Data Processing Agreement
Effective from: 01.03.2026. Last updated: 01.03.2026.
1. Parties
Data Controller: the client using the Legal Kanban system, according to the data indicated in the agreement or order.
Processor: Decent Code Sp. z o.o., ul. Młynarska 29, 58-300 Wałbrzych, Poland (registered office address only, no on-site client service), NIP 886 301 65 19, REGON 388 952 820, KRS 0000904994, share capital PLN 10,000, e-mail: firma@decentcode.pl.
This Data Processing Agreement forms part of the agreement for using Legal Kanban and applies when the Client enters personal data into the system for which it is the controller or which it processes as a processor authorised to use a sub-processor.
2. Subject matter of processing entrustment
The Controller entrusts the Processor with processing personal data to the extent necessary to provide the Legal Kanban service, including application maintenance, hosting, User accounts, the Client Portal, backups, security, technical support, error diagnostics and fulfilment of documented Controller instructions.
Processing takes place for the period of using the service and, after it ends, for the period necessary to export, return or delete data and to fulfil security and accountability obligations.
3. Scope and purposes of processing
The nature of processing includes storage, recording, organisation, structuring, modification, viewing for support purposes, disclosure to authorised Users, securing, creating backups, restoring, restriction, deletion and export of data.
The purpose of processing is to enable the Controller to use the SaaS system for managing law firm work, legal matters, documents, clients, deadlines, tasks, offers, billing and communication.
The entrustment may cover data of law firm clients, contractors, employees, co-workers, attorneys, opposing parties, witnesses, contact persons, Users, persons invited to the Client Portal and other persons whose data the Controller enters into the system.
The data scope may include identification, contact and organisational data, matter and document data, financial and billing data, metadata, activity history, correspondence and, if the Controller decides to enter them, special category data or data concerning criminal convictions and offences, to the extent resulting from the nature of matters handled by the Controller.
4. Security measures
The Processor applies technical and organisational measures appropriate to the risk, in particular access control, authorisations, personnel confidentiality, transmission encryption, permission segmentation, backups, security monitoring, logging of selected events, incident handling procedures and server environment safeguards.
The Controller is responsible for configuring User roles and permissions, selecting data entered into the system, legality of processing instructions and assessing whether using the system complies with professional secrecy and the Controller's obligations towards data subjects.
5. Controller instructions
The Processor processes data only on documented instructions from the Controller. Documented instructions include the agreement, Terms of Service, system configuration, actions of the Controller and Users in the application, support requests and other written or electronic Controller instructions.
If the Processor considers that an instruction infringes the GDPR or other data protection regulations, it informs the Controller unless prohibited by law.
6. Confidentiality and professional secrecy
The Processor ensures that persons authorised to process data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
The Processor acknowledges that Client Data may include information covered by advocate secrecy, attorney-at-law secrecy, professional secrecy or contractual confidentiality. Access to such data is limited to the extent necessary to provide the service, support, security or execute a lawful Controller instruction.
7. Sub-processing
The Controller grants the Processor general authorisation to use further processors where necessary to provide the service, in particular providers of cloud infrastructure and hosting in the EEA, e-mail, security tools, backups, technical monitoring and support.
The Processor imposes data protection obligations on sub-processors no less restrictive than those under this agreement and remains responsible for their actions in accordance with the GDPR. Information about the current categories or list of sub-processors is made available to the Controller on request.
The Processor informs the Controller about intended material changes concerning sub-processors, giving the Controller an opportunity to object if the change may realistically affect protection of entrusted data.
8. Assistance to the Controller
Taking into account the nature of processing and information available, the Processor assists the Controller in fulfilling obligations concerning data subject rights, security of processing, breach notifications, data protection impact assessments and consultations with the supervisory authority.
If a data subject contacts the Processor directly regarding data entrusted by the Controller, the Processor may forward the request to the Controller unless law requires another action.
9. Personal data breaches
The Processor informs the Controller without undue delay after becoming aware of a breach of entrusted personal data. The information includes, where available, a description of the nature of the breach, possible consequences, measures taken or proposed and contact details for the breach matter.
The Controller is responsible for assessing the obligation to notify the supervisory authority or communicate the breach to data subjects, unless law imposes specific obligations directly on the Processor.
10. Audit and accountability
The Processor makes available to the Controller information necessary to demonstrate compliance with Article 28 GDPR, taking into account trade secrets, system security and rights of other clients.
An audit may be carried out by document review, answers to a security questionnaire, a technical meeting or another agreed form. A direct audit requires prior agreement on date, scope and security rules and must not disrupt the service or violate confidentiality of other clients' data.
11. Return and deletion of data
After the provision of services ends, the Processor, at the Controller's choice, enables data export, deletes data or returns data in an agreed form, unless European Union law or Polish law requires further storage of data.
Backups may be deleted according to the backup retention cycle. Until deletion from backups, data remains secured and is not processed for any purpose other than security, restoration or compliance with a legal obligation.
12. Data transfers
The Processor processes entrusted application data in the European Economic Area unless the Controller and Processor agree otherwise or the transfer results from services selected or configured by the Controller.
If data is transferred outside the EEA, the Processor applies mechanisms required by the GDPR, in particular standard contractual clauses or other appropriate safeguards.
13. Controller obligations
The Controller undertakes to use the service in accordance with law, fulfil information obligations towards data subjects, ensure legal bases for processing, grant permissions according to the data minimisation principle and not enter into the system more data than necessary for the Controller's purposes.
14. Final provisions
For matters not regulated by this agreement, the GDPR, Polish law, the Terms of Service and the main agreement concerning Legal Kanban apply. In case of conflict, the provisions of this Data Processing Agreement prevail in the area of personal data protection.