Data Processing Agreement (DPA)
Version 1.1 — Last Updated: 2 March 2026
This is a standard Data Processing Agreement template for business customers of JustFill.app. It supplements the Terms of Service and governs the processing of personal data by JustFill on behalf of the customer. For a countersigned copy tailored to your organization, please contact hello@justfill.app.
1. Preamble and Parties
This Data Processing Agreement ("DPA") is entered into and forms an integral part of the Terms of Service ("Agreement" or "ToS") between:
Processor:
NeuroCodeLab Maciej Śnieżyński, trading as JustFill
Registered office: ul. Franciszka Klimczaka 13 lok. 102, 02-797 Warszawa, Poland
Tax ID (NIP): 7123295462
CEIDG/REGON: 361253253
Contact: hello@justfill.app
Controller:
The customer who has accepted the Terms of Service and uses the JustFill.app service ("Customer" or "Controller").
This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the JustFill.app service (the "Service"), in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR").
The Processor and Controller are each a "Party" and together the "Parties."
2. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below. Terms not defined herein shall have the meanings given to them in the GDPR or the Agreement.
- "Applicable Data Protection Law" means the GDPR and any national implementing legislation in EU/EEA Member States, including but not limited to the Polish Act of 10 May 2018 on the Protection of Personal Data (Dz.U. 2018 poz. 1000), and, where applicable, the UK Data Protection Act 2018 and UK GDPR, as amended from time to time.
- "Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, as defined in Art. 4(7) GDPR. In this DPA, the Controller is the Customer.
- "Data Breach" (or "Personal Data Breach") means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed, as defined in Art. 4(12) GDPR.
- "Data Subject" means an identified or identifiable natural person to whom the Personal Data relates, as defined in Art. 4(1) GDPR.
- "EEA" means the European Economic Area, comprising the EU Member States plus Iceland, Liechtenstein, and Norway.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Art. 4(1) GDPR. In the context of this DPA, "Personal Data" refers specifically to Customer Content as defined in Section 3.1A, and excludes data processed by the Processor as an independent controller (such as account registration data and billing information). For the avoidance of doubt, personal data contained in documents uploaded to the Service, user-provided text data, calibration metadata, and AI analysis data are within scope of this DPA.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, as defined in Art. 4(2) GDPR.
- "Processor" means a natural or legal person which processes Personal Data on behalf of the Controller, as defined in Art. 4(8) GDPR. In this DPA, the Processor is JustFill.
- "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Art. 46(2)(c) GDPR, as set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or replaced from time to time.
- "Service" means the JustFill.app AI-powered PDF form filling service, including all features, functionalities, APIs, and related support provided by the Processor to the Controller under the Agreement.
- "Special Categories of Personal Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, as defined in Art. 9(1) GDPR.
- "Sub-processor" means any third party engaged by the Processor (or by any subsequent sub-processor) to process Personal Data on behalf of the Controller in connection with the Service.
- "Supervisory Authority" means an independent public authority established by an EU/EEA Member State pursuant to Art. 51 GDPR. The lead Supervisory Authority for the Processor is the President of the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, "UODO") in Poland.
3. Scope, Nature, and Purpose of Processing
3.1 Subject Matter
This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Service under the Agreement.
This DPA applies to users who process third-party personal data through the Service in the course of professional or business activities. Individual users processing personal data for purely personal or household activities are exempt from GDPR obligations under Article 2(2)(c) and are not considered Controllers under this DPA.
3.1A Scope of Controller/Processor Relationship
The Parties acknowledge that JustFill acts in two distinct capacities depending on the category of data processed:
- As Processor (covered by this DPA): JustFill processes the following data on behalf of the Controller under the Controller's instructions: (i) user-uploaded PDF documents and rendered document images; (ii) user-provided text data for form filling; (iii) AI analysis requests and responses relating to document content; (iv) calibration templates and associated PDF documents saved by the Controller; (v) filled PDF documents generated for download; and (vi) draft session data and user data snippets (collectively, "Customer Content").
- As Independent Controller (not covered by this DPA): JustFill processes the following data as an independent data controller under its own Privacy Policy, for the purposes of account administration, platform security, and legal compliance: (i) account management data (email address, hashed password, account creation date, email verification status); (ii) subscription and billing identifiers (Stripe customer ID, subscription ID, tier, usage credits); (iii) security data (session tokens, JWT tokens, device fingerprints, IP addresses); and (iv) service analytics and operational logs.
Where the same data element falls within both categories (e.g., email address used for both account management and as part of Customer Content in uploaded documents), this DPA applies to the processing of that data element insofar as it forms part of Customer Content. Where the same data element is processed under both capacities, a deletion request under this DPA applies to the data element insofar as it forms part of Customer Content. Data elements required for account management under the Controller's independent processing may be retained until account closure.
For the avoidance of doubt, data that JustFill transmits to third-party Sub-processors (such as Google Gemini and Stripe) for the purpose of providing the Service on behalf of the Controller remains subject to this DPA and the Sub-processor obligations in Section 10, even where those Sub-processors also process data independently under their own privacy policies (e.g., Stripe's independent fraud detection and risk modeling, or Google's service reliability monitoring). Only processing that a third party performs solely as an independent controller under its own privacy policy and not at JustFill's direction falls outside the scope of this DPA.
3.2 Nature of Processing
The Processor provides an AI-powered document processing service. The nature of processing includes:
- Receiving, temporarily storing, and rendering PDF documents uploaded by the Controller.
- Transmitting document images and user-provided text data to AI services (Google Gemini API) for automated form field detection and data extraction.
- Generating filled PDF documents with data placed in detected form fields for download by the Controller.
- Storing calibration templates (field layout configurations) as directed by the Controller for reuse with similar document formats.
- Facilitating data export and account deletion functionalities for Customer Content in compliance with Data Subject rights.
3.3 Purpose of Processing
Personal Data is processed solely for the purpose of providing, maintaining, and improving the Service as described in the Agreement. The Processor shall not process Personal Data for any other purpose, including but not limited to marketing, profiling, selling, or using Personal Data for AI model training.
3.4 Categories of Data Subjects and Personal Data
The categories of Data Subjects and types of Personal Data processed are described in detail in Annex A to this DPA.
4. Duration of Processing
4.1 Term
The Processor shall process Personal Data for the duration of the Agreement, unless otherwise agreed in writing or required by Applicable Data Protection Law.
4.2 Post-Termination
Upon termination or expiration of the Agreement, the Processor shall, at the Controller's election, return or delete all Personal Data in accordance with Section 17 of this DPA. The Processor's obligations under Sections 8 (Confidentiality), 9 (Security Measures), 12 (Data Breach Notification), 16 (Audit Rights), and 17 (Return and Deletion) shall survive termination and continue to apply for as long as the Processor retains any Personal Data.
4.3 Retention Periods
Specific retention periods for different categories of Personal Data are set out in Annex A. In summary:
- Transient document processing data (uploaded PDFs for one-time processing, AI analysis data): automatically deleted within 24 hours.
- Saved calibration templates and associated PDFs: retained until deleted by the Controller or upon account termination.
- Account data: retained for the duration of the account and deleted without undue delay, and in any event within 30 calendar days of account closure, subject to legal retention obligations.
- Billing data: anonymized financial records (transaction amounts, dates, invoice numbers, and tax identifiers with personal details removed) may be retained for the statutory period required by applicable tax and accounting legislation (5 years from the end of the financial year in which the transaction occurred, as required by Polish tax and accounting law (Ordynacja podatkowa Art. 86, Ustawa o rachunkowości Art. 74)). This retention is a lawful exception to erasure under GDPR Art. 17(3)(b) (compliance with a legal obligation under Union or Member State law). Personally identifiable billing data not required for tax compliance shall be deleted within 30 calendar days of account closure.
