrusted Data”).
- It enters into force upon acceptance of CookieGuard's Terms or signature of a separate agreement with aveneo.
2. Subject, nature and duration
- Subject: provision of the cookie consent management service (CMP).
- Nature: automated electronic processing.
- Purpose: performing the agreement and supporting Controller's GDPR/ePrivacy obligations.
- Duration: the term of the Service agreement plus 30 days for export / deletion.
- Categories of data subjects: visitors to Controller's websites, dashboard users.
- Categories of data: anonymous visitor identifier, timestamps, country (from IP-Country headers), consent category choices, policy version, hash of the previous record (we do not store raw IPs).
3. Processor obligations
- Process Entrusted Data only on documented Controller instructions.
- Ensure that authorised personnel are bound by confidentiality.
- Implement appropriate technical and organisational measures, including:
  - TLS 1.3 in transit and AES-256 at rest,
  - multi-factor authentication for production access,
  - access logging (Audit Log) with 12-month retention,
  - regular security testing and backups,
  - least-privilege policy for engineering.
- Assist the Controller in fulfilling data-subject rights (Articles 12–22 GDPR).
- Notify the Controller of personal-data breaches within 48 hours of detection.
4. Sub-processors
- The Controller grants general authorisation for the Processor to use sub-processors listed at /legal/subprocessors (coming soon). Currently:
  - Stripe Payments Europe Ltd. (IE) — payments,
  - Hetzner Online GmbH (DE) — hosting,
  - Resend (US, SCC) — transactional email,
  - Cloudflare (US, SCC) — CDN and DDoS protection,
  - Sentry (US, SCC) — error telemetry.
- The Processor announces additions or changes at least 30 days in advance. The Controller may object on reasonable grounds — in which case it may terminate the agreement.
5. International transfers
For US sub-processors we use the EU Commission-approved Standard Contractual Clauses (Decision 2021/914) plus additional safeguards (encryption, pseudonymisation). A Transfer Impact Assessment is documented and available on request.
6. Audits
- The Controller may audit the Processor — itself or via an independent auditor — with 30 days' notice, once a year, during business hours, at the Controller's cost (unless the audit reveals a Processor breach, in which case the Processor bears the cost).
- The Processor may satisfy the audit right by providing current security certifications and reports (e.g., SOC 2 Type II, ISO 27001 — when available).
7. Return or deletion of data
On termination, at the Controller's choice the Processor returns or deletes all Entrusted Data, including backups, within 30 days. A confirmation of deletion is issued. Exception: data required for the Processor's legal obligations (e.g., invoice records — 5 years) are kept until the end of the required period.
8. Liability
The Processor is liable for damage caused by non-performance or improper performance of this DPA. Aggregate liability is capped per the Terms (§ 8). The cap does not apply to wilful misconduct or liability towards data subjects.
9. Final provisions
- Matters not regulated here are governed by the CookieGuard Terms, GDPR, and Polish law.
- In case of conflict between this DPA and the Terms, this DPA prevails for matters of personal data protection.
- Disputes are resolved by the court with jurisdiction over the Processor's seat.