Agreement on the entrustment of data processing

I. Parties
This agreement is entered into between:

The User or Test User using the Services offered on the website (as defined in the Terms of Service), acting as the data controller (hereinafter referred to as the “User”),
and
The Service Provider (as defined in the Terms of Service), namely Simplyweb Jakub Janaszczak, Rudniki 64, 64-330 Rudniki, NIP 7882039610, REGON 525747037, acting as the data processor (hereinafter referred to as the “Service Provider”).
For the purposes of this Agreement, the User and the Service Provider shall collectively be referred to as the “Parties.”

II. Definitions
Terms written with capital letters in this Agreement and in the Annex shall be understood in accordance with the following definitions:

Application – refers to the software offered by the Service Provider as a service (SaaS), through which the User can manage pages, accounts, and profiles, as well as their presence (or the presence of the User’s Client) on Internet Services. The Application also allows for the analysis of activity on those pages, accounts, and profiles. The number and type of available functions depend on the Package selected by the User.
Terms of Service – refers to the “Terms of service for the application” regarding the BrandSense service, available at: https://brandsense.app/en/terms-of-service-for-the-application/
GDPR – means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals regarding the processing of personal data and on the free movement of such data, which repeals Directive 95/46/EC (General Data Protection Regulation).
Website – refers to the social media platforms serviced under the Services based on the Basic Agreement (e.g., Facebook, Instagram, LinkedIn, WordPress), along with associated communication channels.
Basic Agreement – refers to all documents regulating the Cooperation between the Parties, such as the Terms of Service, orders specifying the selected Service Package, and any additional service agreements (if concluded). For the purposes of this Agreement, all these documents shall collectively be referred to as the “Basic Agreement.”
Service – refers to the services available to the User under the Basic Agreement, in particular the provision of Application functions. The scope and type of Services depend on the selected Package.
End User – refers to an individual using the Internet Services as an end user.
User’s Client – refers to the entity for whom the User acts, particularly in managing their presence on Social Media. The User utilizes the Services for this purpose. Users acting on their own behalf do not have a User’s Client.
Other terms written with capital letters used in this Agreement have the meaning specified in the Terms of Service unless explicitly stated otherwise in this Agreement.

III. Data Processing Delegation
This Data Processing Agreement (hereinafter referred to as the “Agreement”) outlines the principles of processing personal data within the framework of the Basic Agreement.
This Agreement constitutes an integral part of, and supplements, the Basic Agreement regarding the processing of personal data unless the Parties have entered into a separate agreement for the delegation of data processing.
The User entrusts the Service Provider with the processing of personal data (hereinafter referred to as “Personal Data”) under the conditions specified in this Agreement. The Service Provider commits to processing the entrusted Personal Data at the User’s request, in accordance with the provisions of this Agreement and applicable law.
The delegation of processing is based on Article 28 of the GDPR.

IV. Scope and Purpose of Data Processing
The Personal Data entrusted to the Service Provider by the User shall be processed solely for the purpose of fulfilling services, activities, and operations resulting from the cooperation between the Parties (hereinafter referred to as “Cooperation”), based on the Basic Agreement concluded between the Parties. This includes the User’s use of the Service and Application in accordance with the provisions of the Basic Agreement.
Details regarding the nature, subject, and purpose of the processing, as well as the types of personal data and categories of individuals whose data are processed, are specified in Annex 1 to the Agreement.
Data shall be processed by the Service Provider throughout the duration of the Basic Agreement and Cooperation, and the processing shall be repetitive during this time.
Processing shall be carried out according to the documented instructions of the User – this Agreement and the Basic Agreement constitute such processing instructions.

V. Obligations of the Service Provider
The Service Provider ensures that it has implemented appropriate technical and organizational measures that meet the requirements of the GDPR and guarantee the protection of the rights of individuals whose data are being processed.
In processing the entrusted Personal Data, the Service Provider commits to comply with the requirements of Article 32 of the GDPR. This includes implementing appropriate technical and organizational safeguards, taking into account the current state of technical knowledge, the costs of implementation, the scope, purpose, and nature of processing, and the risk, of varying likelihood and severity, to the rights and freedoms of individuals.
The Service Provider guarantees that individuals with access to the processed personal data are obliged to maintain the confidentiality of that data or are subject to an appropriate legal obligation of confidentiality.

