Data Processing Agreement (DPA)
Annex No. 2 to the Planislav Terms of Service | Version: 1.0 | Effective date: 12.06.2026
The Polish version of this document is the binding version.
This Data Processing Agreement (the DPA) is entered into between the User (the Controller) and IPT Supply Chain Innovations Sp. z o.o., with its registered office in Warsaw, ul. Hoża 86/410, 00-682 Warsaw, Poland, KRS 0001242724, NIP (Tax ID) 7011315076, REGON 544821431 (the Processor or the Service Provider).
The DPA forms an integral part of the Agreement for the provision of the Planislav Service concluded on the basis of the Planislav Terms of Service (the Terms). The DPA is concluded in electronic form upon conclusion of the Agreement (acceptance of the Terms), in accordance with Article 28(9) GDPR. Capitalised terms not defined in the DPA have the meaning given to them in the Terms.
DATA PROCESSING AGREEMENT (DPA)
§ 1. Definitions
- Entrusted Data — personal data of third parties contained in the Content entered into the Service by the Controller (in particular data contained in sales data, inventory data and supplier data), in respect of which the Controller acts as controller within the meaning of Article 4(7) GDPR.
- Documented instructions — the Agreement together with the Terms and the DPA, the configuration and instructions issued by the Controller through the features of the Service, and requests submitted to the Service Provider's contact address.
- Sub-processor of Entrusted Data — a third party to whom the Processor further entrusts the processing of Entrusted Data; the current list is set out in Schedule A to the DPA.
§ 2. Subject matter, nature and purpose of processing
- The Controller entrusts the Processor with the processing of Entrusted Data solely for the purpose of, and to the extent necessary for, providing the Service, i.e. import, storage, analysis, generation of forecasts and purchasing recommendations, presentation of results in the User panel, export, and creation of backups.
- The processing is of a continuous nature and is carried out by automated means within the IT systems of the Processor and its Sub-processors.
- The Processor does not use Entrusted Data for its own purposes, in particular for marketing purposes. Aggregated and anonymised statistical analyses that do not allow the identification of natural persons do not constitute personal data and are not covered by the DPA.
- Data minimisation: the provision of the Service does not require the transfer of personal data of the Controller's end customers (sales data aggregated at SKU level is sufficient for analysis). Where possible, the Controller should provide data stripped of personal data or pseudonymised.
§ 3. Duration of processing
- The DPA remains in force for the duration of the Agreement. Upon termination or expiry of the Agreement, the Processor processes Entrusted Data only to the extent and for the period described in § 8.
§ 4. Types of personal data and categories of data subjects
The entrustment covers the following types of data and categories of data subjects:
| Scope | Description |
|---|---|
| Types of data | Identification data (name, surname, business name), contact data (e-mail address, telephone number, address), transactional data (order history and value, dates, order and SKU identifiers) — to the extent such data actually appear in the Content entered by the Controller. |
| Categories of data subjects | The Controller's end customers, the Controller's business partners and suppliers (including persons representing them), and the Controller's employees and associates whose data appear in the Content. |
| Special categories of data | The Service is not intended for the processing of special categories of data (Article 9 GDPR) or data relating to criminal convictions (Article 10 GDPR). The Controller undertakes not to enter such data into the Service. |
§ 5. Obligations of the Processor
The Processor undertakes that it shall:
- process Entrusted Data only on Documented instructions from the Controller, unless required to do so by European Union or Polish law — in such a case, unless that law prohibits it, the Processor shall inform the Controller of that legal requirement before processing;
- immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other data protection provisions;
- ensure that persons authorised to process Entrusted Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and limit access to Entrusted Data to persons for whom such access is necessary;
- implement and maintain the technical and organisational measures required pursuant to Article 32 GDPR, appropriate to the risk, including in particular: encryption of connections (TLS/HTTPS), role-based access control, separation of environments, security event monitoring, regular software updates, and backups;
- taking into account the nature of the processing, assist the Controller insofar as this is possible — by appropriate technical and organisational measures, including the features of the Service — in fulfilling the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III GDPR; any request from a data subject addressed directly to the Processor shall be forwarded to the Controller without undue delay, no later than within 7 business days;
- taking into account the nature of processing and the information available to it, assist the Controller in ensuring compliance with the obligations pursuant to Articles 32–36 GDPR;
- after becoming aware of a personal data breach concerning Entrusted Data, notify the Controller without undue delay, and no later than within 48 hours, providing the information referred to in Article 33(3) GDPR to the extent available, and supplement it progressively as further information becomes available;
- make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for audits on the terms set out in § 9;
- upon termination of the provision of the Service, delete or return Entrusted Data on the terms set out in § 8.