5. Processor Obligations
In accordance with Art. 28(3) GDPR, the Processor shall:
- (a) Documented Instructions: Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest (Art. 28(3)(a) GDPR).
- (b) Confidentiality: Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).
- (c) Security: Take all measures required pursuant to Art. 32 GDPR, including implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as further detailed in Annex B (Art. 28(3)(c) GDPR).
- (d) Sub-processors: Respect the conditions referred to in Art. 28(2) and (4) GDPR for engaging another processor, as further set out in Section 10 of this DPA (Art. 28(3)(d) GDPR).
- (e) Data Subject Rights: Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights as laid down in Chapter III GDPR (Art. 28(3)(e) GDPR).
- (f) DPIA and Prior Consultation: Assist the Controller in ensuring compliance with the obligations pursuant to Art. 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor (Art. 28(3)(f) GDPR).
- (g) Return and Deletion: At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data (Art. 28(3)(g) GDPR).
- (h) Audit: Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (Art. 28(3)(h) GDPR), subject to the audit limitations set forth in Section 16 of this DPA. All auditors must sign a confidentiality agreement acceptable to the Processor. The Processor may provide SOC 2 reports, ISO 27001 certifications, or equivalent third-party audit reports in lieu of on-site audits, at the Processor's discretion.
The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions (Art. 28(3), last subparagraph, GDPR).
6. Controller Obligations
The Controller warrants and undertakes that:
- 6.1 Lawful Basis: It has established and shall maintain a lawful basis for the processing of Personal Data instructed under this DPA, in accordance with Art. 6 GDPR (and, where applicable, Art. 9 GDPR for Special Categories of Personal Data).
- 6.2 Instructions: Its processing instructions to the Processor shall comply with Applicable Data Protection Law. The Controller shall be solely responsible for the accuracy, quality, and legality of the Personal Data it provides to the Processor and the means by which it acquired such Personal Data.
- 6.3 Data Subject Notification: It has provided adequate notice to Data Subjects regarding the processing of their Personal Data through the Service, including, where required, information about the use of AI for document analysis.
- 6.4 Special Categories: It shall not submit Special Categories of Personal Data to the Service unless it has ensured full compliance with Art. 9 GDPR, including obtaining explicit consent where required. The Controller assumes full responsibility for ensuring a lawful basis for processing any Special Categories of Personal Data submitted to the Service.
- 6.5 Data Minimization: It shall apply the principle of data minimization (Art. 5(1)(c) GDPR) and only submit Personal Data to the Service to the extent necessary for the purposes of processing.
- 6.6 Cooperation: It shall cooperate with the Processor in good faith to enable the Processor to fulfil its obligations under this DPA and Applicable Data Protection Law.
- 6.7 Authority: It has the full right, power, and authority to enter into this DPA and to instruct the Processor to process Personal Data on its behalf in accordance with the terms of this DPA and the Agreement.
- 6.8 Indemnification for Unlawful Instructions: The Controller shall indemnify and hold the Processor harmless against any claims, damages, fines, or penalties arising from the Controller's processing instructions that are unlawful or that violate Applicable Data Protection Law, except to the extent such claims arise from the Processor's failure to comply with its obligation to inform the Controller under Section 7.3. The indemnification obligations under this Section are subject to the general limitations of liability set out in the Agreement.
7. Instructions
7.1 Documented Instructions
The Processor shall process Personal Data only in accordance with the Controller's documented instructions. The Agreement (including this DPA), together with the Controller's use of the Service (including configuration settings, API calls, and actions performed through the user interface), constitute the Controller's complete and final documented instructions to the Processor at the time of execution of this DPA.
7.2 Additional Instructions
The Controller may issue additional or amended instructions in writing, provided that such instructions are consistent with the terms of the Agreement and Applicable Data Protection Law. If the Processor determines that an additional instruction requires changes to the Service, the Parties shall negotiate in good faith any additional fees or terms.
7.3 Obligation to Inform
The Processor shall, without undue delay, inform the Controller if, in the Processor's reasonable opinion, an instruction from the Controller infringes the GDPR or other Applicable Data Protection Law. The Processor shall be entitled to suspend the relevant processing activity until the Controller has confirmed, amended, or withdrawn the instruction.
8. Confidentiality
8.1 Personnel Obligations
The Processor shall ensure that all personnel (including employees, contractors, and agents) who have access to Personal Data:
- Are bound by written confidentiality agreements or are subject to an appropriate statutory obligation of confidentiality, in accordance with Art. 28(3)(b) GDPR.
- Process Personal Data only in accordance with the Controller's documented instructions and only to the extent necessary for the performance of their duties.
- Have received appropriate training on data protection obligations, including the requirements of the GDPR and this DPA.
8.2 Scope of Confidentiality
The confidentiality obligations set out in this Section 8 apply to all Personal Data processed under this DPA, regardless of the medium in which it is stored or transmitted. These obligations shall survive the termination of this DPA and the Agreement indefinitely.
8.3 Exceptions
The confidentiality obligations shall not apply to information that:
- Is or becomes publicly available through no fault of the Processor.
- Is independently developed by the Processor without reference to the Personal Data.
- Is required to be disclosed by applicable law, court order, or order of a competent Supervisory Authority, provided that the Processor gives the Controller prior written notice where legally permitted.
9. Security Measures
9.1 Implementation
The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, or disclosure, in accordance with Art. 32 GDPR. These measures are described in detail in Annex B to this DPA.
9.2 Proportionality
The security measures shall take into account:
- The state of the art and costs of implementation.
- The nature, scope, context, and purposes of processing.
- The risk of varying likelihood and severity for the rights and freedoms of Data Subjects.
9.3 Ongoing Assessment and Updates
The Processor shall regularly assess the adequacy and effectiveness of the technical and organizational measures and, where necessary, update and improve them. The Processor reserves the right to modify, upgrade, or replace its technical and organizational measures at any time, provided that the overall level of security is not materially reduced below that in effect at the time of execution of this DPA. Such modifications may be made unilaterally by the Processor without the Controller's prior consent. If a modification would materially reduce the overall level of security, the Processor shall obtain the Controller's prior written consent.
9.4 Specific Measures
Without limiting the measures described in Annex B, the Processor implements the following key security measures:
- Encryption in transit: All data transmitted between the Controller and the Processor, and between the Processor and its Sub-processors, is encrypted using TLS 1.2 or higher.
- Encryption at rest: All stored Personal Data is encrypted using AES-256 encryption.
- Access controls: Role-based access controls (RBAC), multi-factor authentication (MFA) for administrative access, and the principle of least privilege.
- Data minimization: Documents uploaded for transient processing are automatically deleted within 24 hours. The Processor does not retain Personal Data longer than necessary for the provision of the Service.
- Infrastructure: The Service is hosted on Google Cloud Platform in EU regions (Frankfurt, Germany and Warsaw, Poland).
- Monitoring: Continuous security monitoring, logging, and intrusion detection systems protect against unauthorized access and anomalous activity.
10. Sub-processors
10.1 General Authorization
The Controller grants the Processor general written authorization to engage Sub-processors for the purposes of providing the Service, subject to the requirements of this Section 10 and Art. 28(2) and (4) GDPR. The list of currently authorized Sub-processors is set out in Annex C to this DPA.
10.2 Notification of Changes
The Processor shall notify the Controller in writing (including by email) at least fourteen (14) calendar days before engaging a new Sub-processor or replacing an existing Sub-processor. The notification shall include the identity of the proposed Sub-processor, the nature and scope of the processing to be performed, and the location of processing. The Processor shall not engage the new Sub-processor until the earlier of: (a) the expiry of the fourteen (14) calendar day objection period without objection from the Controller; or (b) the Controller's express written acceptance of the new Sub-processor.