VI. Cooperation Principles
Upon completion of the Services related to data processing within the framework of Cooperation, the Service Provider – at the User’s discretion – commits to delete or return all Personal Data to the User and delete any copies thereof, unless EU or national law requires their further storage.
Considering the specifics of processing, the Service Provider commits, as far as possible, to provide the User with technical and organizational support to enable the realization of the rights of individuals whose data are being processed, in accordance with the provisions of Chapter III of the GDPR.
Taking into account the nature of processing and available information, the Service Provider will assist the User in fulfilling obligations arising from Articles 32-36 of the GDPR.
In the event of a breach of Personal Data protection identified by the Service Provider, i.e., accidental or unlawful destruction, loss, or modification of entrusted data, or unauthorized disclosure of or access to such data, the Service Provider shall promptly inform the User and provide all information that may reasonably be required in connection with such a breach.
The User is obliged to cooperate with the Service Provider in the implementation of the Agreement by providing all necessary explanations in case of any doubts regarding the legality of issued instructions and by fulfilling its obligations in a timely manner.

VII. Audit
At the User’s request, the Service Provider commits to provide all necessary information that confirms compliance with the obligations arising from Article 28 of the GDPR. Additionally, the Service Provider shall allow the User or an auditor authorized by the User to conduct an audit (at the User’s expense), including inspections, and actively support the implementation of such actions. The User is obliged to notify the Service Provider about the planned audit at least 30 days in advance by sending a written notice, specifying the scope of the audit and the individuals authorized to conduct it.
If conducting the audit at the time proposed by the User proves impossible for justified reasons, the Service Provider commits to indicate the nearest possible date.
The audit must be conducted considering the working hours of the Service Provider and in a manner that does not disrupt its activities. The entire audit process should not last longer than one business day.
After the audit, the User is obliged to provide the Service Provider with a report containing the results and recommendations. The Service Provider shall only be obligated to implement those recommendations that are objectively justified and do not exceed legal requirements.
Conducting audits must not violate the trade secrets of the Service Provider or the business secrets of third parties.

VIII. Further Delegation of Data Processing
External entities with which the Service Provider cooperates or may cooperate in processing Personal Data on behalf of the User shall be referred to as “Other Processors.”
The User grants general written consent for the Service Provider to delegate the processing of Personal Data to Other Processors, as long as it is necessary (in the Service Provider’s assessment) for the provision of services within the framework of Cooperation. This particularly applies to entities providing services related to IT, telecommunications infrastructure, e.g., email service providers, hosting, data storage, and transmission.
In the case of planned delegation of data to Other Processors, the following rules apply:

  • The Service Provider informs the User of any intended change regarding the addition of a new entity or replacement of an existing one. The User has the right to object to such a change;
  • Information will be communicated via email or through the User Panel in the Application;
  • The User can express an objection to the new Processor (hereinafter referred to as the “Objection”), but is aware that this may affect the provision of Services, which may require their limitation or even termination of the Basic Agreement.

If the Basic Agreement is terminated due to the expressed Objection, the User will be obliged to pay for Services until the end of the subscription period in which the termination occurred. The User will not be entitled to claim any compensation from the Service Provider in connection with such termination of the agreement.
Each Other Processor with whom the Service Provider enters into an agreement is obliged to meet the same data protection requirements arising from this Agreement, including guaranteeing appropriate technical and organizational safeguards. Exceptions apply in cases where these obligations do not apply due to the specifics of further delegation.
If an Other Processor fails to fulfill its data protection obligations, the Service Provider shall be liable to the User for the breach.

IX. Data Transfer to Third Countries
The User consents to the transfer of Personal Data to countries outside the European Economic Area (hereinafter referred to as “Third Countries”), as long as it is related to the provision of Services. Such transfer must comply with GDPR requirements, in particular:

  • based on a decision of the European Commission recognizing an adequate level of protection in a given Third Country;
  • based on standard contractual clauses adopted by the European Commission.