§ 6. Obligations and representations of the Controller
- The Controller represents that it is the controller of the Entrusted Data and that it processes and entrusts such data lawfully, in particular that it has a legal basis for the processing and has fulfilled its information obligations towards the data subjects.
- The Controller shall enter into the Service only data whose processing in the Service is lawful, and shall apply the data minimisation principle described in § 2(4).
- The Controller is responsible for the accuracy, scope and currency of the Entrusted Data and for the content of the instructions issued to the Processor.
§ 7. Sub-processors
- The Controller grants a general authorisation (Article 28(2) GDPR) for the further entrustment of the processing of Entrusted Data to the Sub-processors listed in Schedule A.
- The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 14 days in advance — via the Account panel or by e-mail — thereby giving the Controller the opportunity to object.
- In the event of an objection, if the parties fail to reach an agreement, the Controller may terminate the Agreement before the date on which the new Sub-processor begins processing, on the terms provided for in the Terms.
- The Processor shall impose on each Sub-processor — by way of a contract or other legal act — the same data protection obligations as set out in the DPA, in particular the obligation to implement the measures referred to in Article 32 GDPR, and shall remain fully liable to the Controller for the performance of that Sub-processor's obligations.
§ 8. Deletion and return of data after termination of the Agreement
- Upon termination or expiry of the Agreement, the Controller may, within 30 days, independently export the Content (including Entrusted Data) using the export features available in the Service.
- After the expiry of the period referred to in paragraph 1, the Processor shall delete the Entrusted Data from production environments, unless European Union or Polish law requires their further storage.
- Entrusted Data contained in backups shall be deleted within the standard backup rotation cycle, no later than 90 days after deletion from production environments, and until that time shall not be processed for any purpose other than disaster recovery.
§ 9. Audits
- Upon the Controller's written request, the Processor shall make available the information and documentation necessary to demonstrate compliance with Article 28 GDPR. The audit right shall in the first instance be exercised by way of written responses and the provision of documentation.
- If the information referred to in paragraph 1 proves insufficient, the Controller (or an auditor authorised by it who is not a competitor of the Service Provider) may carry out an audit: no more than once every 12 months (unless the audit follows an established breach), upon at least 14 days' prior notice, on business days and during working hours, in a manner that does not unreasonably disrupt the Processor's operations.
- The audit shall not include access to data of the Processor's other customers, information constituting trade secrets of third parties, or the infrastructure of Sub-processors (in that respect, the Sub-processors' certificates and audit reports shall be made available, where available). The costs of the audit shall be borne by the Controller.
§ 10. Transfers outside the European Economic Area
- Entrusted Data shall be transferred to a third country only subject to the safeguards required under Chapter V GDPR, in particular on the basis of standard contractual clauses (SCCs) or an adequacy decision (including certification under the EU–US Data Privacy Framework).
- Up-to-date information on processing locations and transfer mechanisms is set out in Schedule A.
§ 11. Liability
- The parties' liability under the DPA is subject to the limitations provided for in § 11 of the Terms, to the extent permitted by mandatory provisions of law.
- Paragraph 1 does not limit the parties' liability towards data subjects arising under Article 82 GDPR.
§ 12. Final provisions
- In matters not regulated in the DPA, the provisions of the Terms and the provisions of Polish law and the GDPR shall apply.
- Amendments to the DPA shall be made in the manner provided for amendments to the Terms (§ 15 of the Terms).
- If any provision of the DPA proves invalid or ineffective, the remaining provisions shall remain in force.
- The DPA has been drawn up in Polish and English language versions; in the event of discrepancies, the Polish version shall prevail.
Schedule A — Sub-processors of Entrusted Data
| Sub-processor | Function | Location | Transfer mechanism |
|---|---|---|---|
| Render Services, Inc. | Hosting of the database and backend application (storage and processing of Entrusted Data) | EU (Frankfurt) — PostgreSQL instance; company established in the USA | SCCs + DPF |
| Vercel Inc. | Hosting of the frontend layer (transmission of data between the browser and the Service) | USA / global CDN | SCCs + DPF |
Note: Clerk Inc. (authentication) and Stripe Payments Europe, Limited (payments) process Users' data for which the Service Provider acts as controller (Account and payment data) and do not process Entrusted Data — the full list of entities processing data in connection with the Service is set out in Annex No. 1 to the Terms of Service and in the Privacy Policy.