10.3 Objection Right
The Controller may object to the appointment or replacement of a Sub-processor by notifying the Processor in writing within fourteen (14) calendar days of receiving the notification under Section 10.2. The objection must be based on reasonable grounds related to data protection. If the Controller objects:
- The Processor shall make commercially reasonable efforts to make available to the Controller a change in the Service or recommend a commercially reasonable change to the Controller's use of the Service to avoid processing of Personal Data by the objected-to Sub-processor.
- If the Processor is unable to offer such a change within thirty (30) calendar days of the Controller's objection, either Party may terminate the Agreement (and this DPA) with respect to the Service that cannot be provided without the use of the objected-to Sub-processor, by providing written notice to the other Party.
- If the Controller does not object within the fourteen (14) calendar day period, the Controller shall be deemed to have accepted the new or replacement Sub-processor.
- The Controller acknowledges that objections may not be raised on the basis of commercial considerations unrelated to data protection. The Processor is not required to discontinue use of a Sub-processor where the objection is not based on reasonable data protection grounds. In assessing whether an objection is based on reasonable data protection grounds, the Processor's good-faith determination shall be given due consideration, provided that such determination is consistent with applicable GDPR guidance and the Processor's obligations under this DPA.
- If the engagement of a new Sub-processor is required by applicable law, regulation, or binding order of a competent authority, or necessary to address a critical security vulnerability that poses an imminent risk to the security of Personal Data, the Processor may proceed with the engagement after the notice period regardless of any objection, with the Controller's sole remedy being termination of the affected services. For purposes of this exception, a "critical security vulnerability" means a vulnerability with a CVSS score of 9.0 or above, or a zero-day exploit actively being exploited against the Processor's infrastructure. The Processor shall provide the Controller with written notification within 48 hours of invoking this exception, explaining the nature of the vulnerability and the necessity of the emergency sub-processor engagement. In all other cases, the Processor shall not engage the new Sub-processor if the Controller has objected within the notice period, and shall make commercially reasonable efforts to provide an alternative solution.
- Where the Controller exercises its right to terminate the Agreement under this Section 10.3, such termination does not entitle the Controller to any refund of prepaid fees for Service periods or credits already delivered or consumed prior to the termination effective date. The Controller shall remain liable for any fees accrued up to and including the effective date of termination. Notwithstanding the foregoing, where termination is triggered solely because the Processor introduces a new sub-processor over the Controller's objection and the Processor is unable to provide a reasonable alternative within the thirty (30) day period referred to above, the Controller shall be entitled to a pro-rata refund of prepaid fees for the unused portion of the Service period from the effective date of termination. This no-refund clause does not apply to natural persons who qualify as consumers under applicable law (including Directive 2011/83/EU and national implementing legislation), for whom mandatory statutory rights shall take precedence.
10.4 Flow-Down Obligations
Where the Processor engages a Sub-processor, the Processor shall:
- Impose on the Sub-processor, by way of a written contract, data protection obligations that are no less protective than those set out in this DPA, including in particular sufficient guarantees to implement appropriate technical and organizational measures in accordance with Art. 28(4) GDPR.
- Ensure that the Sub-processor processes Personal Data only in accordance with the Controller's documented instructions as communicated through the Processor.
- Conduct appropriate due diligence on the Sub-processor's data protection practices before engagement and periodically thereafter.
- Ensure that each Sub-processor processes Personal Data only for the specific purpose for which it has been engaged and does not share Personal Data with any other Sub-processor unless explicitly authorized by the Processor in connection with the provision of the Service.
- Ensure that no Sub-processor uses Personal Data for AI model training, machine learning model development, or any purpose beyond the specific processing task for which the data was provided, unless the Controller provides separate written consent.
10.5 Liability for Sub-processors
The Processor shall remain liable to the Controller for the performance of each Sub-processor's obligations under its sub-processing agreement, subject to the limitations of liability set forth in the Terms of Service. The Processor's obligation is to exercise due diligence in selecting and monitoring Sub-processors and to ensure that Sub-processors are bound by equivalent data protection obligations. Where a Sub-processor fails to fulfil its data protection obligations, the Processor shall remain responsible to the Controller for the performance of such Sub-processor's obligations, in accordance with Art. 28(4) GDPR.
10.6 AI Training Verification
The Processor shall maintain its Google Gemini API configuration to ensure that Customer Content is not used for AI model training. The Processor shall periodically verify this configuration and promptly notify the Controller if any change in the API provider's terms or configuration could result in Customer Content being used for model training purposes.
11. Data Subject Rights
11.1 Assistance
Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights under Chapter III GDPR, including:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure ("right to be forgotten") (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Rights related to automated individual decision-making, including profiling (Art. 22 GDPR)
11.2 Notification
If the Processor receives a request directly from a Data Subject regarding Personal Data processed on behalf of the Controller, the Processor shall promptly (and in any event within five (5) business days) notify the Controller and shall not respond to the Data Subject directly unless instructed to do so by the Controller or required to do so by Applicable Data Protection Law.
11.3 Response Timeframes
The Processor shall respond to the Controller's requests for assistance under this Section 11 without undue delay and in any event within ten (10) business days of receiving the Controller's request.
11.4 Self-Service Capabilities
The Service provides the following self-service capabilities to assist Controllers and Data Subjects:
- Data Export: The Controller may export all Personal Data associated with its account in a structured, commonly used, machine-readable format (JSON and ZIP archive containing all documents) through the account settings interface or via the following API endpoints: (i) GET /api/auth/data-export, which exports all account data, calibration templates, and metadata in JSON format; and (ii) GET /api/auth/data-export-archive, which provides a ZIP archive containing all stored PDF documents associated with the account. Both endpoints are rate-limited to three (3) requests per day per account to prevent abuse.
- Account Deletion: The Controller may request immediate deletion of its account and all associated Personal Data through the account settings interface or via the API endpoint (DELETE /api/auth/account). This triggers a cascading deletion of all user data including authentication tokens, processing logs, uploaded documents, calibration templates, subscription cache, and account records.
11.5 Cost Allocation
The Processor shall provide reasonable assistance under this Section 11 at no additional charge. However, if compliance with a request requires disproportionate effort or resources beyond the self-service capabilities of the Service, the Processor may charge reasonable fees based on the Processor's actual administrative costs, provided that the Controller is informed of such fees in advance. For the purposes of this DPA, "disproportionate effort" means effort exceeding four (4) hours per individual request or ten (10) hours per calendar quarter. Beyond these thresholds, the Processor may charge its then-current professional services rate. The quarterly cap may be temporarily exceeded in the event of a data breach or regulatory investigation, in which case the Processor shall provide reasonable additional assistance and the parties shall negotiate cost allocation in good faith.
12. Data Breach Notification
12.1 Notification Obligation
The Processor shall notify the Controller without undue delay and, where feasible, within forty-eight (48) hours after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller. For the purposes of this Section, the Processor shall be deemed to have "become aware" of a Personal Data Breach when a member of the Processor's management team or designated security personnel has confirmed, following reasonable investigation, that a security incident has resulted in the unauthorized access to, or loss of, Personal Data. Mere suspicion of a security incident, without confirmation, does not trigger the notification obligation, but the Processor shall promptly investigate any suspected incident. This notification timeframe is stricter than the 72-hour requirement under Art. 33(1) GDPR to allow the Controller adequate time to assess and fulfil its own notification obligations. This 48-hour notification timeframe is designed to allow the Controller adequate time to assess the breach and fulfil its own 72-hour notification obligation to the Supervisory Authority under Article 33(1) GDPR.
12.2 Content of Notification
The Processor's notification shall include, at a minimum, the following information (to the extent known at the time of notification):
- A description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.
- The name and contact details of the Processor's contact point from whom more information can be obtained.
- A description of the likely consequences of the Personal Data Breach.