X. Representations and Warranties
The User acknowledges and agrees that when using the Internet Services, they may be considered the data controller of the End Users of those services, especially in situations where the operator of the Internet Service also acts as a data controller. The determination of whether the User (or their Client) is a controller depends on how they use these services. This particularly pertains to the data of End Users whom the User contacts (on their own behalf or on behalf of their Client) or who contact them or their Client, as well as those using the pages and profiles managed by the User (or their Client).
For the purposes of this Agreement and the Basic Agreement, the Parties agree, and the User confirms that:

  • The User is the controller of the personal data entrusted to the Service Provider when acting on their own behalf while using the Services,
  • The User acts as a processor of personal data at the request of their Client (who is the data controller) and has the right to delegate further processing of that data to the Service Provider when acting on behalf of their Client while using the Services.

The User represents and warrants that they ensure that the processing of personal data complies with applicable laws, including when using the Services. The User also commits to providing the Service Provider only with personal data that:

  • are processed based on valid legal grounds (if the User acts as the data controller), or
  • may be lawfully further delegated to the Service Provider, Other Processors, and also transferred to Third Countries (if the User acts on behalf of their Client).

The User is responsible for fulfilling all legal requirements regarding informational obligations towards individuals whose data are processed, where such obligations apply.

In the event that any third party takes legal action against the Service Provider or the User due to a breach of data protection principles, the Parties agree to cooperate to take appropriate legal steps, including dismissing or rejecting claims, filing appeals, reaching settlements, or taking other appropriate legal actions.
This Agreement does not modify the provisions concerning liability (including limitations thereof) contained in the Basic Agreement.

XI. Conclusion of the Agreement
The Agreement is concluded by accepting the Terms of Service, which is an integral part of this Agreement. The User accepts the Agreement by checking the appropriate box in the form – in the case of a natural person or an authorized Employee of the User (as defined in the Terms of Service).
If the Agreement is concluded by an Employee on behalf of the User:

  • both the Employee and the User declare that the Employee has the appropriate authorization to conclude the Agreement on behalf of the User,
  • at the request of the Service Provider, the Employee and the User are obliged to present proof of authorization,
  • the Employee is fully responsible to the Service Provider for concluding the Agreement without appropriate authorization.

At the User’s express request, the Agreement may be concluded in writing or by exchanging signed scans of the Agreement electronically, or in another agreed manner.

XII. Final Provisions
This Agreement is valid for the entire duration of the Basic Agreement.
In matters not regulated by this Agreement, the provisions of the Basic Agreement and the Terms of Service shall apply.
Changes, termination, or dissolution of the Agreement require a written or documented form under pain of nullity.


Detailed scope, purpose, and nature of processing, types of personal data, and categories of individuals whose data are processed.

The delegation of personal data processing aims to enable the Service Provider to fulfill the services for the User in accordance with the Basic Agreement (within the meaning of this Agreement). This processing includes providing services that support marketing and communication on social media (Internet Services), particularly regarding:

  • Tools that assist in managing the User’s (or the User’s Client’s) presence on social media, such as managing profiles, fan pages, etc.
  • Tools that facilitate communication with End Users on social media (e.g., publishing content, responding to comments, etc.)
  • Tools for analyzing, monitoring, and providing statistics related to the User’s (or their Client’s) pages and profiles on social media
  • Tools that allow monitoring and analyzing pages and profiles on social media that do not belong to the User (or the User’s Client), at the User’s request.

The entrusted processing may involve personal data of:

  • End Users who interact with the User (or the User’s Client through the User) on the Internet Services serviced under the Services
  • End Users and other individuals whose data are present on the pages and profiles on social media monitored by the Service Provider at the User’s request, regardless of whether they are pages and profiles owned by the User (or the User’s Client).

The processing may include the following categories of personal data, depending on what data is available on the social media covered by the services:

  • First name, last name, nickname, or other identifying data of the End User in the Internet Service
  • Photos, graphics, and other images used for identification, including those potentially containing the likeness of the End User
  • Unstructured data, such as user-generated content that may contain personal data (e.g., posts, comments, social media posts, text documents, images, recordings, videos)
  • The content of correspondence or other communication between the End User and the User (or the User’s Client) conducted through the Internet Services.

The scope of processed data will depend on the type of services provided by the Service Provider within the framework of Cooperation.

The delegation of personal data processing may include operations such as: collecting, recording, organizing, structuring, storing, adapting, retrieving, reviewing, using, transmitting, disclosing through transmission, disseminating, or other forms of sharing, compiling, restricting, deleting, or destroying data.