Data Processing Agreement

For the purposes of this DPA:

1.1 "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

1.2 "Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Sub-Processor", "Personal Data Breach", and "Supervisory Authority" have the meanings given in Article 4 of the GDPR.

1.3 "Services" means any service provided by DMU to the Controller, including but not limited to website development, e-commerce, hosting, business email, maintenance, search engine optimisation, social media management, digital campaigns, advertising, branding, graphic design, video production, and any related technical, creative, or administrative activity.

1.4 "Client Personal Data" means Personal Data that DMU Processes on behalf of the Controller in the course of providing the Services.

1.5 "Annex" means any annex appended to this DPA, each of which forms an integral part of this DPA.

1.6 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Commission Implementing Decision (EU) 2021/914.

1.7 "EEA" means the European Economic Area.

2.1 Subject matter. This DPA governs the Processing of Client Personal Data by DMU in the course of providing the Services to the Controller.

2.2 Roles. The Controller is the controller of Client Personal Data. DMU acts as Processor on behalf of the Controller. Where DMU acts as an independent controller of Personal Data (for example, in respect of its own employees, leads, contractors, accounting records, or website visitors of dmu.gr), the DMU Privacy Policy applies and this DPA does not.

2.3 Details of Processing. The subject matter, nature, purpose, duration, categories of Data Subjects, and categories of Personal Data are described in Annex 1.

2.4 Compliance. Each party shall comply with its respective obligations under applicable data protection law, including the GDPR and Greek Law 4624/2019.

3.1 This DPA enters into force on the date of the Controller's acceptance of the relevant proposal, subscription, or service agreement.

3.2 This DPA remains in force for the entire duration of the Services and continues to apply for as long as DMU Processes, retains, or holds Client Personal Data, including any retention period required by law, this DPA, or agreed in writing between the parties.

3.3 Termination of the underlying service agreement does not terminate this DPA in respect of any Client Personal Data that DMU continues to hold after such termination. The obligations of confidentiality, security, breach notification, audit, and deletion survive until all Client Personal Data has been returned to the Controller or deleted in accordance with Section 13.

DMU shall, in respect of Client Personal Data:

4.1 Documented instructions. Process Client Personal Data only on the documented instructions of the Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do otherwise by EU or Greek law applicable to DMU. The Controller's instructions are set out in this DPA, the signed proposal or service agreement, and any further written instructions issued by the Controller. If DMU is required by law to Process Client Personal Data beyond the Controller's instructions, DMU shall inform the Controller of that legal requirement before Processing, unless prohibited by law.

4.2 Lawfulness check. Promptly inform the Controller if, in DMU's opinion, an instruction infringes the GDPR or other applicable data protection law. DMU is not obliged to verify the lawfulness of the Controller's instructions beyond what is reasonably apparent.

4.3 Confidentiality. Ensure that persons authorised to Process Client Personal Data are bound by confidentiality obligations of a contractual or statutory nature.

4.4 Security. Implement the technical and organisational measures set out in Annex 2 and as further required by Article 32 GDPR.

4.5 Sub-Processors. Engage Sub-Processors only in accordance with Section 7.

4.6 Assistance. Taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligations under Articles 12 to 22 (data subject rights) and Articles 32 to 36 (security, breach, DPIA, prior consultation) of the GDPR.

4.7 Return or deletion. At the choice of the Controller, return or delete all Client Personal Data in accordance with Section 13.

4.8 Audit support. Make available to the Controller the information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, in accordance with Section 12.

5.1 DMU shall treat all Client Personal Data as strictly confidential. DMU shall ensure that any person it authorises to Process Client Personal Data, whether employee, contractor, or Sub-Processor, has committed in writing to confidentiality or is under an appropriate statutory obligation of confidentiality.

5.2 DMU shall limit access to Client Personal Data to those personnel who require such access for the purpose of providing the Services.

6.1 DMU shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those described in Annex 2, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

6.2 Measures shall include, where appropriate:

• pseudonymisation and encryption of Personal Data;
• the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services;
• the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident;
• a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures.

