Data Processing Agreement
(Article 28 GDPR — Template v1.0)
Effective date: 9.6.2026
Parties
This Data Processing Agreement (“DPA”) is entered into between:
1. The Controller:
Company name / full name: ___________________________________________
Registered address: ___________________________________________
Company registration number (if applicable): ___________________________________________
Contact email: ___________________________________________
2. The Processor:
Smartis, pametni informacijski sistemi, d.o.o., Ameriška ulica 8, 1000 Ljubljana, Slovenia (company registration number: 3637735000, VAT ID: SI53915453) (“Smartis” or “the Processor”).
The Controller and the Processor are individually referred to as a “Party” and collectively as the “Parties”.
By accepting the Terms of Use of the HACCPAL application (available at app.haccpal.com/legal/terms) or by signing this DPA, the Controller agrees to be bound by the terms of this DPA. Where the Controller is a legal entity, the individual accepting these terms represents and warrants that they have authority to bind that entity.
1. Background and Purpose
The Processor operates the HACCPAL mobile application (“App”) and the related services (“Service”), which enable food-service operators to maintain digital HACCP records, checklists and food-safety documentation.
In connection with the Controller’s use of the Service, the Processor will process personal data on behalf of the Controller. This DPA governs that processing relationship and is concluded pursuant to Article 28 GDPR.
This DPA supplements and forms part of the Terms of Use. In the event of any conflict between this DPA and the Terms of Use in relation to the processing of personal data, this DPA shall prevail.
2. Definitions
Capitalised terms not defined in this DPA have the meanings given to them in the Terms of Use or the GDPR. In addition:
- “Controller” means the Business Customer as defined in the Terms of Use — the legal entity that subscribes to the Service and whose employees or agents use the App.
- “Processor” means Smartis, pametni informacijski sistemi, d.o.o., in its capacity as provider of the Service.
- “Data Subject” means a natural person whose personal data is processed under this DPA, in particular employees of the Controller who use or are referenced in the App.
- “Personal Data” has the meaning given in Article 4(1) GDPR.
- “Processing” has the meaning given in Article 4(2) GDPR.
- “Security Incident” means a personal data breach within the meaning of Article 4(12) GDPR.
- “SCCs” means the European Commission’s Standard Contractual Clauses for the transfer of personal data to third countries adopted by Commission Decision 2021/914/EU of 4 June 2021.
- “Sub-processor” means any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
3. Subject-Matter, Nature and Purpose of Processing
The Processor shall process Personal Data on behalf of the Controller solely for the following purposes:
- providing, operating and maintaining the App and the Service for the Controller, including hosting the Controller’s Organisation data, enabling HACCP record-keeping workflows, delivering push notifications, and providing technical support;
- enabling the Controller’s users (employees and administrators) to access the Service and the Controller’s Organisation within the App;
- performing technical maintenance, security monitoring, crash reporting and analytics necessary for the reliable operation of the Service.
The Processor shall not process Personal Data for any other purpose, including its own marketing, profiling or analytics, without the prior written consent of the Controller.
4. Categories of Personal Data and Data Subjects
The Processor processes the following categories of Personal Data under this DPA:
| Category | Details |
|---|---|
| Account and profile data | First name, last name, email address, profile picture (optional), authentication credentials (password hash, session tokens), role within Organisation. |
| Device and technical data | Device push token, device model, OS version, App version, IP address, crash-report data (Firebase Crashlytics), Firebase-generated identifiers. |
| Usage and analytics data | App events, screen views, session data, feature interactions (Firebase Analytics), where consent has been given or where processing is based on legitimate interest with opt-out. |
| HACCP Content data | HACCP records, checklists, photographs, uploaded documents, temperature logs, employee task assignments, and other operational HACCP data created by the Controller's users within the Organisation. |
| Health-related data (special category) | Employee illness declarations, symptom records, health-related notes relevant to food-safety compliance, entered by the Controller's users within the Organisation. Processed solely as processor on the Controller's documented instructions. |
The Data Subjects are: (a) employees, administrators and contractors of the Controller who are registered as Users of the App within the Controller’s Organisation; and (b) individuals whose personal data is incidentally included in HACCP records, documents or photographs created within the Organisation.
5. Duration of Processing
The Processor shall process Personal Data for the duration of the Controller’s active use of the Service (i.e. for as long as the Controller maintains an Organisation within the App), and for the further retention periods set out in the Processor’s Privacy Policy (app.haccpal.com/legal/privacy) following deletion of the Organisation or termination of the Terms of Use.
Upon expiry of all applicable retention periods, the Processor shall delete or irreversibly anonymise Personal Data, unless a longer retention period is required by applicable law.
6. Obligations of the Processor
6.1 Processing on documented instructions
The Processor shall process Personal Data only on the documented instructions of the Controller, as set out in this DPA and the Terms of Use, unless required to do so by applicable Union or Member State law. Where such legal requirement exists, the Processor shall notify the Controller before processing, unless that law prohibits such notification on grounds of public interest.
