Archbridge
PLEN ← Home
Working draft (beta). A template data processing agreement - it requires final legal review before being made available. The agreement covers personal data that the User (as controller) enters into Rooms; it is concluded with Users who are entrepreneurs (Pro, Team, Business plans). The Polish version is binding - this English text is for convenience only. Items marked [like this] still need to be completed.

Contents

  1. § 1. Parties and definitions
  2. § 2. Subject and purpose
  3. § 3. Duration, data, categories of persons
  4. § 4. Obligations of the Processor
  5. § 5. Sub-processing
  6. § 6. Transfers to third countries
  7. § 7. Assistance to the Controller. Audit
  8. § 8. Personal data breaches
  9. § 9. Deletion or return of data
  10. § 10. Liability. Final provisions

Data Processing Agreement (DPA)

Working draft · an annex to the Archbridge Terms · URES sp. z o.o. · The Polish version prevails.

§ 1. Parties and definitions

  1. This data processing agreement (the Agreement or DPA) is concluded between:
    • URES sp. z o.o., with its registered office in Warsaw, ul. Złota 75A/7, 00-819 Warsaw, Poland, KRS 0001016567, NIP 5214003808 - as the Processor, and
    • the User who is an entrepreneur, has concluded a contract for the Archbridge service and enters into Rooms personal data of which they are the controller - as the Controller.
  2. The Agreement is concluded when the Controller accepts its content at purchase or in the Account management panel, at the latest before entering personal data of third parties into a Room. [to be determined: how the Agreement is concluded - at purchase / on request; plans covered: Pro, Team, Business]
  3. Capitalised terms not defined in the Agreement have the meaning given to them in the Archbridge Terms and in the GDPR (Regulation (EU) 2016/679). The Agreement constitutes the entrustment of processing within the meaning of Article 28 GDPR.
  4. The Agreement covers solely personal data contained in the User Content entered into Rooms, in respect of which the User is the controller. It does not cover Account data or billing data, of which URES sp. z o.o. is the controller (see the Privacy Policy).

§ 2. Subject and purpose of the entrustment

  1. The Controller entrusts the Processor with processing the personal data contained in the User Content, to the extent and for the purpose necessary to provide the Archbridge service in accordance with the Terms.
  2. Nature of processing: technical storage, transmission between Room participants and making available under Human Oversight, as well as making backups - solely to the extent necessary for the Service to operate.
  3. The Processor processes data solely on the Controller's documented instructions. Using the Service in accordance with the Terms and the configuration settings made by the Controller are deemed such an instruction. The Processor does not use the data for its own purposes, in particular does not analyse it or use it to train artificial-intelligence models.
  4. If the Processor is required to process by Union or Polish law, it informs the Controller before processing, unless that law prohibits such information on important grounds of public interest.

§ 3. Duration, type of data and categories of persons

  1. Duration of processing: for the term of the contract for the Service and - for individual Content - for the retention period applicable to the chosen Plan, after which the data is deleted in accordance with § 9.
  2. Type of personal data: data contained in the Content entered by the Controller into Rooms - its scope is determined by the Controller. It may in particular include identification and contact data, professional data and the content of correspondence. The Service is not intended for processing special categories of data (Article 9 GDPR) - the Controller is responsible for any such data being entered.
  3. Categories of data subjects: determined by the Controller; they may in particular include the Controller's employees, associates, clients and contractors, and other persons whose data the Controller enters into Rooms.

§ 4. Obligations of the Processor

In accordance with Article 28(3) GDPR, the Processor undertakes to:

  1. process the data solely on the Controller's documented instructions (§ 2(3));
  2. ensure that persons authorised to process the data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality;
  3. apply technical and organisational measures ensuring a level of security appropriate to the risk (Article 32 GDPR), including: transmission encryption (TLS/HTTPS), OAuth 2.1 authentication, controlling access to Rooms with separate secrets, storing data in infrastructure located in the European Union (files in R2 storage with EU jurisdiction), and access control, backups and monitoring;
  4. observe the conditions for engaging sub-processors (§ 5);
  5. assist the Controller, as far as possible, through appropriate technical and organisational measures, in fulfilling the obligation to respond to data subjects' requests to exercise their rights (§ 7);
  6. assist the Controller in ensuring compliance with the obligations under Articles 32-36 GDPR (security, breach notification, impact assessment, prior consultation), taking into account the nature of processing and the information available;
  7. at the end of the provision of the Service, delete or return the data in accordance with § 9;
  8. make available to the Controller the information necessary to demonstrate compliance with Article 28 GDPR and allow for audits in accordance with § 7.