6.3 DMU may update the measures in Annex 2 from time to time provided that the level of protection is not reduced.

7.1 General authorisation. The Controller grants DMU general written authorisation to engage Sub-Processors for the performance of the Services, subject to the conditions set out in this Section 7.

7.2 Approved Sub-Processors. The Sub-Processors approved as of the effective date of this DPA are listed in Annex 3.

7.3 Changes. DMU shall notify the Controller of any intended addition or replacement of Sub-Processors at least thirty (30) days in advance, giving the Controller the opportunity to object to such changes on reasonable data protection grounds. If the Controller objects on such grounds and the parties cannot agree on a resolution within a reasonable period, the Controller may terminate the affected Services without penalty.

7.4 Flow-down. DMU shall impose on each Sub-Processor data protection obligations that are no less protective than those set out in this DPA, by way of a contract or other legal act under EU or Greek law, including in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of the GDPR.

7.5 Responsibility for Sub-Processors. Where a Sub-Processor fails to fulfil its data protection obligations, DMU remains responsible to the Controller for the performance of that Sub-Processor's obligations under this DPA, subject to the liability provisions of Section 14.

8.1 Default rule. DMU shall not transfer Client Personal Data outside the EEA except as permitted by Chapter V of the GDPR.

8.2 Permitted transfer mechanisms. Where transfers occur, DMU shall rely on one or more of the following safeguards:

• an adequacy decision of the European Commission under Article 45 GDPR;
• the EU-US Data Privacy Framework, where the recipient is a self-certified participant;
• the Standard Contractual Clauses adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, executed between DMU and the relevant Sub-Processor or directly between the Controller and the Sub-Processor;
• any other transfer mechanism recognised under the GDPR.

8.3 Transfer impact assessment. DMU shall, where required, conduct a transfer impact assessment in respect of each transfer and implement supplementary measures where the level of protection in the recipient country is not deemed essentially equivalent to that of the EEA.

8.4 Sub-Processors based outside the EEA. A list of Sub-Processors located outside the EEA and the applicable transfer safeguards is set out in Annex 3.

9.1 DMU shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests for exercising Data Subject rights under Chapter III of the GDPR (information, access, rectification, erasure, restriction, portability, objection, and automated decision-making).

9.2 If DMU receives a request from a Data Subject in relation to Client Personal Data, DMU shall not respond to the request itself, except on the documented instructions of the Controller or as required by applicable law. DMU shall forward the request to the Controller without undue delay and in any event within five (5) business days of receipt.

10.1 Notification timeline. DMU shall notify the Controller of any Personal Data Breach affecting Client Personal Data without undue delay after becoming aware of the breach, and in any event within forty-eight (48) hours of becoming aware.

10.2 Content of notification. The notification shall, to the extent known at the time, contain at minimum:

• a description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned;
• the name and contact details of the DMU point of contact for further information;
• a description of the likely consequences of the breach;
• a description of the measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

10.3 Subsequent information. Where it is not possible to provide all required information at the same time, DMU shall provide it in phases without further undue delay.

10.4 Cooperation. DMU shall cooperate with the Controller and provide reasonable assistance to enable the Controller to comply with its notification obligations to the Supervisory Authority under Article 33 GDPR and to Data Subjects under Article 34 GDPR.

10.5 DMU's own communication. DMU shall not notify any Supervisory Authority or Data Subject of a Personal Data Breach on behalf of the Controller without the Controller's prior written authorisation, except where required by law.

DMU shall, taking into account the nature of the Processing and the information available to DMU, provide reasonable assistance to the Controller in carrying out Data Protection Impact Assessments under Article 35 GDPR and in any prior consultation with the Supervisory Authority under Article 36 GDPR, where such assessments or consultations relate to the Services.

12.1 Documentation on request. DMU shall make available to the Controller, upon written request, all information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR. Such information may include security policies, sub-processor lists, breach logs, training records, certifications, and the most recent reports of any independent audits or penetration tests, subject to redaction of confidential third-party information.