- A description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
12.3 Supplementary Information
Where, and insofar as, it is not possible to provide all information at the same time, the Processor shall provide the information in phases without undue further delay, in accordance with Art. 33(4) GDPR. The Processor shall provide complete information about the Personal Data Breach within thirty (30) calendar days of the initial notification, unless the investigation requires additional time, in which case the Processor shall provide interim updates at least every seven (7) calendar days until complete information is available.
12.4 Cooperation
The Processor shall cooperate with the Controller and take all reasonable steps to assist in the investigation, mitigation, and remediation of the Personal Data Breach, including:
- Preserving and providing all relevant records, logs, files, data reporting, and other evidence relating to the Personal Data Breach.
- Taking immediate steps to contain and minimize the ongoing effects of the breach.
- Assisting the Controller in fulfilling its obligations under Art. 33 and 34 GDPR to notify the Supervisory Authority and, where required, affected Data Subjects.
12.5 Exclusion of Unsuccessful Attacks
The notification obligations under this Section 12 apply only to confirmed Personal Data Breaches as defined in Section 2. For the avoidance of doubt, the Processor shall have no obligation to notify the Controller of unsuccessful security incidents, including but not limited to unsuccessful login attempts, pings, port scans, denial-of-service attacks, or other network attacks on firewalls or networked systems, provided that no unauthorized access to Personal Data has occurred.
12.6 Breach Register
The Processor shall maintain a register of all Personal Data Breaches, including the facts relating to each breach, its effects, and the remedial actions taken, in accordance with Art. 33(5) GDPR. The register shall be made available to the Controller and the Supervisory Authority upon request.
12.7 No Unauthorized Communication
The Processor shall not inform any third party of a Personal Data Breach without first obtaining the Controller's prior written consent, unless notification is required by Union or Member State law to which the Processor is subject.
13. Data Protection Impact Assessment
13.1 DPIA Assistance
The Processor shall provide reasonable assistance to the Controller in carrying out data protection impact assessments ("DPIAs") where required by Art. 35 GDPR, taking into account the nature of the processing and the information available to the Processor. Such assistance shall include providing:
- A description of the processing activities performed by the Processor under this DPA.
- Information about the technical and organizational measures implemented by the Processor (as detailed in Annex B).
- Information about Sub-processors and any cross-border data transfers.
- Any other information reasonably required by the Controller to complete the DPIA.
13.2 Prior Consultation
Where the results of a DPIA indicate that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk, the Processor shall provide reasonable assistance to the Controller in its consultation with the Supervisory Authority pursuant to Art. 36 GDPR.
13.3 Cost Allocation
The Processor shall provide a reasonable amount of initial information for a DPIA at no additional charge. Where the Controller requires the Processor's extended assistance with a DPIA or prior consultation that goes beyond providing standard documentation about the Service, the Controller shall reimburse the Processor for reasonable costs incurred, provided that the Processor informs the Controller of such costs in advance.
14. Records of Processing Activities
The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller, in accordance with Art. 30(2) GDPR. The record shall contain:
- The name and contact details of the Processor and, where applicable, the joint controller, the Processor's representative, and the data protection officer.
- The categories of processing carried out on behalf of the Controller.
- Where applicable, transfers of Personal Data to a third country or international organization, including the identification of that third country or international organization, and the documentation of suitable safeguards.
- Where possible, a general description of the technical and organizational security measures referred to in Art. 32(1) GDPR.
The Processor shall make such records available to the Controller and the Supervisory Authority upon request.
A current copy of the Processor's records of processing activities is available upon written request to hello@justfill.app.
15. Cross-Border Data Transfers
15.1 Default: EEA Processing
The Processor shall process and store Personal Data within the EEA by default. The Service infrastructure is hosted on Google Cloud Platform in EU regions (Frankfurt, Germany and Warsaw, Poland).
15.2 Transfer Mechanisms
To the extent that the processing of Personal Data involves a transfer to a country outside the EEA that has not been recognized by the European Commission as providing an adequate level of data protection (an "Adequate Country"), the Processor shall ensure that one of the following safeguards is in place:
- Standard Contractual Clauses (SCCs): The Processor has entered into the SCCs (Commission Implementing Decision (EU) 2021/914) with the relevant Sub-processor or data importer, as applicable. Module 2 (Controller-to-Processor) applies where the Controller transfers Personal Data to the Processor; Module 3 (Processor-to-Sub-processor) applies where the Processor transfers Personal Data to authorized Sub-processors.
- Adequacy Decision: The European Commission has issued an adequacy decision for the recipient country pursuant to Art. 45 GDPR.
- Art. 49 Derogations: One of the derogations for specific situations under Art. 49 GDPR applies (e.g., explicit consent of the Data Subject, necessity for the performance of a contract). Art. 49 derogations are relied upon only as a last resort where no other transfer mechanism is available, and only for non-routine, non-systematic transfers. They are not used as a primary safeguard for ongoing processing operations.
15.3 Supplementary Measures (Schrems II)
Where SCCs are relied upon as the transfer mechanism, the Processor shall conduct a transfer impact assessment and, where necessary, implement supplementary technical, contractual, or organizational measures to ensure that the level of protection of Personal Data is essentially equivalent to that guaranteed within the EEA, in accordance with the CJEU's judgment in Case C-311/18 ("Schrems II") and EDPB Recommendations 01/2020. Such supplementary measures may include:
- Additional encryption of Personal Data in transit and at rest.
- Pseudonymization or anonymization where feasible.
- Contractual commitments from the data importer regarding government access requests.
- Transparency reporting regarding law enforcement and government data access requests.
15.4 Government Access Requests
If the Processor receives a request from a government authority or law enforcement agency for access to Personal Data processed on behalf of the Controller, the Processor shall:
- Promptly notify the Controller of such request, unless prohibited by applicable law.
- Challenge the request if there are reasonable grounds to consider it unlawful, taking into account the rights of the Data Subjects.
- Provide the minimum amount of information permissible when responding to the request, based on a reasonable interpretation of the request.
15.5 Current Transfer Status
As of the date of this DPA, the following transfers outside the EEA may occur:
| Sub-processor | Transfer Destination | Safeguard |
|---|---|---|
| Stripe, Inc. | United States | EU-US Data Privacy Framework (adequacy decision) + SCCs |
| Google AI Services — Gemini API (Google LLC) | EU / United States | EU-US Data Privacy Framework (adequacy decision) + SCCs (Module 3, fallback if processing routed outside EEA) |
| Google Cloud Vision API (Google LLC) | EU / United States | EU-US Data Privacy Framework (adequacy decision) + SCCs (Module 3, fallback if processing routed outside EEA) |
| Google Cloud Speech-to-Text (Google LLC) | EU / United States | EU-US Data Privacy Framework (adequacy decision) + SCCs (Module 3, fallback if processing routed outside EEA) |
SCC Module Clarification: In the table above, "SCCs (Module 3)" refers to the Processor-to-Sub-processor module of the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), which applies where the Processor (JustFill) transfers Personal Data to a Sub-processor acting on the Processor's behalf. Where this DPA is used by a Controller customer who is itself a data controller, the Processor acts as the Controller's processor (not a controller) when transmitting Personal Data to Sub-processors, and accordingly Module 3 (Processor-to-Sub-processor) governs those onward transfers. Module 2 (Controller-to-Processor) applies to the transfer relationship between the Controller and JustFill where JustFill receives Personal Data from the Controller. This distinction resolves any apparent contradiction with the Privacy Policy, which describes Module 2 transfers from JustFill's perspective as an independent controller for certain processing activities.
As of the date of this DPA, the primary processing configuration utilizes EU data residency (Frankfurt, Germany and Warsaw, Poland regions). However, certain AI model features may involve processing in the United States, in which case the transfer mechanisms described in Section 15.2 apply. In the event that EU data residency cannot be maintained for any Sub-processor, the Processor shall ensure that international transfers are covered by appropriate safeguards under Chapter V GDPR (such as Standard Contractual Clauses) and shall promptly notify the Controller of any change in data residency.
