Data Processing Agreement
Last Updated: January 12, 2026
Effective Date: January 12, 2026
Processor: MB Griaustinis Media, Kaunas, Lithuania
Service: Aylesbury Data Governance Platform
GDPR Compliance: EU Regulation 2016/679 (Article 28)
IMPORTANT: This Data Processing Agreement (DPA) applies if you process, through the Service, personal data of EU residents or of residents of other jurisdictions with similar regulations. This DPA is incorporated into your Terms of Service and forms a legally binding agreement between you (Controller) and us (Processor).
1. Definitions
Controller: The Customer (you) - the organization that determines the purposes and means of processing personal data
Processor: MB Griaustinis Media - the company that processes personal data on behalf of the Controller
Data Subject: Any individual to whom the personal data relates
Personal Data: Any information relating to an identified or identifiable natural person
Processing: Any operation performed on personal data (collection, recording, organization, storage, use, deletion, etc.)
Sub-processor: Any entity that processes personal data on behalf of the Processor
Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data
2. Subject Matter and Scope of Processing
2.1 Scope
This DPA applies to all processing of personal data by Processor on behalf of Controller through the Service, including:
- Personal data uploaded to the Service by Controller
- Account information (name, email, company details) provided during registration
- Usage data and analytics that may include personal information
- Data stored in backups and archives
2.2 Categories of Data
The types of personal data processed depend on what you upload to the Service. This may include:
- Identification data (names, employee IDs)
- Contact data (email addresses, phone numbers)
- Professional data (job titles, departments)
- Technical data (IP addresses, device identifiers)
- Any other personal data you choose to process
2.3 Categories of Data Subjects
Data subjects may include:
- Your employees and contractors
- Your customers or business contacts
- Any individuals whose data you process through the Service
2.4 Duration and Purpose
- Duration: For the term of your Service subscription and 30 days after termination (for data export), then deletion
- Purpose: Providing data governance, lineage, classification, quality monitoring, and compliance features as specified in your Service order
- Nature: Processing is limited to what is necessary to provide the Service
3. Processing Instructions
3.1 Processor Obligations
Processor shall process personal data only on documented instructions from Controller, including:
- The subject matter and duration of processing
- The nature and purpose of processing
- The types of personal data and categories of data subjects
- The rights and freedoms of data subjects
3.2 Nature of Processing Instructions
Processing instructions are defined in:
- The Service Terms of Service
- The specific features Controller enables in the Service
- Any written instructions Controller provides
- Controller's account settings and configurations
3.3 Out-of-Scope Processing
Processor shall not process personal data for purposes outside the explicit instructions provided by Controller (e.g., Processor shall not use personal data for Processor's own marketing purposes).
3.4 Changes to Instructions
If Controller wishes to change processing instructions, Controller must provide written notice. Processor will implement changes within a reasonable timeframe, unless implementation is not technically or operationally feasible, in which case Processor will notify Controller.
4. Processor Responsibilities
4.1 Confidentiality
Processor ensures that persons authorized to process personal data have committed to confidentiality or are under an appropriate legal obligation of confidentiality. Processor's staff shall not access, use, or disclose personal data except as necessary to provide the Service.