12.2 On-site audit. The Controller, or an independent auditor mandated by the Controller and reasonably acceptable to DMU, may conduct an on-site audit of DMU's facilities and processes relevant to the Services once per twelve (12) month period, subject to the following conditions:

• a written request shall be sent at least thirty (30) days in advance;
• the audit shall be conducted during DMU's normal business hours;
• the audit shall not unreasonably interfere with DMU's business operations;
• the auditor shall sign confidentiality undertakings in favour of DMU and any third party whose information may be accessed;
• the costs of the audit, including the Controller's auditor fees and travel, are borne by the Controller, save where the audit reveals a material breach of this DPA by DMU, in which case DMU shall bear the reasonable costs.

12.3 Additional audits. The Controller may request additional audits within a twelve-month period only following a Personal Data Breach affecting the Controller's data or where required by the Supervisory Authority.

12.4 Scope. Audits shall be limited to the systems, facilities, records, and personnel relevant to the Processing of Client Personal Data and shall not extend to commercial information, source code, or data of other clients of DMU.

13.1 Retention period. Following termination or expiry of the Services, DMU shall retain Client Personal Data for a period of twelve (12) months for the purpose of business continuity, dispute resolution, and compliance with legal obligations, unless the Controller requests earlier deletion or return.

13.2 Election by Controller. Within thirty (30) days after the end of the Services (or at any time during the retention period), the Controller may request, in writing, that DMU either:

• (a) return all Client Personal Data to the Controller in a commonly used and machine-readable format; or
• (b) delete all Client Personal Data from DMU's active systems.

13.3 Implementation. DMU shall implement the Controller's election within thirty (30) days of receipt of the request.

13.4 Backups. Client Personal Data held in routine backups shall be deleted in the normal course of the backup rotation cycle. During this rotation period, such data shall remain protected by the measures set out in Annex 2 and shall not be Processed for any purpose other than secure storage.

13.5 Legal retention. DMU may retain Client Personal Data to the extent required by EU, Greek, or other applicable law, including without limitation accounting and tax legislation. Such retained data shall continue to be protected in accordance with this DPA until lawfully deleted.

13.6 Certificate of deletion. Upon completion of deletion, DMU shall issue to the Controller a written certificate signed by an authorised representative of DMU, identifying the categories of data deleted, the systems involved, the date(s) of deletion, and confirmation of backup purge timing. A template form is provided in Annex 4.

14.1 Cap on liability. The total aggregate liability of DMU to the Controller under or in connection with this DPA, whether in contract, tort, statutory duty, or otherwise, shall be limited to the total fees paid by the Controller to DMU under the affected service agreement in the twelve (12) months immediately preceding the event giving rise to the liability.

14.2 Excluded matters. The cap in Section 14.1 shall not apply to:

• liability arising from DMU's gross negligence or wilful misconduct;
• breach of confidentiality obligations under Section 5;
• liability that cannot be excluded or limited under applicable law.

14.3 Indirect loss. Neither party shall be liable for any indirect, special, incidental, or consequential loss, including loss of profit, loss of goodwill, or loss of business opportunity, arising out of or in connection with this DPA, except to the extent such exclusion is prohibited by applicable law.

14.4 Regulatory fines and Data Subject claims. Where DMU and the Controller are jointly liable for any administrative fine or compensation award to a Data Subject under Article 82 GDPR, each party shall bear that portion of the liability corresponding to its share of responsibility for the damage.

14.5 Allocation between Controller and Processor. Nothing in this Section 14 limits either party's direct statutory liability to Data Subjects or Supervisory Authorities. As between the parties, the allocation of liability shall be determined by reference to each party's respective compliance with its obligations under the GDPR and this DPA.

15.1 This DPA shall remain in force for the duration set out in Section 3 and may not be terminated independently of the underlying service agreement, save where required by applicable law or by an order of a competent court or Supervisory Authority.

15.2 If a competent court or Supervisory Authority orders DMU to cease Processing certain Client Personal Data, DMU shall comply with such order and notify the Controller without undue delay.

16.1 Order of precedence. In the event of conflict between this DPA and the main service agreement, proposal, Terms and Conditions, or Privacy Policy of DMU, this DPA shall prevail with respect to matters of data protection.

16.2 Governing law. This DPA shall be governed by Greek law.

16.3 Jurisdiction. The courts of Athens, Greece, shall have exclusive jurisdiction over any dispute arising out of or in connection with this DPA, without prejudice to the right of any Data Subject to bring proceedings before a Supervisory Authority or court having competent jurisdiction under Article 79 GDPR.