16. Audit Rights
16.1 Scope
The Controller (or an independent third-party auditor appointed by the Controller and approved by the Processor, such approval not to be unreasonably withheld) has the right to audit the Processor's compliance with its obligations under this DPA, in accordance with Art. 28(3)(h) GDPR. The audit scope may include:
- Verification of the technical and organizational measures described in Annex B.
- Review of Sub-processor agreements and compliance.
- Inspection of records of processing activities maintained under Section 14.
- Verification of data breach notification procedures.
- Assessment of cross-border data transfer safeguards.
16.2 Frequency
The Controller may conduct one (1) audit per calendar year under normal circumstances. Additional audits may be conducted if:
- There is a Personal Data Breach affecting the Controller's data.
- A Supervisory Authority requests or mandates an audit in relation to the Controller's data.
- There are reasonable grounds to suspect non-compliance by the Processor with this DPA.
In no event shall the Controller conduct more than three (3) audits (including the annual audit and any additional audits) in any twelve (12) month period, unless additional audits are mandated by a Supervisory Authority or are necessary due to a confirmed Personal Data Breach.
16.3 Notice Period
The Controller shall provide the Processor with at least thirty (30) calendar days' prior written notice of any planned audit (except in the case of an audit mandated by a Supervisory Authority, in which case the Controller shall provide as much notice as reasonably practicable).
16.4 Conduct of Audits
Audits shall be conducted subject to the following conditions:
- Audits shall take place during normal business hours and shall not unreasonably interfere with the Processor's business operations.
- The auditor shall be bound by appropriate confidentiality obligations with respect to any information obtained during the audit. All auditors (whether the Controller's employees or third-party auditors) must sign a confidentiality agreement acceptable to the Processor before the audit commences.
- The Controller shall ensure that the audit does not access Personal Data of other customers of the Processor.
- The Controller bears its own audit costs, including auditor fees, travel, and related expenses.
16.5 Remote Audit Option
As an alternative to an on-site audit, the Processor may offer to provide:
- Copies of relevant third-party certifications, audit reports, or compliance attestations (e.g., ISO 27001, SOC 2 Type II reports from infrastructure providers).
- A written response to reasonable audit questionnaires submitted by the Controller.
- Access to a virtual audit session with the Processor's security and compliance personnel.
The Controller may accept such alternative measures where they are reasonably sufficient to verify the Processor's compliance. Nothing in this Section 16.5 shall limit the Controller's right to conduct an on-site audit under Section 16.1.
16.6 Cost Allocation
The Controller shall bear all costs associated with conducting an audit, including the Controller's own costs and any reasonable out-of-pocket expenses incurred by the Processor in cooperating with the audit. The Processor shall make relevant personnel and information available at no additional charge for up to one (1) business day per calendar year. If an audit requires the Processor's cooperation beyond one business day, the Controller shall reimburse the Processor for reasonable personnel costs at the Processor's then-current professional services rates, provided that such rates are communicated to the Controller in advance. This limitation applies to voluntary commercial audits only. For audits mandated by a supervisory authority under Article 58(1) GDPR, the Processor shall provide reasonable cooperation without regard to the annual limitation, though the Controller shall bear reasonable costs associated with such cooperation beyond the initial one business day.
17. Return and Deletion of Personal Data
17.1 Data Return
Upon the Controller's written request or upon termination or expiration of the Agreement, the Processor shall return to the Controller all Personal Data processed under this DPA in a structured, commonly used, and machine-readable format. The Service provides a self-service data export functionality that generates a JSON file and ZIP archive containing all user data, calibration templates, and associated PDF documents. The exported data includes all categories of Personal Data listed in Annex A.2, in JSON format. The ZIP archive includes all associated PDF documents, calibration templates, and account data.
17.2 Deletion
Following the return of Personal Data under Section 17.1 (or if the Controller elects deletion instead of return), the Processor shall delete all copies of the Controller's Personal Data without undue delay, and in any event within thirty (30) calendar days, including Personal Data held by Sub-processors. Deletion shall be performed using industry-standard methods that ensure data cannot be recovered.
17.3 Certification of Deletion
Upon the Controller's written request, the Processor shall provide the Controller with written certification that all Personal Data has been deleted in accordance with this Section 17, within fifteen (15) calendar days of completing the deletion.
17.4 Exceptions
The Processor may retain Personal Data (or specific categories thereof) after termination only to the extent and for the duration required by applicable Union or Member State law. In particular, the Processor may retain financial records (transaction amounts, dates, invoice numbers, and tax identifiers) in anonymized or pseudonymized form where required for compliance with tax and accounting obligations under Polish law (Ordynacja podatkowa Art. 86, Ustawa o rachunkowości Art. 74) for the statutory retention period of 5 years. Where anonymization is not technically feasible at the time of account deletion, the Processor will delete the records and rely on payment processor (Stripe) records for tax compliance. The Processor relies on the following GDPR exceptions to the right of erasure:
- GDPR Art. 17(3)(b): Processing is necessary for compliance with a legal obligation which requires processing by Union or Member State law to which the Processor is subject (specifically, Polish Ordynacja podatkowa Art. 86 and Ustawa o rachunkowości Art. 74, requiring retention of financial records for 5 years from the end of the financial year in which the transaction occurred).
- GDPR Art. 17(3)(e): Processing is necessary for the establishment, exercise, or defence of legal claims (retained for the applicable statute of limitations period).
In all cases of post-termination retention, the Processor shall:
- Inform the Controller of the legal basis and scope of the required retention.
- Ensure that retained data is anonymized to the greatest extent possible while still fulfilling the legal obligation, and is protected in accordance with this DPA and processed only for the purpose mandated by the applicable law.
- Delete the retained data promptly upon the expiration of the applicable retention period.
18. Cooperation with Supervisory Authorities
The Parties shall cooperate in good faith with each other and with any competent Supervisory Authority in the performance of their respective obligations under Applicable Data Protection Law. In particular:
- The Processor shall promptly inform the Controller if it receives an inquiry, complaint, or request from a Supervisory Authority relating to Personal Data processed on behalf of the Controller.
- The Processor shall not respond to such inquiry, complaint, or request without the Controller's prior consultation, unless required to do so by Applicable Data Protection Law.
- The Processor shall provide reasonable cooperation and assistance to the Controller in responding to any such inquiry, complaint, or request.
19. Liability
19.1 GDPR Liability
Each Party shall be liable for damages caused by processing that infringes the GDPR, in accordance with Art. 82 GDPR:
- The Controller shall be liable for damages caused by processing which infringes the GDPR.
- The Processor shall be liable for damages caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside of or contrary to the Controller's lawful instructions.
19.2 Limitations
The Processor's total aggregate liability arising out of or in connection with this DPA shall be subject to the limitations of liability set out in the Terms of Service, except to the extent that such limitations are prohibited by Applicable Data Protection Law. The limitations of liability set out in the Terms of Service shall not apply to: (i) the Processor's obligations for damage caused by non-compliance with Processor-specific GDPR obligations under Art. 82(2) GDPR; (ii) data breaches caused by the Processor's willful misconduct or gross negligence; or (iii) administrative fines imposed directly on the Processor by a Supervisory Authority.
Notwithstanding the foregoing, the Processor's total aggregate liability to the Controller for Processor-specific GDPR breaches under Art. 82(2) GDPR (item (i) above) shall not exceed the greater of: (a) three (3) times the total fees paid by the Controller to the Processor in the twelve (12) months immediately preceding the event giving rise to the claim; or (b) EUR 5,000 — except where mandatory provisions of Applicable Data Protection Law require otherwise or where the liability arises from the Processor's willful misconduct or fraud. The EUR 5,000 minimum floor applies only where three (3) times annual fees would produce a lower amount, and is further limited to actual demonstrated damages suffered by the Controller. The uncapped liability for willful misconduct and fraud reflects mandatory requirements of applicable law and cannot be contractually excluded. For users on free-tier plans where no fees have been paid, the Processor's aggregate liability shall not exceed EUR 100, except for the carve-outs specified in this Section. For the avoidance of doubt, this cap applies only to claims by the Controller against the Processor; it does not limit the rights of Data Subjects under Art. 82 GDPR or the Processor's obligations to cooperate in relation to Supervisory Authority proceedings.