4.2 Security and Technical Measures
Processor shall implement and maintain appropriate technical and organizational measures to ensure security, including:
- Encryption of personal data in transit (TLS 1.3+) and at rest (AES-256)
- Pseudonymization and encryption where appropriate
- Ability to ensure confidentiality, integrity, availability, and resilience
- Ability to restore availability and access to personal data in a timely manner
- Regular testing of security measures
- Processes for restoring data availability after incidents
- Access controls limiting access to persons with legitimate need
4.3 Sub-processors
Processor shall not engage sub-processors without prior written authorization from Controller. Processor shall:
- Provide a list of authorized sub-processors at aylesbury.io/subprocessors
- Notify Controller at least 30 days before adding or replacing sub-processors
- Allow Controller to object to new sub-processors
- Enter into data processing agreements with sub-processors imposing the same data protection obligations
- Remain fully liable to Controller for sub-processor performance
4.4 Current Sub-processors
Current authorized sub-processors include:
- Hetzner: Cloud hosting and data storage (EU data centers)
- Stripe/Payment Processor: Payment processing (PCI-compliant)
- Email Provider: Transactional email delivery
- Analytics: Service usage analytics (anonymized)
5. Data Subject Rights
5.1 Assistance with Data Subject Requests
Processor shall assist Controller in fulfilling data subject requests for:
- Right of Access: Providing copies of personal data within 10 business days
- Right to Rectification: Correcting or updating inaccurate data
- Right to Erasure: Deleting personal data (where technically feasible)
- Right to Restrict Processing: Limiting processing of certain data
- Right to Data Portability: Exporting data in portable format (CSV, JSON)
- Right to Object: Ceasing processing for certain purposes
5.2 Responsibility
Processor shall respond promptly to Controller's requests and assist in meeting data subject timelines (typically 30 days under GDPR). Controller remains responsible for verifying the requestor's identity and making final decisions about compliance.
5.3 Cost
Processor provides reasonable assistance at no additional cost. Processor may charge reasonable fees for excessive or repetitive requests.
6. Deletion and Return of Data
6.1 Upon Termination
Upon termination or expiration of the Service agreement, Processor shall:
- Provide Controller with 30 days to export personal data
- Delete all personal data within 60 days (unless legally required to retain)
- Delete archived backup data within 90 days
- Certify completion of deletion upon request
6.2 Earlier Deletion
Controller may request deletion of specific data at any time through the Service interface. Processor shall delete such data within a reasonable timeframe (typically within 30 days).
6.3 Legal Obligations
Processor may retain personal data if legally required (tax law, regulatory investigation, litigation hold). Processor shall notify Controller of such retention and explain the legal basis.
7. Data Breach Notification
7.1 Breach Notification Duty
If Processor becomes aware of a personal data breach, Processor shall notify Controller:
- Timing: Without undue delay, typically within 24 hours
- Content: Facts of the breach, affected data, likely consequences, and mitigation steps
- Method: Email to security contact or account administrator
7.2 Cooperation
Processor shall:
- Cooperate fully with Controller's incident response
- Preserve evidence for forensic investigation
- Provide regular updates on investigation progress
- Assist with regulatory notifications and reports
7.3 No Delay for Regulatory Reporting
Processor shall not delay notification to regulatory authorities. However, Processor and Controller will coordinate to ensure consistent and appropriate reporting.
8. Audit and Inspection Rights
8.1 Audit Rights
Controller has the right to:
- Audit Processor's processing of personal data
- Request documentation of security measures
- Request evidence of compliance with this DPA
- Conduct on-site inspections (with reasonable notice)
- Request SOC 2 or ISO 27001 audit reports
8.2 Audit Conduct
Audits shall be conducted:
- At reasonable times with reasonable notice (typically 14+ days)
- Under confidentiality protections
- Subject to Processor's reasonable security protocols
- Without unduly disrupting operations
8.3 Audit Costs
Controller may conduct one audit per calendar year at no cost. Additional audits may be charged at Processor's reasonable cost-recovery rate. Third-party audits (e.g., for compliance verification) may be permitted with Processor's consent.
8.4 Audit Results
Processor shall cooperate in addressing any audit findings and provide remediation plans for identified issues.
9. International Data Transfers
9.1 Data Location
Personal data is processed and stored in the European Union (AWS EU data centers in Ireland). If international transfers are necessary, Processor will ensure compliance with applicable laws.
9.2 Standard Contractual Clauses
For any transfer of personal data outside the EU/EEA, Processor shall use the EU Standard Contractual Clauses (SCCs) as approved by the European Commission. The SCCs are incorporated by reference into this DPA.
9.3 Supplementary Measures
If required by law (e.g., post-Schrems II), Processor shall implement supplementary technical and organizational measures to ensure adequate protection, including encryption and restricted access.
