(data processing agreement)

This Data Processing Agreement (the “DPA”) is concluded between Furjar and Customer (each a “Party” and collectively the “Parties”) as part of the terms and conditions and agreed on the signing date (the “Effective Date”).

Definitions:

  • furjar.com – Furjar’s SaaS application used to provide the Services

  • Customer Personal Data – any Personal Data Processed by Furjar on behalf of Customer in connection with the provision of Services;

  • Data Protection Laws – all data protection laws which apply to and govern the Processing of Customer Personal Data, to the extent applicable, including but not limited to the GDPR and California Consumer Privacy Act (CCPA);

  • GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

  • Personal Data, Process(ing), Controller, Processor, Data Subject, Personal Data Breach shall have the meaning ascribed to them in the GDPR;

  • Services – the services provided by Furjar to Customer under the Terms of Use;

  • Sub-Processor – any person (including any third party, but excluding an employee of Furjar) appointed by or on behalf of Furjar to Process Customer Personal Data on behalf of Customer in connection with the provision of the Services.

Any capitalised terms not otherwise defined in this DPA shall have the meaning given to them in the Terms of Use.

Applicability

This DPA applies to the Processing of Customer Personal Data exchanged between the Parties in the context of the provision of Services. An overview of the categories of Customer Personal Data, the categories of Data Subjects, and the nature and purposes for which the Customer Personal Data are being processed is provided in Annex 1.

Customer is Controller and Furjar is Processor in relation to the Processing of Customer Personal Data. Furjar will only process the Customer Personal Data on documented instructions of Customer. Furjar shall immediately notify Customer if, in its opinion, any instruction infringes this DPA, Data Protection Laws or other applicable laws. Such notification will not constitute a general obligation on the part of Furjar to monitor or interpret the laws applicable to Customer, and such notification will not constitute legal advice to Customer.

The Parties have entered into the Terms of Use in order to benefit from the capabilities of the Processor in processing the Customer Personal Data for the purposes set out in Annex 1. Furjar shall be allowed to exercise its own discretion in the selection and use of any means as it considers necessary to pursue those purposes, provided that all such discretion is compatible with the requirements of this DPA and in particular Customer’s documented instructions.

Customer warrants that it has all necessary rights to provide the Customer Personal Data to Furjar for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in Data Protection Laws support the lawfulness of the transfer and Processing at all times. To the extent required by Data Protection Laws, Customer is responsible for ensuring that all necessary privacy notices are provided to Data Subjects. Customer is responsible for ensuring that the Processing of Customer Personal Data it chooses to Process in furjar.com is permissible under Data Protection Laws and other applicable laws, and consistent with applicable requirements.

For the avoidance of doubt, Customer acts as a Data Controller including with respect to Personal Data provided by Data Subjects invited to furjar.com by Customer (e.g. freelancers) and all Personal Data provided by such Data Subjects will be deemed to constitute Customer Personal Data provided to Furjar by Customer to which all the terms of this DPA shall apply. Any actions relating to Customer Personal Data in furjar.com taken by Data Subjects such as freelancers (e.g. providing, updating, or deleting Customer Personal Data) will be deemed to have been approved by Customer.

Confidentiality

Furjar shall treat all Customer Personal Data as confidential and it shall inform all its employees, agents, and Sub-Processors engaged in Processing of the Customer Personal Data of the confidential nature of the Customer Personal Data. Furjar shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.

Furjar shall not retain, use, or disclose the Customer Personal Data for any purpose other than for the purposes outlined in this DPA and the Terms of Use, and shall in particular not retain, use, or disclose the Customer Personal Data for a commercial purpose other than providing to Customer the Services in a manner consistent with the requirements specified in this DPA and the Terms of Use. Furjar shall also not sell the Customer Personal Data and shall not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Furjar and Customer in a manner inconsistent with the terms of this DPA. Furjar shall also not combine the Customer Personal Data that it receives from, or on behalf of, Customer with Customer Personal Data that it receives from, or on behalf of, a third party, or collects from its own interaction with the respective Data Subject.

Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and Furjar shall implement appropriate technical and organisational measures to ensure a level of security of the Processing of Customer Personal Data appropriate to the risk. These measures shall include the security measures outlined in Annex 3.

Contracting with Sub-Processors

Customer authorises Furjar to appoint Sub-Processors in accordance with this Section 4. For the avoidance of doubt, any such appointment consistent with the requirements of this Section 4 shall constitute documented instructions within the meaning and for the purpose of this DPA.

