DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) forms part of the agreement (“Principal Agreement”) between Ambriel Technologies SRL (“Ambriel”), a company incorporated under the laws of Romania, with its registered office in Bucharest, acting as Processor, and the Customer (“Controller”), as defined in the Principal Agreement.

1. Objective and Application 

1.1 This DPA governs the Processing of Personal Data by Ambriel on behalf of the Customer in connection with the provision of Ambriel’s fraud prevention, risk scoring, monitoring, and related services.

1.2 The DPA ensures that such Processing is carried out in compliance with Applicable Data Protection Laws, including Regulation (EU) 2016/679 (“GDPR”).

1.3 This DPA applies only to the extent Ambriel Processes Personal Data as Processor on behalf of the Customer.

2. Definitions

For purposes of this DPA:

  • “Applicable Data Protection Laws” means the GDPR and any applicable data protection or privacy laws in Romania and the European Union.
  • “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, and “Supervisory Authority” have the meanings set out in the GDPR.
  • “Customer Data” means Personal Data provided or made available to Ambriel by the Customer or its End Users in connection with the Services.
  • “Services” means Ambriel’s fraud detection, screening, monitoring, and related solutions.
  • “Sub-processor” means any third party engaged by Ambriel to Process Personal Data on behalf of the Customer.
  • “SCCs” means the Standard Contractual Clauses adopted by the European Commission implementing Article 46(2)(c) of the GDPR.

3. Undertaking and Instructions

3.1 Ambriel shall only Process Personal Data on documented instructions from the Customer.

3.2 Ambriel shall ensure persons authorized to Process Personal Data have committed themselves to confidentiality.

3.3 Ambriel shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

3.4 Ambriel shall assist the Customer in responding to requests from Data Subjects under Chapter III of the GDPR.

3.5 Ambriel shall assist the Customer with ensuring compliance with Articles 32 to 36 GDPR, taking into account the nature of Processing and information available.

3.6 Ambriel shall notify the Customer without undue delay after becoming aware of a Personal Data Breach.

4. Audit Rights

4.1 The Customer may, up to once per year and upon reasonable prior written notice, audit Ambriel’s compliance with this DPA, either by itself or through an independent third-party auditor.

4.2 Ambriel shall make available all information necessary to demonstrate compliance.

4.3 Audits shall be conducted without unreasonable disruption to Ambriel’s business operations.

5. Engaging Sub-processors

5.1 The Customer authorizes Ambriel to engage Sub-processors for the Processing of Personal Data.

5.2 Ambriel shall ensure Sub-processors are bound by obligations no less protective than those in this DPA.

5.3 Current Sub-processors include:

  • Hetzner Online GmbH (Germany) – hosting infrastructure (EU-based data centers, ISO 27001).
  • Typesense Inc. (EU deployment) – managed search service.
  • Cloudflare, Inc. (global, with EU data residency commitments) – CDN, DDoS protection, WAF.

5.4 Ambriel shall notify the Customer of changes to Sub-processors and provide an opportunity to object.

6. Public Databases and Publicly Available Data

6.1 Ambriel does not rely on scraping of public social media or public databases unless explicitly agreed in writing.

6.2 If applicable, Ambriel shall ensure lawful basis and compliance with Applicable Data Protection Laws for any such Processing.

7. Reporting Personal Data Breach

7.1 Ambriel shall notify the Customer without undue delay after becoming aware of a Personal Data Breach.

7.2 The notification shall include: (a) description of the nature of the breach, (b) categories and approximate number of Data Subjects affected, (c) likely consequences, and (d) measures taken or proposed.

8. Responsibilities of Controller

8.1 The Customer is responsible for ensuring that it has a lawful basis for Processing Customer Data and providing necessary transparency notices to Data Subjects.

8.2 The Customer shall not instruct Ambriel to Process Personal Data in a manner that violates Applicable Data Protection Laws.

9. Limitation of Liability

9.1 The liability provisions set forth in the Principal Agreement apply to this DPA.

9.2 Nothing in this DPA limits either party’s liability under Applicable Data Protection Laws where such limitation is not permitted.

10. Term and Termination

10.1 This DPA shall remain in force for the duration of the Principal Agreement.

10.2 Upon termination, Ambriel shall, at the choice of the Customer, delete or return all Customer Data, unless retention is required by law.

11. Miscellaneous

11.1 Governing Law: This DPA is governed by the laws of Romania.

11.2 Jurisdiction: The courts of Romania shall have exclusive jurisdiction.

11.3 Amendments: Any amendment to this DPA must be in writing and signed by both parties.

11.4 Severability: If any provision is held invalid, the remainder shall remain in effect.

11.5 Entire Agreement: This DPA supersedes any prior agreements relating to data processing.

* * *

APPENDIX 1 – Details of Processing

  1. Subject matter: Processing of Customer Data for fraud detection, risk scoring, monitoring, and related services.
  2. Purpose: To provide fraud prevention, compliance, monitoring, and security services.
  3. Categories of Data Subjects: End customers of the Controller, employees, contractors, and business partners.
  4. Categories of Personal Data: Identifiers (name, email, phone), transaction data, device/IP, geolocation, behavioral data, payment data (excluding cardholder data; Ambriel does not store PANs).
  5. Duration: For the term of the Principal Agreement, unless otherwise required by law.
  6. Technical and Organizational Measures:
  • Hetzner: ISO 27001 certified, EU-based servers, encrypted storage and backups.
  • Typesense: EU cluster, role-based access control, TLS encryption.
  • Cloudflare: DDoS protection, WAF, CDN with TLS 1.3.
  • Ambriel: Access control, MFA for staff, logging and monitoring, vulnerability management, least privilege principle, secure software development lifecycle.
* * *

APPENDIX 2 – List of Sub-processors

  • Hetzner Online GmbH (Germany, hosting)
  • Typesense (EU-based deployment, search services)
  • Cloudflare, Inc. (CDN, DDoS/WAF, global network with EU data residency guarantees)
* * *

APPENDIX 3 – Standard Contractual Clauses (SCCs)

Where Customer Data is transferred outside the European Economic Area or Switzerland to a country that does not provide an adequate level of protection, the SCCs (Commission Implementing Decision (EU) 2021/914) shall apply. The parties agree that Module 2 (Controller to Processor) and, where applicable, Module 3 (Processor to Processor) shall apply. The governing law and competent Supervisory Authority shall be that of Romania.