Data Processing Agreement (DPA)
Last Updated: October 31, 2025
between the Customer (“Controller”) and Solvedio, J.S.A. (“Processor”)
myhive Vajnorská 100B, 831 04 Bratislava, Slovak Republic
Email: legal@solvedio.com
1. Subject of Agreement
This agreement governs the processing of personal data by Solvedio, J.S.A. (“Processor”) on behalf of the Customer (“Controller”) in connection with the use of the SaaS platform Solvedio (“Service”), including the Daily Controls application.
The Processor processes data exclusively for the purpose of providing, maintaining and improving the Service, in compliance with GDPR (EU Regulation 2016/679).
This agreement forms an integral part of the Terms of Service and Privacy Policy.
2. Duration
The agreement is valid for the duration of the contractual relationship between the Customer and the Processor and, following its termination, until all personal data has been deleted in accordance with Article 11 of this agreement.
3. Purpose of Processing
The Processor processes personal data for the purposes of:
- user account management,
- recording and evaluating checks and controls,
- analytical and reporting functions,
- technical support and incident management,
- data backup and security.
4. Data Categories and Data Subjects
- Data: name, email, job title, organization, check/control data, notes, profile picture, logs.
- Data subjects: employees, collaborators and users of the Customer.
5. Controller Obligations
The Controller is responsible for the lawfulness of personal data processing and informing data subjects in accordance with Articles 13 and 14 of GDPR.
6. Processor Obligations
The Processor undertakes to:
- process data only on the basis of the Controller’s instructions;
- ensure that authorized persons maintain confidentiality;
- implement appropriate technical and organizational measures (including encryption, access logs, backups);
- assist the Controller in exercising data subjects’ rights;
- promptly notify the Controller of any data protection breach;
- after contract termination, delete or return data to the Controller;
- notify the Controller if instructions would conflict with GDPR or other regulations;
- provide cooperation in DPIA, prior consultations and other supervisory actions to a reasonable extent.
Audit and Inspection
The Processor shall allow the Controller to conduct an audit or inspection of reasonable scope by prior agreement; it shall be conducted no more than once every 12 months, with 30 days’ notice, outside emergency situations, preferably remotely; costs are borne by the Controller. This does not limit the Controller’s right to audit following a security incident.
Government/Official Requests
If the Processor receives a binding request from a public authority to disclose personal data, it shall promptly inform the Controller (unless prohibited by law) and disclose only the minimum necessary scope of data.
7. Sub-processors
The Processor may engage additional sub-processors, in particular:
| Sub-processor | Purpose | Location | Legal Basis |
|---|---|---|---|
| Microsoft Azure | Hosting and computing | Germany (EU) | GDPR |
| AWS | Hosting and computing | Germany (EU) | GDPR |
| SendGrid | Sending notifications | EU/USA | GDPR (DPF/SCC) |
| OpenAI / Anthropic | AI analysis | EU/USA | GDPR (DPF/SCC) |
| Aspecta s.r.o. | Technical support | Slovakia | Internal DPA |
The Processor shall inform the Controller at least 30 days in advance of any intention to add or replace a sub-processor. The Controller may reasonably object for data protection reasons; in such case, the parties shall seek a resolution. If no resolution is found, the Controller may terminate the affected portion of the Service under the contract.
8. International Data Transfers
If personal data is transferred outside the EU/EEA, the Processor shall ensure that the transfer takes place only (i) to countries with an adequate level of protection by European Commission decision, or (ii) on the basis of Standard Contractual Clauses (SCC), or under the EU-US Data Privacy Framework, and shall adopt supplementary measures where necessary.
9. Security Measures
The Processor implements appropriate technical and organizational measures, in particular:
- encryption (TLS 1.3, AES-256),
- access management,
- regular backups,
- security logging and auditing.
10. Incidents
In the event of a personal data breach, the Processor shall promptly (no later than 48 hours) inform the Controller and provide all necessary information.
The notification shall include at minimum a description of the incident, categories and approximate number of affected individuals/records, probable consequences, and measures taken or proposed for remediation.
11. Data Deletion
After termination of the Service, the Processor shall delete all personal data within 30 days, unless the Controller requests export. Backups shall be deleted within 90 days. After these periods, data shall be irrevocably removed, including all copies from security backups and logs.
If the Processor is required to retain certain data due to a legal obligation, it shall keep it separately and secured, only for the necessary period and exclusively for fulfilling that obligation.
12. Legal Framework
This agreement is governed by the law of the Slovak Republic and EU Regulation 2016/679 (GDPR).
13. Effectiveness
The agreement becomes effective automatically upon activation or use of the Customer’s account.
By activating the account, the Customer confirms that they have reviewed this DPA and accept its terms as binding.
A signed version may be requested at legal@solvedio.com.