10. Limitation of Liability
10.1 Processor Liability
Processor's liability for violations of this DPA is subject to the limitations in the Terms of Service. However, Processor remains fully liable for:
- Breaches of confidentiality obligations
- Violations of personal data processing rights
- Unauthorized data transfers
- Gross negligence or willful misconduct
- Violations that cannot be limited under GDPR or applicable law
10.2 Controller Responsibility
Controller remains responsible for:
- Determining the lawful basis for processing
- Obtaining necessary consents
- Verifying compliance with data protection laws
- Responding to data subject requests
- Reporting breaches to authorities
11. Term and Amendments
11.1 Duration
This DPA is effective as of the date you agree to the Terms of Service and continues while you use the Service and for 30 days after termination (for data export and deletion).
11.2 Amendments
Processor may amend this DPA to comply with GDPR changes or regulations. Processor will notify Controller at least 30 days in advance. If Controller objects to amendments, Controller may terminate the Service agreement.
11.3 Incorporation into Terms of Service
This DPA is incorporated into and forms part of the Service Terms of Service. In case of conflict, this DPA controls regarding personal data processing.
12. EU-US Data Transfers (If Applicable)
Note: This section applies only if Processor transfers personal data to the United States or other non-EU countries.
12.1 Standard Contractual Clauses
For transfers to the US, Processor relies on Standard Contractual Clauses as approved by the European Commission. These clauses ensure adequate safeguards for data protection.
12.2 No Privacy Shield Reliance
Processor does not rely on the Privacy Shield framework, which is no longer valid following the Schrems II decision.
12.3 Supplementary Measures
Processor implements supplementary technical and organizational measures, including encryption and restricted access, to mitigate risks of access by US government authorities.
13. Contact and Compliance
13.1 Data Protection Officer
For questions about this DPA or personal data processing, contact:
- Email: dpo@aylesbury.io
- Address: MB Griaustinis Media, Kaunas, Lithuania
13.2 EU Regulatory Authority
If you have concerns about Processor's compliance with GDPR, you may lodge a complaint with:
- Lithuania: State Data Protection Inspectorate
- Your country: Your local data protection authority
14. Schedules (Appendices)
Schedule A: Sub-Processor List
Current Authorized Sub-processors:
- Amazon Web Services (AWS)
  - Purpose: Cloud hosting, data storage, compute services
  - Location: Ireland (EU)
  - DPA: AWS Data Processing Addendum
- Stripe/Wise
  - Purpose: Payment processing
  - Location: Multiple (PCI-DSS compliant)
  - DPA: Provider's Data Processing Agreement
- SendGrid/Email Provider
  - Purpose: Transactional email delivery
  - Location: US (with Privacy Shield/SCCs)
  - DPA: Provider's Data Processing Agreement
Updates: aylesbury.io/subprocessors
Schedule B: Security Measures
Detailed description of technical and organizational measures:
- Encryption (TLS 1.3+, AES-256)
- Role-based access control
- Intrusion detection and monitoring
- Regular security patches and updates
- Automated backups and disaster recovery
- Employee security training and background checks
- Incident response procedures
- Regular security audits and penetration testing
- SOC 2 Type II and ISO 27001 compliance
Schedule C: Data Subject Rights Procedures
Processor will assist with the following procedures:
- Access Requests: Processor exports data within 10 business days
- Deletion Requests: Processor deletes data within 30 days (where technically feasible)
- Correction Requests: Processor assists with data correction
- Portability Requests: Processor exports data in CSV/JSON format
Version: 1.0 – GDPR Compliant
Last Updated: January 2026
Effective Date: Upon acceptance by both parties
Jurisdiction: Lithuania / GDPR (EU Regulation 2016/679)
Acknowledgment:
This Data Processing Agreement incorporates the principles and requirements of GDPR Article 28 and is compliant with GDPR requirements for controller-processor relationships. Both parties acknowledge that they have read, understood, and agree to be bound by the terms of this DPA.
Signature Authority:
This DPA is accepted automatically when the customer agrees to the Terms of Service. Digital execution is valid and binding. For questions or disputes regarding this DPA, both parties agree to the dispute resolution procedures outlined in the main Terms of Service.