Data Processing Agreement

Created on 8 March, 2026 • 7 minutes read

biolinks.info Web Solution Jog690 S.R.L. March 2025

01

Preamble & Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Web Solution Jog690 S.R.L. ("Processor", "we") and the registered user of biolinks.info ("Controller", "you").

It governs the processing of personal data of your end users (biolink page visitors) carried out by us on your behalf pursuant to Art. 28 GDPR. In the event of conflict, this DPA takes precedence over the Terms of Service with respect to data protection matters.

By using the platform you accept this DPA. A signed copy can be downloaded below.

↓ Download DPA as PDF

02

Definitions

  • "Controller" – the registered user who determines the purposes and means of processing personal data of their biolink page visitors.
  • "Processor" – Web Solution Jog690 S.R.L., operating the biolinks.info platform.
  • "Customer Data" – personal data of end users processed by the Processor on behalf of the Controller via the platform.
  • "Sub-Processor" – any third party engaged by the Processor to process Customer Data.
  • "Security Incident" – any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.
  • "GDPR" – EU Regulation 2016/679 and any applicable national implementations.

03

Nature of Processing

The Processor processes Customer Data solely to operate and provide the biolinks.info platform in accordance with the Terms of Service and the Controller's instructions. No processing beyond this scope takes place without a separate written instruction.

The Controller is solely responsible for ensuring a valid legal basis for any processing of personal data they initiate via the platform (e.g. through tracking pixels, embedded scripts, or contact forms).

04

Obligations of the Processor

Confidentiality

The Processor ensures that all personnel authorized to process Customer Data are bound by confidentiality obligations and access Customer Data only to the extent necessary for their tasks.

Instructions

The Processor processes Customer Data only on documented instructions from the Controller. If required by EU or national law to process beyond those instructions, the Processor will inform the Controller in advance unless legally prohibited.

Assistance

The Processor will assist the Controller in fulfilling obligations under the GDPR, including responding to data subject requests, data protection impact assessments, and breach notifications.

05

Sub-Processors

The Controller hereby grants general authorization for the engagement of the following sub-processors:

| Provider | Location | Purpose | Status |
|---|---|---|---|
| INWX GmbH & Co. KG, Prinzessinnenstr. 30, 10969 Berlin, Germany | Germany | Domain registration | Active |
| Cloudways Ltd., 52 Springvale, Pope Pius XII Street, Mosta MST2653, Malta | Malta / EU | Platform hosting | Active |
| Wasabi Technologies LLC, 111 Huntington Avenue, Boston, MA 02199, USA | USA | Cloud storage | Planned |

The Processor will notify the Controller at least 30 days in advance before adding a new sub-processor. The Controller may object in writing within 14 days if there are demonstrable compliance concerns. If the objection cannot be resolved, the Controller may terminate the contract with 90 days' notice.

The Processor ensures each sub-processor is bound by data protection obligations equivalent to those in this DPA.

06

Data Subject Rights

The Processor will promptly notify the Controller of any requests received from data subjects regarding Customer Data and will not respond directly to such requests without the Controller's instruction, unless required by law.

The Processor will provide reasonable technical assistance to enable the Controller to fulfill data subject rights (access, rectification, erasure, restriction, portability) within the platform.

07

Security

The Processor implements appropriate technical and organizational measures pursuant to Art. 32 GDPR, including:

  • SSL/TLS encryption for all data in transit
  • Access control and user authentication
  • Role-based access restrictions for personnel
  • Regular backups and recovery testing
  • Confidentiality agreements with all personnel with data access
  • Logging of access and system events

In the event of a Security Incident, the Processor will notify the Controller within 72 hours of becoming aware, investigate the incident, and take remedial action.

08

International Data Transfers

Where Customer Data is transferred outside the EEA, the Processor ensures an adequate level of protection through one of the following mechanisms:

  • EU Commission adequacy decision for the destination country
  • EU Standard Contractual Clauses (SCCs) with the sub-processor
  • Certification under the EU-US Data Privacy Framework (where applicable)

Wasabi Technologies LLC (USA, planned) – transfer covered by SCCs or DPF certification at time of activation.

09

Term & Deletion

This DPA remains in force for the duration of the Terms of Service. Upon termination of the account, the Processor will delete all Customer Data within 90 days, including data held by sub-processors, unless statutory retention obligations require otherwise.

The Controller may request written confirmation of deletion.

10

Annex – Processing Details (Art. 28(3) GDPR)

Subject Matter & Duration

Operation of the biolinks.info SaaS platform for the duration of the account.

Nature & Purpose

Hosting, storage, and transmission of data to provide biolink pages, URL shortening, click analytics, and related platform features.

Types of Personal Data

  • End user IP addresses (anonymized in analytics)
  • Browser and device information
  • Referrer URLs and click data
  • Any data embedded by the Controller via pixels, scripts, or forms

Categories of Data Subjects

Visitors to biolink pages and shortened URLs operated by the Controller.

Controller Obligations

The Controller is responsible for ensuring a valid legal basis for all processing of end user data they initiate via the platform, including maintaining their own privacy policy and obtaining any required consents.

Processor: Web Solution Jog690 S.R.L.

Strada Ion Slavici, Nr. 13 Cam. Nr. 1, Scara B, Ap. 18, 300539 Timișoara, Romania

Email: office@jog690.eu  ·  VAT: RO38794995
