Annex to the Contract
DATA PROCESSING AGREEMENT
This Data Processing Agreement ("DPA") is entered into by and between the Controller and the Processor as defined in the Contract, of which it forms an integral part (each a "Party" and collectively the "Parties").
WHEREAS
A. in carrying out the Services, as defined in the Contract, the Processor may have access to or process personal data used by the Controller pursuant to the UK Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("UK GDPR") and other applicable data protection laws and provisions;
B. the Processor acts, on the basis of the Contract, as data processor pursuant to article 28 of the UK GDPR;
C. article 28 of the UK GDPR provides that the Controller and the Processor shall enter into a DPA, which determines purposes, scope and duration of the data processing, nature of the personal data processed, categories of data subjects, undertakings and rights of the Controller and the Processor;
D. this DPA governs such data processing activities in order to comply with the UK GDPR and applicable data protection laws.
Now, therefore, between the Parties it is agreed as follows:
1. Definitions
For the purposes of this DPA, terms and definitions as used by the UK GDPR shall apply. In addition, the following terms and definitions shall have the following meaning:
"Controller" shall mean the Client, which determines the purposes and means of processing Personal Data in accordance with Article 4(7) of the UK GDPR.
"Processor" shall mean Lupa Pets, which processes Personal Data on behalf of the Controller in accordance with Article 4(8) of the UK GDPR and the terms of this DPA;
"Data Breach" shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which affects the personal data of the Controller covered by this DPA, as defined by article 4, n. 12 of the UK GDPR;
"Sub-processor" shall mean any further processor, located within or outside the EU/EEA, that is engaged by the Processor as a sub-contractor for the performance of the Services or parts of the Services on behalf of the Controller, provided that such Sub-processor has access to the personal data of the Controller exclusively for purposes of carrying out the subcontracted Services on behalf of the Controller.
"Data Protection Laws" shall mean the UK GDPR, the Data Protection Act 2018 and all applicable legislation concerning data protection in general.
2. Recital and Annexes
Recitals and annexes are an integral part of this Agreement.
3. Scope of the DPA
The Controller appoints LUPA PETS, which accepts, as Processor, according to article 28 of the UK GDPR and to the Data Protection Laws in general. This DPA sets forth the subject-matter, the duration of the processing, the nature and purpose of the processing by the Processor on behalf of the Controller, the type of personal data and categories of data subjects, the obligations and rights of the Controller with reference to the personal data as specified hereinbelow.
4. Subject matter of the processing
The personal data processed (hereinafter the "Personal Data") may include:
a. the following categories of data subjects: Controller's clients, Controller's employees, consultants, collaborators, contractors, third parties in general.
b. the following categories of data: name, surname, date and country of birth, company, address, contact data, such as phone number, email address, appointments, bank accounts, fiscal code, IP address, usage data connected with the use of the online services (such as IP Address, device IP, type of browser used). In addition, as per the Controller's employees the following data may be processed: workplace address, working schedules, authorisation level, and qualifications.
The Personal Data shall be processed only for the correct performance of the Services.
5. General responsibilities of the Parties
5.1 Responsibilities of the Controller
5.1.1 The Controller is responsible for confirming that the processing activities relating to the Personal Data, as specified in the Contract and in this DPA, are lawful, fair and transparent in relation to the data subjects, as set out in article 4 above. The Controller acknowledges and agrees that it is solely responsible for any claims, damages or penalties arising from the failure to identify a lawful basis for sharing Personal Data, including gathering consent where required, or for any other non-compliance with Data Protection Laws related to the collection and sharing of data subjects' data.
5.2 Obligations of the Processor
5.2.1 The Processor is obliged to implement technical and organisational measures to protect Personal Data before processing data on behalf of the Controller, in accordance with article 32 of the UK GDPR with specific reference to risks of unintentional or illegal destruction, loss, alteration, unauthorised disclosure or access. The Processor must document those measures in writing and periodically review them at least annually to ensure they remain current and complete.
5.2.2 The Processor agrees and warrants that it will process the Personal Data on behalf of the Controller and in compliance with its instructions and this DPA. If it cannot provide such compliance for whatever reasons, it agrees to promptly inform the Controller of its inability to comply, in which case, the Controller is entitled to suspend the transfer of data and/or terminate the Contract and this DPA.
5.2.3 The Processor may amend the technical and organizational measures from time to time provided that the amended technical and organizational measures are not less protective than those set out in article 32 of the UK GDPR.
