Data Processing Agreement

This Data Processing Agreement (DPA) governs the processing of personal data by Rapoport Studio SRL on behalf of its clients in connection with the services described in the Terms of Engagement.

Parties

This DPA is entered into between the client (Data Controller) and Rapoport Studio SRL, a Moldovan limited liability company (Data Processor). The DPA forms part of and is incorporated into the project agreement between the parties.

Scope and purpose

Rapoport Studio processes personal data solely to the extent necessary to deliver the contracted services. The nature, purpose, and categories of data processed are defined in the project agreement. Processing occurs only on documented instructions from the Controller.

Sub-processors

Rapoport Studio uses infrastructure sub-processors to deliver its services, including Supabase (database hosting) and Cloudflare (CDN and analytics). A current list of sub-processors is available at /legal/sub-processors. No sub-processor is granted access to Controller data beyond what the contracted service requires.

Data subject rights

Rapoport Studio will assist the Controller in responding to data subject requests under GDPR and Moldova Law 133/2011 within the timeframes required by applicable law. The Controller remains responsible for communicating with data subjects and for determining the lawful basis of processing.

Security measures

Rapoport Studio implements appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. Measures include encrypted data at rest and in transit, access controls limited to personnel with a need to know, and regular review of security practices.

Audit rights

The Controller may, upon 30 days' written notice and at its own cost, audit Rapoport Studio's compliance with this DPA no more than once per calendar year. Rapoport Studio will provide reasonable cooperation and access to relevant documentation. Audits must not unreasonably disrupt ongoing service delivery.

Sub-processor change notification

Rapoport Studio will notify the Controller at least 14 days before adding or replacing a sub-processor. The Controller may object to the change within that period on reasonable grounds related to data protection. If the parties cannot resolve the objection, either party may terminate the affected services without penalty.

Term and termination

This DPA remains in effect for the duration of the project agreement. It terminates automatically upon expiry or termination of the project agreement, subject to the return and deletion obligations below.

Return and deletion of data

Upon termination, Rapoport Studio will, at the Controller's election, return all Controller personal data in a portable format or securely delete it within 30 days, and certify deletion in writing. Rapoport Studio may retain copies only to the extent required by applicable law, for the minimum period so required.

Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Engagement. Rapoport Studio's liability for data processing is limited to direct damages caused by its breach of this DPA. The Controller indemnifies Rapoport Studio against claims arising from processing instructions that violate applicable data protection law.