Customer authorises Furjar to engage the Sub-Processors listed in Annex 2 for service-related Customer Personal Data Processing consistent with the activities described in Annex 1, including transfers to a third country, including a country outside of the European Economic Area without an adequate level of protection, as determined by the European Commission, insofar as applicable requirements of Data Protection Laws are met, such as the implementation of European Commission-approved Standard Contractual Clauses, where applicable.

Furjar shall inform Customer of any addition or replacement of such Sub-Processors giving Customer an opportunity to object to such changes. If Customer sends the Processor a written objection notice, setting forth a reasonable basis for objection, the Parties will make a good-faith effort to resolve Customer’s objection. In the absence of a resolution, Furjar will make commercially reasonable efforts to provide Customer with the same level of service described in the Terms of Use, without using that Sub-Processor to process Customer Personal Data. If Furjar’s efforts are not successful within a reasonable time, each Party may terminate the portion of the service which cannot be provided without the sub-processor, and Customer will be entitled to a pro-rated refund of the applicable Services fees.

Furjar shall ensure that the Sub-Processor is bound by a written contract including terms which offer at least the same level of protection as offered by Furjar under this DPA, and must in particular impose on its Sub-Processors the obligation to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of applicable Data Protection Laws.

Notwithstanding any authorisation by Customer within the scope of this Section 4, Furjar shall remain fully liable vis-à-vis Customer for the performance of any such Sub-Processor that fails to fulfil its data protection obligations.

Assistance to Customer

Furjar shall assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the Data Subject’s rights under the Data Protection Laws.

Taking into account the nature of processing and the information available to Furjar, Furjar shall assist Customer in ensuring compliance with obligations pursuant to Section 3 (Security), as well as other Customer obligations under Data Protection Law that are relevant to the Processing of Customer Personal Data, including notifications to a supervisory authority or to Data Subjects, the process of undertaking a Data Protection Impact Assessment, and with prior consultations with supervisory authorities, as might be needed.

Data Breach Notification

If Furjar becomes aware of a Personal Data Breach affecting Customer Personal Data, it shall promptly notify Customer about the incident, shall at all times cooperate with Customer, and shall follow Customer’s instructions with regard to such Personal Data Breach in order to enable Customer to perform a thorough investigation into the incident, and to take suitable further steps in respect of the Personal Data Breach, including communicating details of the Data Breach to supervisory authorities and/or Data Subjects, as might be needed. 

Returning or Destruction of Customer Personal Data

Upon termination of this DPA, upon Customer’s written request, or upon fulfilment of all purposes agreed in the context of the Services whereby no further Customer Personal Data Processing is required, Furjar shall, at the discretion of Customer, either delete or return all Customer Personal Data to Customer, and destroy or return any existing copies.

Auditing and Assistance with Information

Furjar shall make available to Customer all information necessary to demonstrate compliance with Furjar’s obligations and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. Unless otherwise required by a supervisory authority of competent jurisdiction, Customer shall be entitled on giving at least 30 days’ notice to Furjar to carry out, or have carried out by a third party who has entered into a confidentiality agreement with Furjar, audits of Furjar’s premises and operations as these relate to the Customer Personal Data.

Furjar shall provide Customer and/or Customer’s auditors with access to any information relating to the Processing of Customer Personal Data as may be reasonably required by Customer to ascertain Furjar’s compliance with this DPA.

Duration and Termination

Furjar shall process Customer Personal Data until the date of expiration or termination of the agreement under the Terms of Use, unless instructed otherwise by Customer, or until such data is returned or destroyed on instruction of Customer in accordance with Section 7.

Miscellaneous

This DPA shall come into effect on the Effective Date.

Except as modified within this DPA, the terms of the Terms of Use shall remain in full force and effect, and supplement the terms of this DPA. In the event of a conflict between any provisions of the Terms of Use and the provisions of this DPA, the provisions of this DPA shall govern and control.

Should any provision of this DPA be found to be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

Customer (including any Data Subjects invited to furjar.com by Customer, such as freelancers) may not use furjar.com to store or otherwise Process information governed by the Payment Card Industry Data Security Standard (PCI DSS), such as cardholder data, in the absence of an express prior written authorisation by Furjar.
 