5.2.4 The Processor agrees and warrants that it will deal promptly and properly with all inquiries from the Controller relating to its processing of the Personal Data and to abide by the advice of the Information Commissioner's Office, or any other regulatory authority in place from time to time, with regard to the processing of the data transferred.
5.2.5 The Processor shall be obliged to ensure that persons authorized to process the Personal Data on behalf of the Controller, in particular employees of the Processor and any Sub-processors, including their employees, process such Personal Data in compliance with the Controller's instructions.
5.2.6 The Processor is obliged to provide to the Controller the respective information on records of processing activities relating to the services under this DPA, to the extent necessary for the Controller to comply with its obligation to maintain records of processing.
5.2.7 If so required by the Controller, the Processor shall provide assistance to the Controller in ensuring the Controller's compliance relating to data protection impact assessments, taking into account the nature of the processing and the information available to the Processor.
5.2.8 The Processor is obliged - at the choice of the Controller - to delete or return to the Controller all Personal Data which are processed by the Processor on behalf of the Controller under this DPA after the end of the Contract, and delete any existing copies. The Processor is entitled to keep Personal Data for legitimate purposes, including but not limited to compliance with legal obligation or for other legitimate interest as provided for by the UK GDPR and Data Protection Laws, provided that those legitimate interests do not override the interests of the data subjects or the Controller.
5.3 The Parties are required to comply with those obligations under the UK GDPR and under any other applicable Data Protection Laws that apply to the Controller in its role as data controller or to the Processor in its role as data processor.
6. Instructions
As required by Section 5.2.2 of this DPA, the Processor is obliged to process the Personal Data on behalf of the Controller and in accordance with Controller's instructions, the Contract, and the Data Protection Laws, including with regard to transfers of Personal Data to a third country or an international organization, unless the Processor is required to do so by domestic law to which the Processor is subject.
7. Monitoring, audits, and inspections by the Controller
7.1 The Processor shall monitor its own compliance and the compliance of its employees and Sub-processors, if any, to this DPA and to the UK GDPR, also by making available to the Controller relevant information to such extent.
7.2 The Controller shall have the right to conduct audits, including on-site inspections, conducted by the Controller or another auditor mandated by the Controller (an "Audit"). Such Audit shall be carried out giving proper notice to the Processor with regards to the processing activities required by the provision of Services, no more than once annually, unless in case of a Data Breach, where the Controller shall have the right to conduct an expedited Audit upon reasonable notice, or when required by the applicable law or by the competent supervisory authority. On-Site Audit may be performed during regular business hours, without substantially disrupting the Processor's business operations and the Controller shall bear any costs arising out of it. The Processor shall provide all necessary documentation and access to ensure compliance verification.
8. Confidentiality commitments
The Processor ensures that persons authorized to process the Personal Data on behalf of the Controller, in particular employees of Processor and any Sub-processors, including their employees, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with reference to the Personal Data and processing activities regulated by this DPA. The Processor will also ensure that all of its employees have undertaken training on the Data Protection Laws and how they relate to their handling of the Personal Data and how they apply to their particular duties.
9. Notification obligation and Data Breach
9.1 In addition to other notification obligations provided for by this DPA, the Processor shall notify the Controller without undue delay about: (i) any legally binding request for disclosure of the Personal Data by a law enforcement authority, or any orders by courts and competent regulators/authorities relating to the processing of Personal Data under this DPA; (ii) any complaints or requests received directly from a data subject (e.g., regarding access, rectification, erasure, restriction of processing, data portability, objection to processing of data, automated decision-making) without responding to that request unless the Processor has been otherwise authorized to do so or otherwise required by applicable law; and (iii) any Data Breach relating to the Services provided by the Processor.
9.2 In any case, the Processor shall without undue delay communicate to the Controller that a Personal Data Breach has occurred, collecting and providing to the Controller all necessary information to allow the Controller to evaluate the Data Breach and adopt all necessary consequent measures, such as to notify the Data Breach to the supervisory Authority within 72 hours after having become aware of it.
10. Response to data subject requests
The Processor shall assist the Controller with the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights connected with the performance of the Contract.