6.2 Confidentiality
The Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3 Security
The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. These measures currently include:
- encryption of Personal Data in transit using TLS;
- encryption of Personal Data at rest where technically feasible;
- role-based access controls and the principle of least privilege;
- authentication of Users through an identity provider, including password hashing and session management;
- environment segregation (development, staging, production) and logging of security-relevant events;
- regular data backups and restoration procedures;
- an internal incident-response process and breach-notification procedure (see Section 6.5).
The Processor shall review and update these measures periodically and shall make available to the Controller, on written request, a summary of its current technical and organisational measures.
6.4 Sub-processors
The Controller grants the Processor general written authorisation to engage Sub-processors. The Processor’s current Sub-processors are listed in Schedule A to this DPA. The Processor shall:
- impose on each Sub-processor data-protection obligations equivalent to those set out in this DPA, by means of a written contract;
- remain fully liable to the Controller for the performance of Sub-processors’ obligations;
- notify the Controller of any intended changes to Sub-processors (additions or replacements) with at least 30 days’ prior notice. The Controller may object to a new Sub-processor within 14 days of notification by providing written reasons. If the Parties cannot agree, the Controller may terminate the Terms of Use without penalty upon written notice.
6.5 Security Incidents
The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Security Incident that affects Personal Data processed on behalf of the Controller. Notification shall be made to the email address provided by the Controller in the registration details and shall include, to the extent then known:
- a description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records concerned;
- the name and contact details of the Processor’s data-protection contact point;
- a description of the likely consequences of the Security Incident;
- a description of the measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects.
The Processor shall cooperate with the Controller in notifying Data Subjects and supervisory authorities where required under Articles 33 and 34 GDPR.
6.6 Assistance with data-subject rights
The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures in responding to requests from Data Subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability and objection), to the extent that the Controller cannot fulfil such requests independently through the functionality of the App.
6.7 Assistance with compliance obligations
The Processor shall assist the Controller in ensuring compliance with the obligations set out in Articles 32 to 36 GDPR (security, breach notification, data-protection impact assessments and prior consultation), taking into account the nature of the processing and the information available to the Processor.
6.8 Deletion or return of data
At the choice of the Controller, the Processor shall delete or return all Personal Data to the Controller upon termination of the Terms of Use or upon written request, and shall delete existing copies, unless applicable Union or Member State law requires storage of the Personal Data for a longer period. The Controller may exercise this right via info@haccpal.com.
6.9 Audit and information
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, provided that:
- the Controller provides at least 30 days’ prior written notice;
- audits are conducted during business hours and no more than once per calendar year unless required by a supervisory authority or following a Security Incident;
- the audit does not unreasonably disrupt the Processor’s operations or require access to data of other customers of the Processor;
- the Controller and its mandated auditor comply with the Processor’s reasonable confidentiality requirements.
As an alternative to an on-site audit, the Processor may provide a current third-party certification or audit report (such as ISO 27001 or SOC 2 Type II) where available.
7. Obligations of the Controller
The Controller shall:
- ensure that it has a valid legal basis under Article 6 GDPR (and, for special categories, under Article 9(2) GDPR) for the processing of Personal Data it instructs the Processor to carry out, including in particular the processing of employee health data referenced in Section 4;
- ensure that Data Subjects have been informed about the processing of their Personal Data in connection with the App, in accordance with Articles 13 and 14 GDPR;
- ensure that any instructions given to the Processor comply with applicable data-protection law;
- provide the Processor with accurate and up-to-date contact information for receiving Security Incident notifications;
- not instruct the Processor to process Personal Data in a manner that would infringe applicable data-protection law.
8. Special Categories of Personal Data
Where the Controller’s use of the App involves the processing of special categories of Personal Data within the meaning of Article 9 GDPR — in particular health-related data of employees (including illness declarations, symptom records and health-related notes relevant to food-safety compliance) — the Controller:
- is the data controller for such processing and is solely responsible for identifying and documenting a valid legal basis under Article 9(2) GDPR;
- warrants that such processing is necessary and proportionate for the Controller’s HACCP, food-safety, hygiene or employment-law obligations;
- shall ensure that employees whose health data is processed are informed thereof in accordance with applicable law.
The Processor processes such data solely on the Controller’s documented instructions and does not use it for its own purposes.
9. International Transfers of Personal Data
The Processor’s general policy is to process Personal Data within the EEA. Where Sub-processors transfer Personal Data outside the EEA, the Processor ensures that an appropriate transfer mechanism is in place as set out in Schedule A, in particular:
- an adequacy decision of the European Commission; or
- the European Commission’s Standard Contractual Clauses (Commission Decision 2021/914/EU), supplemented where necessary by additional safeguards following a transfer impact assessment.