19.3 Controller Responsibility
The Processor shall not be liable for any damages, claims, or regulatory penalties arising out of or in connection with:
- The Controller's failure to establish or maintain a lawful basis for the processing of Personal Data as required by Art. 6 or Art. 9 GDPR.
- The Controller's failure to provide adequate notice to Data Subjects or to obtain any required consents.
- Processing carried out in accordance with the Controller's documented instructions, where such instructions are the cause of the infringement.
- The content of Personal Data submitted to the Service by the Controller, including the accuracy, quality, and legality of such data.
19.4 Exclusion of Consequential Damages
To the maximum extent permitted by Applicable Data Protection Law, neither Party shall be liable to the other Party for any indirect, incidental, special, consequential, punitive, or exemplary damages arising out of or in connection with this DPA, including but not limited to loss of profits, loss of business, loss of reputation, or loss of data, regardless of the form of action or the theory of liability, even if the Party has been advised of the possibility of such damages. This exclusion shall not apply to damages arising from a Party's willful misconduct or gross negligence, or to the extent that such exclusion is prohibited by mandatory provisions of Applicable Data Protection Law. This exclusion shall not apply to claims by Data Subjects under Art. 82 GDPR or to indemnification obligations arising from Personal Data Breaches or violations of Applicable Data Protection Law. For the avoidance of doubt, the exclusion of indirect and consequential damages in this section does not limit either Party's obligations under Article 82 GDPR to compensate Data Subjects for material or non-material damage resulting from an infringement of the GDPR. This exclusion also does not apply to third-party proceedings, contribution claims, or recourse claims between the Parties arising from GDPR liability under Articles 82 or 83. For the avoidance of doubt, regulatory fines or penalties imposed on one Party by a Supervisory Authority as a direct result of the other Party's breach of this DPA are not considered "consequential damages" for purposes of this Section 19.4, and claims for contribution in respect of such fines are governed by Section 19.5.
19.5 Indemnification
Each Party shall indemnify the other Party against all claims, actions, proceedings, losses, damages, expenses, and costs (including reasonable legal fees) arising out of or in connection with the indemnifying Party's breach of this DPA, to the extent caused by the indemnifying Party's acts or omissions. The indemnification obligations under this Section 19.5 are subject to the limitations of liability set out in Section 19.2 and in the Terms of Service.
19.6 Data Subject Rights Preserved
The limitations of liability in this Section apply solely to the contractual relationship between the Processor and the Controller and do not limit the Processor's liability to Data Subjects under Article 82 of the GDPR or any mandatory provision of applicable data protection law.
20. Insurance
The Processor shall use commercially reasonable efforts to maintain professional liability or cyber-insurance coverage appropriate to the nature and scope of the processing activities under this DPA, including coverage for data breach incidents, with a target coverage of no less than EUR 50,000 per incident. If coverage at this level is genuinely unavailable in the relevant insurance market at the time of renewal (i.e., no insurer offers such coverage regardless of premium), the Processor shall maintain the highest level of coverage reasonably available and shall notify the Controller of any material reduction in coverage within fourteen (14) calendar days of the renewal date. Upon the Controller's reasonable written request (no more than once per calendar year), the Processor shall provide evidence of such insurance coverage.
21. Term and Termination
21.1 Effective Date
This DPA shall become effective on the date the Controller accepts the Terms of Service or begins using the Service, whichever is earlier.
21.2 Duration
This DPA shall remain in effect for the duration of the Agreement and for as long as the Processor processes Personal Data on behalf of the Controller.
21.3 Termination
This DPA shall automatically terminate upon the termination or expiration of the Agreement, subject to Section 21.4.
21.4 Surviving Obligations
The following provisions shall survive termination of this DPA: Section 8 (Confidentiality), Section 12 (Data Breach Notification), Section 16 (Audit Rights, limited to the period during which the Processor retains any Personal Data), Section 17 (Return and Deletion), Section 19 (Liability), Section 25 (General Provisions), and any other provisions which by their nature are intended to survive termination.
21.5 Change of Control
If the Processor undergoes a change of control (including merger, acquisition, or sale of substantially all assets), the Processor shall notify the Controller within fourteen (14) calendar days. The successor entity automatically assumes all Processor obligations under this DPA from the effective date of the change of control. The Controller may terminate this DPA by providing written notice within sixty (60) days of receiving such notification. Upon termination under this Section 21.5, the data return and deletion obligations in Section 17 commence from the date the Controller's termination notice is received by the Processor (or its successor). During the sixty (60) day assessment window, the Processor (or its successor) shall continue to perform all obligations under this DPA without interruption.
22. Conflict
In the event of any conflict or inconsistency between the provisions of this DPA and the provisions of the Agreement (including the Terms of Service), the provisions of this DPA shall prevail with respect to data protection matters. In all other respects, the Agreement shall prevail.
23. Governing Law and Jurisdiction
23.1 Governing Law
This DPA shall be governed by and construed in accordance with the laws of the Republic of Poland, without regard to its conflict of laws principles, and the GDPR.
23.2 Jurisdiction
Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the competent courts in Warsaw, Poland, without prejudice to the rights of Data Subjects under Art. 79 GDPR to lodge a complaint with a Supervisory Authority or to bring proceedings before the courts of the Member State in which the Data Subject has their habitual residence.
24. Contact
For questions, requests, or notifications regarding this DPA, please contact:
NeuroCodeLab Maciej Śnieżyński
ul. Franciszka Klimczaka 13 lok. 102, 02-797 Warszawa, Poland
NIP: 7123295462 | CEIDG, REGON: 361253253
Email: hello@justfill.app
The Controller shall ensure that the Processor is kept informed of the Controller's current contact details for the purposes of receiving notifications under this DPA.
The Processor has conducted an assessment under Article 37 GDPR and determined that its core activities do not consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data. The Processor has therefore not appointed a Data Protection Officer. The Processor will reassess this determination periodically and upon any material change in its processing activities. All data protection inquiries may also be directed to hello@justfill.app.
25. General Provisions
25.1 Entire Agreement and Amendments
This DPA, together with the Agreement and its annexes, constitutes the entire agreement between the Parties with respect to the processing of Personal Data and supersedes all prior or contemporaneous oral or written agreements, proposals, and representations regarding such subject matter. No amendment or modification of this DPA shall be effective unless made in writing and signed or otherwise formally accepted by both Parties.
25.2 Severability
If any provision of this DPA is found by a court of competent jurisdiction or Supervisory Authority to be invalid, illegal, or unenforceable, the remaining provisions shall remain in full force and effect. The Parties shall negotiate in good faith to replace any invalid, illegal, or unenforceable provision with a valid provision that achieves, to the greatest extent possible, the original economic, legal, and commercial objectives of the invalid provision.
25.3 No Third-Party Beneficiaries
This DPA is entered into solely for the benefit of the Parties and does not confer any rights, benefits, or causes of action upon any third party. Nothing in this DPA shall be construed as creating any right enforceable by any person or entity that is not a Party to this DPA, without prejudice to the rights of Data Subjects under Applicable Data Protection Law.
