Data Processing Addendum (DPA)

Last updated: May 12, 2026 · dpa_v1_2026_05_12

Change history
  • dpa_v1_2026_05_12 · May 12, 2026
    Initial public version of the DPA template (GDPR Article 28 + Russian 152-FZ Article 6(3)).

Document status. This is a template Data Processing Addendum (DPA) for enterprise customers who use the Inkover Service to process personal data belonging to their own users or employees. To activate this DPA, email [email protected] — we will return a signable copy (DocuSign/PandaDoc or PDF) with party details filled in. Until signed, this text is informational.

1. Definitions and parties

This Data Processing Addendum ("DPA") is entered into between:

  • The Controller — the legal or natural person who signs the DPA and uses the Service to process personal data of its clients or employees (the "Customer"), and
  • The Processor — Nikolai Ivanovich Dubina, a self-employed individual registered under the Russian Federation Professional Income Tax regime (Federal Law No. 422-FZ of 27 November 2018), TIN 502997275398, Saint Petersburg, Russian Federation (the "Operator" or "Processor").

The terms "personal data", "processing", "controller", "processor" and "data subject" have the meaning given in Regulation (EU) 2016/679 (GDPR) and, for data of Russian Federation citizens, in Federal Law No. 152-FZ. Where the two regimes conflict, the provision granting the data subject greater protection prevails.

2. Subject matter and roles

The Processor processes the personal data supplied by the Controller through the Service solely on the Controller's documented instructions. Use of the Service's standard features (OCR, translation, rendering, publication) constitutes documented instructions agreed between the parties upon signature of this DPA.

3. Nature and purposes of processing

  • Subject matter: text, images, metadata and user identifiers uploaded by the Customer or its end users to the Service.
  • Duration: for the term of the underlying commercial agreement between the parties (subscription or other contract) plus 30 days thereafter (see § 11).
  • Purposes: provision of the Service — OCR, machine translation, rendering of translated images, version storage, publication (if activated by the Customer), billing, technical support.
  • Categories of data: account identifiers (email, name, locale), content of uploaded materials, service metadata (IP, User-Agent, action timestamps).
  • Categories of data subjects: Customer end users, Customer employees, rights holders and complainants (within the procedures described in § 10.5 of the Terms of Service).

4. Processor obligations

  1. Process personal data only on the Controller's documented instructions, including with regard to international transfers, unless required to do so by applicable law.
  2. Ensure that persons authorised to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Take all measures required under Article 32 GDPR and Article 19 of Federal Law No. 152-FZ, including those described in § 7.
  4. Respect the conditions for engaging sub-processors set out in § 6.
  5. Taking into account the nature of the processing, assist the Controller in fulfilling its obligation to respond to data subject requests (see § 8).
  6. Assist the Controller in complying with Articles 32 to 36 GDPR and the applicable Russian-law equivalents (security, breach notification, DPIA, consultation with the supervisory authority).
  7. At the Controller's choice, delete or return all personal data after the end of the provision of services (see § 11).
  8. Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow audits on the conditions set out in § 9.

5. Controller obligations

  • Have a lawful basis for the processing of personal data it provides to the Processor (consent, contract performance, legitimate interest, etc.).
  • Provide data subjects with the notices required by law (privacy notice) and facilitate the exercise of their rights.
  • Not upload special categories of personal data (Article 9 GDPR / Article 10 of 152-FZ) to the Service without prior written agreement with the Processor.
  • Follow the Processor's account-security instructions and promptly revoke access of employees who leave.

6. Sub-processors

The Controller grants general authorisation for the engagement of sub-processors. The up-to-date list is published at /privacy, section "Data Recipients". At the date of this DPA, the sub-processors are:

  • Google LLC / Google Ireland Ltd — processing through the Gemini API (OCR, translation, rendering) and Cloud Vision API.
  • Google Cloud Platform — hosting and infrastructure.
  • Resend (Resend, Inc.) — transactional email delivery.
  • Payment providers (Heleket, YooKassa) — receive only billing details, with no access to translated content.

The Processor notifies the Controller of any intended changes to the sub-processor list at least 30 calendar days in advance, by email. The Controller may object to a new sub-processor within 30 days; where an objection is reasonable, the parties will in good faith seek a reasonable workaround, failing which the Controller is entitled to terminate the underlying agreement.

7. Technical and organisational measures (TOMs)

  • Encryption in transit: TLS 1.2+ for all HTTPS traffic.
  • Encryption at rest: AES-256 for object storage; disk-level encryption provided by the cloud provider.
  • Access control: RBAC, MFA for administrative access, principle of least privilege, regular secret rotation.
  • Data isolation: logical segregation by tenant id; public links are created only through explicit user action.
  • Logging and monitoring: centralised access logs, audit log of administrator actions, anomaly alerting.
  • Backups: daily incremental and weekly full backups; restoration is tested at least once per quarter.
  • Continuity: incident-response plan, responder reachable within 24 hours on business days.
  • Training: data-protection briefings for all personnel with access to Controller data.

8. Data subject rights

The Processor provides the technical capabilities required to respond to data-subject requests for access, rectification, erasure, restriction, portability and objection. Where the Processor receives such a request directly, it will forward it to the Controller without undue delay and will not respond on its own, unless required by law.

9. Audit

On the Controller's request, the Processor provides summary information on the TOMs implemented, any independent-auditor reports available and reasonable support for an audit conducted by the Controller or a Controller-appointed auditor who is not a competitor of the Processor, during business hours, on at least 30 days' notice, no more than once per year, except in the event of a reasonably suspected breach. The auditor must sign an NDA. All audit costs are borne by the Controller.

10. Personal-data-breach notification

The Processor notifies the Controller of any confirmed personal-data breach affecting Controller data without undue delay and no later than 72 hours after becoming aware of it. The notification includes: the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed. The Processor provides reasonable assistance to the Controller in fulfilling its obligations to notify data subjects and supervisory authorities (Articles 33–34 GDPR; Article 21(3) of 152-FZ where applicable).

11. Return and deletion of data

Upon termination of the services, the Controller chooses within 30 days whether to have the data deleted or returned in a machine-readable format (JSON/ZIP). After 30 days without a choice, the data is deleted. Backups are deleted on their rotation cycle — no later than 90 days. Audit logs and accounting records are retained for the periods required by law (up to 5 years) and are excluded from deletion.

12. International transfers

Processing may involve transfers outside the Russian Federation and the EEA (through the Gemini API / GCP). Such transfers are based on the EU Standard Contractual Clauses (Commission Decision 2021/914) concluded between the Processor and the non-domestic sub-processor; for personal data of Russian Federation citizens, the requirement of primary recording on servers located in the Russian Federation (Part 5, Article 18 of 152-FZ) is complied with.

13. Liability and governing law

Each party's liability under this DPA is subject to the limits agreed in the underlying commercial agreement. This DPA is governed by the law of the Russian Federation; for Controllers established in the EEA, GDPR additionally applies. Disputes are resolved under the procedure agreed in the underlying agreement. As regards data-subject rights, the jurisdiction of the data subject's habitual residence applies.

14. Conflict of documents

If there is any conflict between this DPA and the Terms of Service, this DPA prevails. If there is any conflict between this DPA and a separate commercial agreement signed by the parties, the commercial agreement prevails unless the DPA expressly states otherwise.

15. How to sign

To request this DPA, email [email protected] with the subject "DPA request" and include: your legal entity, country of incorporation, expected categories of data and number of data subjects, and the signatory. We will return a ready-to-sign copy within 5 business days.