11. Sub-processing
11.1 The Controller approves the Sub-processors in place at the commencement of this DPA. A current list of Sub-processors used by the Processor is available to the Controller upon request. The Processor may engage or replace Sub-processors at its sole discretion but must provide the Controller with at least 14 days' prior written notice before doing so. If the Controller objects to a new or replaced Sub-processor due to documented data protection concerns, it must notify the Processor in writing within 30 days of receiving the notice. The parties shall work in good faith to resolve the Controller's concerns. If no resolution is reached, the Controller may terminate the Contract by providing 30 days' written notice. The termination will take effect once this 30-day notice period expires. The Controller will not be liable for early termination fees or any ongoing obligations beyond the termination date, even if the Contract states otherwise.
11.2 The Processor undertakes to choose such Sub-processor diligently with special attention to its good standing and experience and the suitability of its technical and organizational measures. The Processor shall enter into a written contract with any Sub-processor and such contract shall impose upon the Sub-processor the same obligations as imposed by this DPA upon the Processor, to the extent applicable to the subcontracted Services. Upon the Controller's reasonable written request, the Processor shall provide the Controller with copies of the relevant excerpts from such contracts. Where the Sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.
12. Local law compliance
The Parties are committed to amend this DPA if required by the applicable Data Protection Laws, including decisions and guidelines of the competent data protection authorities.
13. Effectiveness, term and termination
This DPA shall have the same term as the Contract. Termination rights and requirements shall be the same as set forth in the Contract.
14. Google User Data: Sharing, Transfer, and Disclosure
14.1 Data Processing
Lupa Pets values your privacy and is committed to transparency regarding how we handle Google user data. This section specifically addresses how we process, share, transfer, and disclose Google user data in compliance with Google API Services User Data Policy and applicable data protection laws.
14.2 Collection and Use of Google User Data
When you authorize our application to access your Google account data, we only collect the specific data necessary to send emails on behalf of our clients as explicitly authorized by you. We collect only the minimum amount of data required for this specific functionality.
Lupa Pets acts solely as a processor of this data, enabling our clients to send emails through the Google accounts that you have explicitly authorized. We do not use this data for any other purpose.
We explicitly affirm that Google Workspace APIs and the Google user data accessed through these APIs are not used to develop, improve, or train generalized artificial intelligence (AI) and/or machine learning (ML) models. Any data accessed through Google Workspace APIs is used exclusively for providing the specific functionality authorized by you and for no other purposes.
14.3 Sharing of Google User Data
We do not share Google user data with any third parties, including service providers. Google user data is used exclusively to send emails on behalf of our clients as explicitly authorized by you.
The only exception to this policy is:
Legal Requirements: We may disclose your Google user data if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency).
14.4 International Transfer of Google User Data
If we transfer your Google user data to servers or service providers located outside the UK/EEA, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses approved by the UK Information Commissioner's Office
- Ensuring the recipient country has been deemed to provide adequate protection for personal data by the UK authorities
- Where applicable, obtaining your explicit consent for the transfer
14.5 Data Retention and Deletion
We retain Google user data only for as long as necessary to provide you with our services or as required by law. Upon your request to delete your account or revoke access, we will promptly delete all Google user data associated with your account, unless retention is required by law.
14.6 Your Rights Regarding Google User Data
You have the right to:
- Access your Google user data that we process
- Correct inaccurate data
- Delete your data
- Restrict or object to processing
- Data portability
- Withdraw consent at any time
To exercise any of these rights regarding your Google user data, please contact us at [contact email].
14.7 Changes to This Google User Data Policy
We may update this Google User Data Policy periodically. We will notify you of any changes by posting the new policy on this page and updating the "Last Updated" date.
15. Other provisions
15.1 Each Party is liable for its obligations set out in this DPA and in applicable Data Protection Laws. Any liability arising out of or in connection with a violation of the obligations of this DPA or under applicable Data Protection Laws, shall be governed by the liability provisions set forth in, or otherwise applicable to, the Contract, unless otherwise provided within this DPA. If the liability is governed by the liability provisions set forth in, or otherwise applicable to, the Contract, for the purpose of calculating liability caps and/or determining the application of other limitations on liability, the Contract shall apply instead of this DPA.
15.2 This DPA shall be governed by the law of England and Wales. The place of jurisdiction for all disputes regarding this DPA shall be as determined by the Contract.
15.3 Should one or more provisions of this DPA be or be declared null and void, the validity of the remaining articles, provisions, terms and parts of this DPA shall not in any way be affected. In any such event the Parties hereto shall, by an amendment to this DPA, properly replace such provision by a reasonable new provision or provisions which, as far as legally possible, shall approximate what the Parties intended by such original provision and purpose thereof.
Last Updated: 25 March 2025