Where the Controller is established outside the EEA and transfers Personal Data to the Processor, the Parties agree to the SCCs (Module 2: controller to processor) as supplemented by this DPA, which are hereby incorporated by reference.
The Processor shall promptly notify the Controller if it becomes aware that a transfer mechanism it relies upon is no longer valid or has been suspended, and shall cooperate with the Controller to identify an alternative.
10. Liability
Each Party’s liability under this DPA is subject to the limitations and exclusions set out in the Terms of Use. The Parties acknowledge that, as between them, the allocation of liability for data-protection infringements shall reflect their respective responsibilities: the Controller bears liability for the lawfulness of the instructions it gives to the Processor, and the Processor bears liability for its failure to comply with the obligations imposed on processors under the GDPR and this DPA.
Nothing in this DPA limits either Party’s liability to Data Subjects or supervisory authorities under the GDPR.
11. Governing Law and Jurisdiction
This DPA is governed by the laws of the Republic of Slovenia, without prejudice to the directly applicable provisions of EU law, including the GDPR. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the competent courts in Ljubljana, Slovenia, in accordance with the Terms of Use.
12. Amendments
This DPA may be amended only by written agreement signed by both Parties. The Processor may propose amendments to reflect changes in applicable data-protection law or guidance from supervisory authorities; the Controller shall not unreasonably withhold or delay its consent to such amendments.
13. Entire Agreement
This DPA, together with the Terms of Use and the Processor’s Privacy Policy, constitutes the entire agreement between the Parties in relation to the processing of Personal Data by the Processor on behalf of the Controller, and supersedes any prior agreements or understandings on the same subject.
Signatures
By signing below, the Parties agree to be bound by the terms of this DPA with effect from the date last signed.
| For and on behalf of the Controller: | For and on behalf of Smartis (Processor): |
|---|---|
| _____________________________ | _____________________________ |
| Authorised signatory | Authorised signatory |
| Name: ___________________________________________ | Name: Julij Božič |
| Title: ___________________________________________ | Title: CEO |
| Date: ___________________________________________ | Date: ___________________________________________ |
Schedule A — Approved Sub-processors
The following Sub-processors are approved as of the effective date of this DPA. The Processor will notify the Controller of any changes in accordance with Section 6.4.
| Sub-processor | Service provided | Processing location | Transfer mechanism |
|---|---|---|---|
| Google Ireland Ltd / Google LLC (Firebase) | Push notifications (FCM), crash reporting (Crashlytics), analytics (Firebase Analytics) | EEA / USA | EU-U.S. Data Privacy Framework; SCCs (Module 3) |
| Apple Inc. (APNs) | Push notification delivery to iOS devices | USA | EU-U.S. Data Privacy Framework; SCCs (Module 3) |
| Atlassian Pty Ltd (Jira Service Management) | Internal support ticketing | EEA / Australia | SCCs (Module 3) |
| Mailtrap | Transactional email delivery | EEA | EEA — no transfer |
| Smartis (internal hosting) | Back-end infrastructure, data storage | [TO CONFIRM — EEA server location] | N/A (EEA) |
Schedule B — Technical and Organisational Measures (Article 32 GDPR)
The following describes the technical and organisational measures implemented by the Processor as of the effective date of this DPA. These measures may be updated by the Processor from time to time; the Processor will notify the Controller of any material reduction in the level of protection.
| Measure | Description |
|---|---|
| Encryption in transit | All data transmitted between the App and the back-end is encrypted using TLS 1.2 or higher. |
| Encryption at rest | Personal Data stored in the back-end database is encrypted at rest using AES-256 or equivalent, where technically supported by the hosting infrastructure. |
| Access controls | Role-based access controls and the principle of least privilege are applied. Access is granted only to authorised personnel on a need-to-know basis. |
| Authentication | Users are authenticated through an identity provider. Passwords are stored as hashed values. Session tokens are managed with appropriate expiry policies. |
| Environment segregation | Development, staging and production environments are separated. Personal Data from production is not used in development or testing. |
| Logging and monitoring | Security-relevant events are logged and monitored. Logs are retained for a minimum of 90 days and protected against tampering. |
| Vulnerability management | The App and back-end are regularly updated to address known security vulnerabilities. Dependency scanning is incorporated into the development pipeline. |
| Backups | Production data is backed up on a regular schedule. Backup integrity is periodically tested. Backups are encrypted and subject to the same access controls as production data. |
| Incident response | The Processor maintains an internal incident-response plan covering identification, containment, assessment, notification and remediation of Security Incidents. |
| Staff training | Personnel with access to Personal Data receive training on data-protection obligations and information-security practices. |
| Sub-processor due diligence | Sub-processors are subject to due diligence before engagement and are contractually bound to implement equivalent security measures. |
| Physical security | The Processor relies on the physical security measures of its hosting provider(s) for server infrastructure. |
— End of Data Processing Agreement —