25.4 Aggregated and Anonymized Data
The Processor may create aggregated and anonymized datasets derived from the processing of Personal Data under this DPA, subject to the following conditions: (a) the Processor shall provide the Controller with no less than thirty (30) calendar days' advance written notice before commencing any new aggregation or anonymization activity; (b) the Controller shall have the right to object in writing within the notice period, in which case the Processor shall not proceed with the proposed activity in respect of that Controller's data; (c) such data must be irreversibly de-identified in accordance with Applicable Data Protection Law and EDPB Opinion 05/2014 on Anonymisation Techniques, such that it cannot reasonably be used, alone or in combination with other data, to identify any natural person; and (d) such data may be used solely for the purposes of improving the Service, generating analytics, benchmarking, or research.
Once data has been irreversibly anonymized to the standard described above, it falls outside the scope of the GDPR and this DPA, and the Processor may process it without further restriction. The Processor shall apply appropriate technical measures to verify that purportedly anonymized data meets this standard before treating it as outside the scope of this DPA.
The Controller may at any time request in writing that the Processor cease creating new aggregated or anonymized data from the Controller's Personal Data. Upon receipt of such request, the Processor shall cease such activities within thirty (30) calendar days.
For the avoidance of doubt, any rights granted in the Terms of Service regarding anonymized or aggregated data usage are subject to this Section 25.4 when the Terms of Service are supplemented by this DPA.
25.5 Waiver
No failure or delay by either Party in exercising any right or remedy under this DPA shall constitute a waiver of that right or remedy. A waiver of any right or remedy must be in writing and shall apply only to the specific instance for which it is given.
25.6 Updates
The Processor may propose updates to this DPA from time to time to reflect changes in applicable law, regulatory guidance, or operational practices. The Processor shall notify the Controller of proposed changes at least thirty (30) calendar days in advance via email or through the Service dashboard. Proposed changes take effect only upon the Controller's affirmative acceptance, which must be provided in writing (including electronic form such as email confirmation or acceptance through the Service's account settings interface). Continued use of the Service alone shall not constitute acceptance of DPA amendments. This requirement is consistent with Section 25.1. Immaterial changes (e.g., formatting, contact details, typographical corrections) may be made without prior notice.
Annex A: Description of Processing
This Annex A forms an integral part of the DPA and describes the processing of Personal Data by the Processor on behalf of the Controller.
A.1 Categories of Data Subjects
| Category | Description |
|---|---|
| Registered Users | Individuals who create an account on the Service (Controller's employees, contractors, or authorized users). |
| Document Subjects | Individuals whose Personal Data is contained in documents uploaded to the Service by the Controller (e.g., individuals named in forms, applications, contracts, or other PDF documents). |
| Billing Contacts | Individuals whose billing and payment information is processed for subscription management purposes. |
A.2 Categories of Personal Data
| Category | Data Types | Retention Period |
|---|---|---|
| Account Data. Independent Controller processing — listed for transparency only. As stated in Section 3.1A, account management data (email address, hashed password, account creation date, email verification status, subscription tier, usage credits) is processed by JustFill as an independent data controller under its own Privacy Policy. This data is NOT covered by the processor obligations in this DPA. It is included here solely to provide a complete picture of all data held by JustFill in connection with the Service. | Email address, hashed password, account creation date, email verification status, subscription tier, usage credits. | Duration of account; deleted without undue delay, and in any event within 30 calendar days after deletion request. |
| Document Content (Transient) | Uploaded PDF documents, rendered document images, AI analysis requests and responses, user-provided text data for form filling. May contain any type of Personal Data depending on document content. | Automatically deleted within 24 hours of processing. |
| Document Content (Saved) | Calibration templates (field layout configurations), associated PDF documents stored for reuse. May contain field names and structural metadata. | Retained until deleted by the Controller or upon account termination. |
| Usage Data | Processing logs, API token usage, feature usage metrics, error logs, IP addresses, device type, browser information, and session identifiers. | 90 days (rolling), or until account deletion. |
| Billing Data | Limited billing metadata stored by the Processor: Stripe customer ID, subscription ID, subscription status, tier (free/premium/business), billing cycle dates, plan type, billing period, invoice history, payment amounts, and dispute status. Names and billing addresses may be received by the Processor via Stripe webhooks for invoice and receipt purposes but are not persistently stored in the Processor's own database beyond what is required for those purposes. Full payment card details (card number, CVV, expiry) are held exclusively by Stripe and are never stored by the Processor. | 5 years from the end of the financial year in which the transaction occurred, as required by Polish tax and accounting law (Ordynacja podatkowa Art. 86, Ustawa o rachunkowości Art. 74). |
| Audio Data | Real-time speech-to-text transcription data (voice input for form filling). Audio data is captured via the browser microphone API and transmitted to JustFill's servers via WebSocket, where it is streamed in real-time to Google Cloud Speech-to-Text API for transcription. Audio data is processed in real-time and is not persistently stored. | Processed transiently; not stored after transcription completion. |
| Draft Session Data | Temporary form-filling session state, PDF metadata, and field values saved for convenience. Content is determined by the Controller's use of the Service and may include any personal data input by the Controller for form-filling purposes. | Until deleted by the Data Subject/Controller or upon account deletion. Draft sessions persist across browser sessions until affirmatively cleared by the user or the account is terminated. |
| User Data Snippets | Reusable text data saved by the user for repeated use across documents. Content is determined by the Controller's use of the Service and may include any personal data input by the Controller for form-filling purposes. | Retained until deleted by the Controller or upon account termination. |
A.3 Special Categories of Personal Data
The Processor does not intentionally process Special Categories of Personal Data. However, the Controller may upload documents to the Service that contain such data (e.g., health-related forms, applications revealing ethnic origin or religious beliefs). Where the Controller submits documents containing Special Categories of Personal Data to the Service, the Controller assumes full responsibility for ensuring a lawful basis under Art. 9 GDPR for the processing of such data. The Processor applies the same technical and organizational measures to all Personal Data processed through the Service, as described in Annex B.
A.4 Processing Operations
| Operation | Description | Frequency |
|---|---|---|
| Receiving | Accepting PDF document uploads and text data from the Controller via the Service interface or API. | On-demand, per user action |
| Rendering | Converting PDF pages to images for AI analysis and visual preview. | On-demand, per document upload |
| AI Analysis | Transmitting document images and text data to Google Gemini API for automated form field detection, data extraction, and value placement. Data is processed in memory and not used for AI model training. | On-demand, per analysis request |
| Generating | Creating filled PDF documents with user data placed in detected form fields. | On-demand, per download request |
| Storing | Persisting calibration templates, associated PDFs, and account data in encrypted databases. | Continuous, while account is active |
| Exporting | Generating machine-readable data exports (JSON + ZIP) at the Controller's request. | On-demand, per Controller request |
| Deleting | Erasing Personal Data upon automatic retention expiry, Controller request, or account termination. Includes cascading deletion of all associated records. | Automatic (24h for transient data) and on-demand |
Annex B: Technical and Organizational Measures
This Annex B forms an integral part of the DPA and describes the technical and organizational measures implemented by the Processor to protect Personal Data in accordance with Art. 32 GDPR. The Processor implements and maintains the following measures, which are subject to regular review and continuous improvement.