Annex 1: Customer Personal Data Processing details 

Types of Customer Personal Data may include at the discretion of Customer:

  • basic contact information, such as first and last name, email address, phone number, home address and country of residence

  • role within the organisation of Customer;

  • photos;

  • professional information, such as employment history, education, professional skills, equipment used, work location preferences, social media accounts, professional/personal website, project portfolio, language proficiency

  • information relating to the provision of services by a freelancer to Customer, such as hourly rate, payout details (e.g. amount and currency) and history;

  • information typically seen on an invoice, such as bank account number (IBAN), home address, VAT registration number, tax identification number and other similar mandatory state registrations, where applicable;

  • logs about work performance and other data produced and recorded within furjar.com as a result of using the Services as intended over a period of time;

  • free-text information (e.g. notes and freelancer bio);

  • attachments, such as CVs/resumes, documents from onboarding flow (e.g. NDA), compliance reports – and all information contained therein;

  • any other data provided as (or within) an attachment or free-form text at the discretion of Customer or a Data Subject.

Categories of Data Subjects may include:

  • freelancers/contractors;

  • Customer account representatives.

Nature and purpose of the Customer Personal Data Processing:

  • provision of Services to Customer on furjar.com

Annex 2: Approved Sub-Processors

Purposes of Processing:

• Google Cloud Platform - GCP: To provide cloud infrastructure and platform services that support hosting and system monitoring.

• MailerLite: To manage contact information for marketing purposes and to send out newsletters and campaigns.

• KVK: To maintain and provide access to business registration details and company information.

• Sentry: To monitor infrastructure for ensuring system reliability and performance.

• Pipedrive: To manage customer relationships and sales processes through a web-based CRM system.

• Google Analytics: To analyze website traffic and user behavior for improving service offerings.

• Stripe: To process payments and manage transactions.

Categories of Data Subjects and Personal Data:

• Data Subjects: Clients, employees, suppliers, website users.

• Personal Data Categories: Contact details, financial information, user interaction data, employment details, IP addresses.

Categories of Recipients:

• Internal Recipients: Marketing team, IT support team, Customer service, Finance department.

• External Recipients: External auditors, Regulatory authorities, Third-party service providers.

Transfers to Third Countries:

• Data Transfer Countries: EU

Retention Schedules:

• Customer Data: Retained for the duration of the customer relationship plus 1 year according to legal requirements.

• Employee Data: Retained for the duration of employment plus 1 year for compliance with labor laws.

• Financial Data: Retained for 7 years to comply with tax legislation.

Technical and Organizational Security Measures:

• Data Encryption: Use of end-to-end encryption for data in transit and at rest.

• Access Controls: Implementation of role-based access control (RBAC) to ensure only authorized personnel have access to personal data.

• Data Backup: Regular data backups to prevent loss in case of an incident.

• Incident Response Plan: A defined process for responding to data breaches or security incidents.

Data Processing Activities:

• Activity Log: Maintaining a log of all processing activities, including data collection, data entry, data access, data analysis, data sharing, and data deletion.

• Data Impact Assessments: Regular assessments to evaluate the risks associated with processing activities, especially when introducing new processing activities or technologies.

Compliance Documentation:

• Consent Records: Where processing is based on consent, maintaining records of when and how consent was obtained.

• Data Processing Agreements: Contracts with third-party service providers that process personal data on behalf of your company.

• Policies and Procedures: Documentation of data protection policies, procedures, and training materials.
 

Annex 3: Security Measures 

Furjar shall:

  1. ensure that the Customer Personal Data can be accessed only by authorised personnel for the purposes set forth in Annex 1 of this DPA;

  2. take all reasonable measures to prevent unauthorised access to the Customer Personal Data through the use of appropriate physical and logical (passwords) entry controls, securing areas for data processing, and implementing procedures for monitoring the use of data processing facilities;

  3. build in system and audit trails;

  4. use secure passwords, network intrusion detection technology, encryption and authentication technology, secure logon procedures and virus protection;

  5. account for all the risks that are presented by processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorised or unlawful storage, processing, access or disclosure of Customer Personal Data;

  6. ensure pseudonymisation and/or encryption of Customer Personal Data, where appropriate;

  7. maintain the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

  8. maintain the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident;

  9. implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing of Customer Personal Data;

  10. monitor compliance on an ongoing basis;

  11. implement measures to identify vulnerabilities with regard to the processing of Customer Personal Data in systems used to provide Services to Customer;

  12. provide employee and contractor training to ensure ongoing capabilities to carry out the security measures established in policy.