Data Processing Agreement

This Data Processing Agreement (“Agreement”) is an integral part of the use of the services provided by FitJourney.ai BV (“Processor”) and outlines the rights and obligations regarding the processing of personal data by the Processor on behalf of its customers (“Controller”). By using the services of FitJourney.ai BV, the Controller agrees to the terms of this Agreement.


Recitals

(A) The Controller acts as the data controller and determines the purposes and means of processing personal data.
(B) The Controller wishes to engage the Processor to provide certain services that involve the processing of personal data, as described in the principal service agreement.
(C) The Processor agrees to process personal data on behalf of the Controller in accordance with the terms of this Agreement and applicable data protection laws, including Regulation (EU) 2016/679 (General Data Protection Regulation or GDPR).
(D) The Parties wish to set out their respective rights and obligations concerning such data processing.


1. Definitions and Interpretation

1.1 Unless otherwise defined, the terms used in this Agreement shall have the following meanings:

  • "Agreement": This Data Processing Agreement and its appendices.

  • "Controller Personal Data": Any personal data processed by the Processor on behalf of the Controller under the principal agreement.

  • "Data Protection Laws": EU data protection laws and, where applicable, the data protection or privacy laws of any other country.

  • "GDPR": General Data Protection Regulation (EU) 2016/679.

  • "Personal Data Breach": A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

  • "Services": The services provided by the Processor as described in the principal agreement.


2. Subject and Scope of Processing

2.1 The Processor shall:

  • Process personal data only based on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required by law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.

  • Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

2.2 The Controller instructs the Processor to process personal data for the purposes outlined in the principal agreement.


3. Security

3.1 The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to:

  • Pseudonymization and encryption of personal data.

  • Ensuring the confidentiality, integrity, availability, and resilience of processing systems and services.

  • Timely restoration of the availability and access to personal data in the event of a physical or technical incident.

  • Regular testing, assessing, and evaluating the effectiveness of technical and organizational measures.

3.2 Two-Factor Authentication (2FA):
The Processor offers customers the ability to enable two-factor authentication (2FA) to prevent unauthorized access to personal data. This option can be configured by the Controller through the settings of the provided services.


4. Subprocessors

4.1 The Processor shall not engage another processor (Subprocessor) without prior written authorization from the Controller.
4.2 The Controller authorizes the use of the following Subprocessors:

  Name                 | Country | Service
  ---------------------|---------|-------------------------------------------
  Amazon Web Services  | Germany | Storage of user data
  Render               | Germany | Server infrastructure and database
  Datadog              | EU      | Application monitoring and logging
  OpenAI               | EU      | AI processing via Enterprise API
  RubyRoid Labs        | Poland  | Software development and engineering

4.3 The Processor shall ensure that each Subprocessor is subject to equivalent data protection obligations as outlined in this Agreement.
4.4 The Controller has the right to object to new Subprocessors within 30 days of notification.


5. Data Subject Rights

5.1 The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests, including access, rectification, or erasure of personal data.
5.2 The Processor shall promptly inform the Controller if it receives a request from a data subject.
5.3 The Processor shall provide tools and resources to facilitate the efficient handling of data subject requests.


6. Personal Data Breaches

6.1 The Processor shall notify the Controller without undue delay upon becoming aware of a personal data breach.
6.2 The notification shall at least include:

  • The nature of the breach, including the categories and approximate number of data subjects and records affected.

  • Contact details of the data protection officer or other relevant contact point.

  • The likely consequences of the breach.

  • Measures taken or proposed to address the breach and mitigate its effects.

6.3 The Processor shall assist the Controller in notifying the supervisory authorities and data subjects, where required.


7. Return or Deletion of Data

7.1 Upon termination or expiration of the principal agreement, the Processor shall, at the choice of the Controller, return or delete all personal data unless storage is required by law.
7.2 The Processor shall confirm the deletion in writing upon the Controller's request.
7.3 The Controller has the right to conduct an audit to verify the proper deletion of data.


8. Governing Law and Jurisdiction

8.1 This Agreement shall be governed by the laws of the Netherlands.
8.2 Any disputes arising in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of Amsterdam, Netherlands.


9. Acceptance of the Agreement

By using the services of FitJourney.ai BV, the Controller agrees to the terms of this Data Processing Agreement, including the responsibilities, obligations, and processing practices described herein.