B.1 Encryption
| Measure | Implementation |
|---|---|
| Encryption in Transit | All data transmitted between users, the Service, and Sub-processors is encrypted using Transport Layer Security (TLS) version 1.2 or higher. HTTPS is enforced on all endpoints. HSTS headers are deployed to prevent protocol downgrade attacks. |
| Encryption at Rest | All stored Personal Data is encrypted using AES-256 encryption at the storage layer. Database encryption is managed by Google Cloud Platform using Google-managed encryption keys. Backup data is similarly encrypted. |
| Password Security | User passwords are hashed using bcrypt with appropriate cost factors. Passwords are never stored in plaintext. |
B.2 Access Controls
| Measure | Implementation |
|---|---|
| Role-Based Access Control (RBAC) | Access to Personal Data is restricted based on roles. Only authorized personnel with a legitimate business need can access Personal Data. |
| Multi-Factor Authentication (MFA) | MFA is required for all administrative access to infrastructure and production systems. |
| Principle of Least Privilege | Access rights are granted on a need-to-know basis. Permissions are reviewed periodically and revoked promptly when no longer required. |
| Authentication | User authentication via JWT tokens with appropriate expiration. Email verification required for account activation. Secure password reset mechanisms with time-limited tokens. |
B.3 Network Security
| Measure | Implementation |
|---|---|
| Virtual Private Cloud (VPC) | Service infrastructure is deployed on Google Cloud Platform using managed compute services with network-level security controls and private connectivity where applicable. |
| Firewalls | Network firewalls restrict inbound and outbound traffic to authorized endpoints and ports only. |
| DDoS Protection | Google Cloud Armor and infrastructure-level protections mitigate distributed denial-of-service attacks. |
| Rate Limiting | API rate limiting is enforced to prevent abuse and protect against brute-force attacks. |
B.4 Data Minimization and Retention
| Measure | Implementation |
|---|---|
| Automatic Deletion | Documents uploaded for transient processing are automatically deleted within 24 hours. No transient processing data is retained beyond this period. |
| Purpose Limitation | Personal Data is processed only for the purposes specified in Annex A. Data is not used for AI model training, marketing, profiling, or any secondary purpose. |
| Storage Minimization | Only the minimum necessary data is persisted. Billing data is processed primarily by Stripe; only identifiers are stored locally. |
B.5 Monitoring and Logging
| Measure | Implementation |
|---|---|
| Audit Logs | All access to Personal Data and administrative actions are logged with timestamps, user identifiers, and action details. |
| Intrusion Detection | Google Cloud Security Command Center and logging services provide continuous threat detection and alerting. |
| Anomaly Detection | Automated monitoring detects unusual access patterns, failed authentication attempts, and other anomalous activity. |
| Error Reporting | Google Cloud Error Reporting captures and alerts on application errors. Log sanitization ensures Personal Data is not included in error reports. |
B.6 Incident Response
| Measure | Implementation |
|---|---|
| Documented Procedures | Documented incident response procedures cover identification, containment, eradication, recovery, and post-incident review. |
| Response Team | Designated incident response personnel with defined roles and escalation paths. |
| Escalation | Clear escalation procedures ensure timely notification to affected Controllers within the 48-hour notification obligation. |
B.7 Business Continuity
| Measure | Implementation |
|---|---|
| Backups | Regular automated backups of all databases and critical data. Backups are encrypted and stored in geographically separate locations within the EU. |
| Disaster Recovery | Documented disaster recovery procedures with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). |
| Failover | Google Cloud Run provides automatic scaling and failover capabilities within EU regions. |
B.8 Personnel Security
| Measure | Implementation |
|---|---|
| Confidentiality Obligations | All personnel with access to Personal Data are bound by written confidentiality agreements (NDAs) or equivalent statutory obligations. |
| Training | Regular data protection and security awareness training for all personnel. |
| Access Revocation | Access to systems and Personal Data is promptly revoked upon termination of employment or change of role. |
B.9 Physical Security
| Measure | Implementation |
|---|---|
| Data Center Security | The Service is hosted on Google Cloud Platform, which maintains comprehensive physical security controls at its data centers, including 24/7 security monitoring, biometric access controls, CCTV surveillance, and secure perimeter fencing. |
| Certifications | Google Cloud Platform maintains the following certifications relevant to physical and information security: ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 1, SOC 2, SOC 3, and CSA STAR. |
B.10 Pseudonymization and Data Separation
| Measure | Implementation |
|---|---|
| Internal IDs | Internal system identifiers (UUIDs) are used to reference data, reducing unnecessary exposure of directly identifying information. |
| Tenant Isolation | Each Controller's data is logically separated and accessible only through authenticated, authorized requests. Cross-tenant data access is prevented at the application and database levels. |
| Log Sanitization | Personal Data is sanitized from application logs and error reports to prevent unnecessary data exposure in operational systems. |
B.11 Regular Testing and Assessment
| Measure | Implementation |
|---|---|
| Vulnerability Scanning | Regular automated vulnerability scanning of application code, dependencies, and infrastructure. |
| Dependency Management | Automated monitoring and updating of third-party dependencies to address known security vulnerabilities. |
| Security Reviews | Periodic security reviews of application architecture, code, and configurations. |
| Penetration Testing | Periodic penetration testing of the Service by qualified internal or external security professionals to identify and remediate vulnerabilities. Results are reviewed and remediation is tracked to completion. |
Annex C: List of Sub-processors
This Annex C forms an integral part of the DPA and lists all Sub-processors authorized by the Controller as of the effective date of this DPA, in accordance with Section 10.
| Sub-processor | Purpose | Location | Categories of Personal Data | Transfer Safeguard |
|---|---|---|---|---|
| Google LLC (Google AI — Gemini API) | AI-powered document analysis and form field detection. Data is processed in memory for inference only and is not used for model training. | EU (with potential US processing for certain AI features) | Document images, user data text, prompt content. | EU SCCs (Module 3: Processor-to-Sub-processor), Google's Data Processing Terms |
| Google LLC (Google Cloud Vision API) | Document text recognition (OCR). | EU | Document images. | EU SCCs (Module 3), Google's Data Processing Terms |
| Google LLC (Google Cloud Speech-to-Text) | Real-time speech transcription for form dictation. | EU (with potential US processing) | Audio data (voice recordings). | EU SCCs (Module 3), Google's Data Processing Terms |
| Google LLC (Google Cloud Platform — Hosting) | Infrastructure hosting, data storage, compute, database, networking, and monitoring services. | Primary deployment in EU regions (europe-west1: Belgium; europe-central2: Warsaw, Poland). The Processor commits to maintaining data residency within the EU/EEA. Any change in deployment region will remain within the EU/EEA and will be communicated to Controllers via the sub-processor notification mechanism described in Section 10. | All Customer Content processed by the Service (document content, usage data, calibration templates, account data). | N/A (EU data residency) |
| Stripe, Inc. | Payment processing, subscription management, invoicing, and billing portal. | US / EU | Name, email address, billing address, payment method details (card information processed directly by Stripe and not stored by the Processor). | EU SCCs (Module 2: Controller-to-Processor when JustFill acts as independent controller; Module 3: Processor-to-Sub-processor when JustFill acts as processor under a DPA with a business customer). Stripe also self-certifies under the EU-US Data Privacy Framework. Stripe's DPA (available at stripe.com/legal/dpa) and Stripe's Global Privacy Policy govern data processing. |
| Hostinger International Ltd (DPA) | DNS management, domain services, and transactional email delivery (email verification, password reset, billing notifications, account notifications). | EU / Lithuania | DNS query data (no direct personal data for DNS services); email addresses, email content (verification tokens, notification text) for email delivery. | N/A (EEA-based) |
Note: Google Analytics is used by JustFill as an independent controller for website analytics purposes and is NOT a sub-processor under this DPA. Google processes analytics data under its own privacy policy and terms. Google Analytics is not listed in the sub-processor table above. Its use is subject to JustFill's Privacy Policy and is conditional on end-user consent via the cookie consent mechanism.
The Processor shall maintain an up-to-date list of Sub-processors and notify the Controller of any changes in accordance with Section 10.2 of this DPA. The current list of Sub-processors is also available upon written request to hello@justfill.app.
This Data Processing Agreement, including Annex A (Description of Processing), Annex B (Technical and Organizational Measures), and Annex C (List of Sub-processors), constitutes the complete data processing agreement between the Parties with respect to the processing of Personal Data under the Agreement. By using the Service, the Controller acknowledges and agrees to the terms of this DPA. Business customers may request execution of a countersigned version of this DPA by contacting hello@justfill.app. A countersigned DPA shall supersede this online version for the applicable Controller.