3. Data Processing Addendum (DPA)
Service Provider:
- Company: Envoo d.o.o., matična št. 6195407000, davčna št. SI45695539
- Registered office: Cesta dolomitskega odreda 10c, 1000 Ljubljana, Slovenija
- Contact: info@relayplan.com
3.1. Subject and Duration
The Processor processes personal data on behalf of the Controller for the duration of the contract for providing RelayPlan.
3.2. Nature and Purpose of Processing
Hosting, storage, organization, access, transmission, backups, and support.
3.3. Types of Data and Categories of Subjects
Data relating to employees, contractors, users, suppliers, etc., entered by the Controller.
3.4. Processor Obligations
- Process data only per documented instructions from the Controller.
- Maintain confidentiality and appropriate technical and organizational measures (TOMs).
- Assist the Controller with data subject rights, incident response, and DPIAs.
- Delete or return personal data at termination unless retention is required by law.
3.5. Sub‑processors
- The Processor may engage sub‑processors with prior notice. All must have equivalent contractual obligations.
- See Annex A – Sub‑processors for the current list.
3.6. Data Transfers Outside the EEA
Where applicable, transfers rely on appropriate safeguards (e.g., SCCs) and additional risk assessments.
3.7. Security Incidents
Processor shall promptly notify the Controller of any personal data breach and provide details required by GDPR Article 33.
3.8. Audits
The Controller may request relevant compliance information or perform one audit per year (or upon justified suspicion), without disclosure of trade secrets.
Annex A – Sub‑processors (example)
- Stripe Payments Europe, Ltd. – payments, EEA/US (SCC).
- Hetzner Online GmbH – hosting, EU/EEA.
- [Email provider] – transactional emails.
- [Analytics] – aggregated analytics.
Annex B – Technical and Organizational Measures (summary)
TLS encryption, tenant isolation, RBAC, 2FA, audit logs, backups, access controls, least privilege, patching, and vulnerability management.