§ 5. Sub-processing

  1. The Controller gives its general authorisation for the Processor to engage further processors (sub-processors) in order to provide the Service. As at the date of the Agreement these are:
    Sub-processorRoleLocation
    Cloudflare, Inc.infrastructure: Workers, Durable Objects, D1 database, KV, R2 file storageEU (D1 - Vienna; R2 - EU jurisdiction) and global infrastructure - see § 6
    Stripe Payments Europe, Limitedpayment handling (for billing data - as a separate controller)Ireland / USA - see § 6
  2. The Processor imposes on each sub-processor, by contract, data-protection obligations equivalent to those in this Agreement, in particular the obligation to provide sufficient guarantees to implement appropriate technical and organisational measures (Article 28(4) GDPR).
  3. The Processor informs the Controller of intended changes concerning the addition or replacement of sub-processors (via a message on the Website or in the Account panel), giving the Controller the opportunity to object. [to be determined: notice period for a sub-processor change, e.g. 14 days, and the effects of an objection]

§ 6. Transfers to third countries

  1. As a rule, data is processed within the European Economic Area. Some technical operations may involve transferring a limited scope of data outside the EEA (including global components of Cloudflare's infrastructure and Stripe's payment operations).
  2. Any transfer outside the EEA takes place solely on the basis of: a) a European Commission adequacy decision (Article 45 GDPR), in particular the EU-U.S. Data Privacy Framework, or b) standard contractual clauses approved by Commission Implementing Decision (EU) 2021/914 (Article 46 GDPR), together with additional safeguards where required. [to confirm: the current DPF status of the providers and the SCC concluded]

§ 7. Assistance to the Controller. Audit

  1. The Processor assists the Controller in handling data subjects' requests (access, rectification, erasure, restriction, portability, objection). If a request is sent directly to the Processor, it forwards it to the Controller promptly and does not respond to it on its own without the Controller's instruction.
  2. The Processor makes available to the Controller the information necessary to demonstrate compliance with Article 28 GDPR and allows the Controller or an authorised auditor to carry out an audit (including an inspection). An audit takes place after reasonable prior notice, during working hours, in a manner that does not disrupt the security and continuity of the Service or breach the confidentiality of other clients' data. [to be determined: audit procedure, costs, frequency, the option to demonstrate compliance via certificates/reports instead of an on-site inspection]

§ 8. Personal data breaches

  1. Having identified a personal data breach concerning the entrusted data, the Processor notifies the Controller without undue delay, no later than within a time enabling the Controller to comply with Article 33 GDPR. [to be determined: a specific time, e.g. without undue delay, no later than 48 hours after identification]
  2. The notification contains at least the information required by Article 33(3) GDPR to the extent available to the Processor. The Processor cooperates with the Controller in handling the breach and in any notification of the supervisory authority and the data subjects.

§ 9. Deletion or return of data

  1. At the end of the provision of the processing-related Service, the Processor - at the Controller's choice - deletes or returns the entrusted personal data and deletes existing copies, unless Union or Polish law requires the data to be stored.
  2. During the term of the Agreement, individual Content is deleted after the retention period applicable to the Plan expires, in accordance with the Terms; the Controller may delete Content themselves at any time.

§ 10. Liability. Final provisions

  1. Each Party is liable for damage caused by processing that infringes the GDPR on the terms set out in Article 82 GDPR. The liability limitations under the Terms apply to the extent permitted by mandatory law.
  2. The Agreement is an annex to the Archbridge Terms and applies for the term of the contract for the Service. Matters not regulated are governed by the GDPR, the Act on the Protection of Personal Data and the Terms.
  3. In the event of a conflict between the Agreement and the Terms as regards the entrustment of personal data processing, the Agreement prevails.
  4. The governing law is Polish law. Disputes are resolved by the court competent under the Terms.

Working draft of the template data processing agreement - before being made available to Users it requires approval by the data controller (URES) and a final legal review. In case of any discrepancy, the Polish version prevails.

© 2026 URES sp. z o.o. · Archbridge Terms · Privacy Policy · DPA · Home