16.4 Language. This DPA is published in English and Greek. In the event of any discrepancy between the two versions, the Greek version shall prevail.

16.5 Amendments. DMU may amend this DPA from time to time to reflect changes in applicable law, regulatory guidance, or operational practice. Material amendments shall be notified to the Controller at least thirty (30) days in advance, by email or via the DMU Portal. Non-material updates (including changes to Annex 3) take effect upon publication at https://dmu.gr/legal/data-processing-agreement.

16.6 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

16.7 Entire agreement. This DPA, together with the signed proposal, the DMU Terms and Conditions, and the DMU Privacy Policy, constitutes the entire agreement between the parties in relation to the Processing of Client Personal Data and supersedes any prior arrangement on the same subject matter.

16.8 Execution. The Controller's acceptance of a proposal, subscription, or service agreement that references this DPA, whether by electronic signature in the DMU Portal or by signed PDF or printed copy, constitutes acceptance of this DPA.

16.9 Contact. For all matters relating to this DPA, including audit requests, deletion requests, breach notifications received from third parties, and sub-processor objections, the Controller may contact DMU at:

[email protected]

1. Subject matter

The Processing of Client Personal Data by DMU in the context of providing digital services to the Controller, including the design, development, hosting, maintenance, optimisation, communication, advertising, and analytics services described in the signed service agreement.

2. Duration

For the duration of the Services and for the retention period set out in Section 13 of the DPA.

3. Nature and purpose of Processing

• Designing, building, hosting, and maintaining the Controller's websites, web applications, and e-commerce systems.
• Operating business email and communication infrastructure on behalf of the Controller.
• Performing search engine optimisation, performance monitoring, and analytics.
• Managing the Controller's social media presence, content publication, and engagement.
• Planning, executing, and measuring paid advertising campaigns.
• Producing graphic, video, and motion design assets.
• Providing customer service coordination, billing, and account management.

4. Categories of Data Subjects

• The Controller's website visitors and users.
• The Controller's customers, leads, and prospects.
• The Controller's newsletter subscribers and form respondents.
• The Controller's employees, contractors, and authorised representatives (to the extent their data appears in materials provided to DMU).
• Any other natural persons whose Personal Data is contained in content, databases, or communications provided by the Controller or collected through the Services.

5. Categories of Personal Data

Categories may include:

• Identification data (name, title, employer).
• Contact data (email, phone, postal address).
• Account credentials and authentication data (usernames, hashed passwords, tokens).
• Online identifiers (IP address, cookie identifiers, device identifiers).
• Transactional data (order history, invoices, payment metadata; never raw card data, which is handled by Stripe).
• Communication content (messages, form submissions, support requests).
• Marketing data (preferences, segmentation tags, engagement metrics).
• Audiovisual data (photos, videos, voice recordings supplied or recorded).
• Behavioural and analytics data (page views, click events, conversion data).
• Professional data (CV content for HR, job applications, employee records if provided).

6. Special categories of Personal Data

DMU does not actively process patient medical records or other special category data of the Controller. However, where the Controller operates in a sector that may incidentally involve special category data (for example, a healthcare clinic whose website collects general inquiries from members of the public), the Controller acknowledges that such data may be transmitted through forms, emails, or systems hosted or maintained by DMU.

In such cases:

• DMU shall apply enhanced security measures including end-to-end encryption of form submissions where technically feasible.
• DMU shall not access, read, or process the content of such submissions beyond what is strictly necessary to maintain the system.
• The Controller remains responsible for ensuring that the collection and Processing of such data is lawful under Article 9 GDPR.

7. Frequency of Processing

Continuous for the duration of the Services.

DMU implements and maintains the following measures, mapped to Article 32 GDPR. Specific implementations may evolve over time, provided the overall level of protection is not reduced.

A. Access control

• Role-based access control across all internal systems via Zitadel (self-hosted identity provider).
• Multi-factor authentication required for all administrative and developer access.
• Principle of least privilege applied to all personnel and systems.
• Access reviews performed periodically.
• Immediate revocation of access upon personnel departure or role change.

B. Encryption and pseudonymisation

• TLS 1.2 or higher for all data in transit (HTTPS, SMTPS, IMAPS).
• Encryption at rest for production databases hosted on Hetzner infrastructure.
• Passwords stored using salted, adaptive hashing algorithms (bcrypt or equivalent).
• Sensitive credentials managed through secrets management; never stored in source code.
• Backups encrypted at rest.

C. Confidentiality

• All personnel bound by written confidentiality obligations.
• Sub-Processors bound by contractual data protection terms compliant with Article 28(4) GDPR.
• Internal communications conducted through the DMU Portal, restricted to authorised personnel.

D. Integrity

• Source code versioned and audited via GitHub with branch protection and code review.
• Deployment via controlled CI/CD processes managed through RunCloud.
• Logging and monitoring of administrative actions.
• Cloudflare protection against unauthorised modification of web assets in transit.

E. Availability and resilience

• Backups performed according to the Controller's active maintenance plan, ranging from hourly (E-Commerce Maintenance Pro) to bi-weekly (Basic Maintenance).
• Uptime monitoring on all production systems.
• Hetzner data centre operations in Germany provide power redundancy, fire suppression, and physical security to industry standards (ISO 27001 certified).
• Disaster recovery procedures maintained and tested periodically.

F. Testing, assessment, and evaluation

• Software updates applied according to the Controller's maintenance plan tier.
• Security checks and optimisations performed at the frequency set out in the Controller's maintenance plan (daily for Advanced and E-Commerce tiers).
• Plugin and dependency vulnerabilities monitored and patched.
• Periodic internal review of access controls, sub-processor list, and security posture.

G. Personnel

• Onboarding includes data protection awareness and confidentiality training (per the BD Agent Onboarding Plan, Customer Service Manual, and Development Department Manual).
• Personnel are instructed to report suspected Personal Data Breaches immediately to the Managing Director.

H. Sub-processor management

• All Sub-Processors listed in Annex 3.
• New Sub-Processors notified to the Controller in accordance with Section 7.
• Sub-Processor agreements reviewed for data protection compliance before engagement.

I. Incident response

• Designated point of contact: [email protected].
• Internal escalation: Customer Service Lead → Managing Director.
• Breach notification within 48 hours of becoming aware (Section 10 DPA).
• Incident log maintained for all confirmed and suspected Personal Data Breaches.

J. Data minimisation and retention

• Client Personal Data collected and Processed only as necessary for the Services.
• Retention applied per Section 13 DPA.
• Deletion verified and certified per Section 13.6 DPA.

This Annex lists the Sub-Processors engaged by DMU as of the effective date of this DPA. The most current version is always available at https://dmu.gr/legal/data-processing-agreement.

A. Hosting and infrastructure

B. Email, communications, and meetings

C. Payments

D. Advertising and analytics

E. Development, design, and SEO tools

F. AI tools

G. Business operations

Note: Where transfer to a third country is required and no adequacy decision applies, DMU relies on the Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914 and, where applicable, the EU-US Data Privacy Framework. DMU monitors the validity of these mechanisms and updates this Annex accordingly.

Upon completion of deletion under Section 13 of the DPA, DMU issues a certificate in substantially the following form:

CERTIFICATE OF DELETION OF PERSONAL DATA

Issued by: Konstantinos Mitsouras, sole proprietor trading as "DMU"

Issued to: [Controller name]

Reference: [Service agreement number / Portal reference]

Date of issue: [Date]

This certifies that DMU has, on the date(s) set out below, deleted from its active systems the Client Personal Data Processed on behalf of the above Controller in connection with the Services.

Routine backups containing residual copies of the above data shall be purged in the normal course of the backup rotation cycle, which is expected to complete by [Date]. During this period, such data remains protected by the measures set out in Annex 2 of the DPA and is not Processed for any other purpose.

Data retained pursuant to legal obligations (including accounting and tax law) is identified separately and continues to be protected in accordance with the DPA.

Signed:

________________________

Konstantinos Mitsouras

DMU

[email protected]

End of Data Processing Agreement.