Data Processing Agreement (DPA)
Last updated: 24 June 2026
This Data Processing Agreement ("DPA") forms an integral part of the Synux Terms and Conditions and applies whenever [company name] (the "Provider", "we", the "Processor") processes personal data on behalf of the customer (the "Customer", the "Controller") in connection with the use of the Synux platform.
The purpose of this DPA is to set out the parties' obligations under Regulation (EU) 2016/679 ("GDPR") and applicable data protection law. In the event of a conflict between this DPA and the Terms, this DPA prevails with regard to the processing of personal data.
1. Definitions
"Controller", "Processor", "data subject", "personal data", "processing" and "personal data breach" have the meaning given in Article 4 GDPR.
"Sub-processor" means any third party engaged by the Provider to process personal data on behalf of the Customer. "Applicable law" means the GDPR and any national implementing legislation.
2. Roles of the parties
For personal data the Customer enters or collects through the platform about its own users, visitors or clients (e.g. traffic analytics data, security events), the Customer is the Controller and the Provider acts as Processor.
For the Customer's account and billing data (name, email, login credentials, payment data), the Provider acts as an independent controller, as described in the Privacy Policy.
3. Subject matter, duration, nature and purpose of processing
The subject matter of the processing is the personal data provided or generated through the use of the monitoring, security, analytics and reporting services of the Synux platform.
The nature and purpose of the processing is to provide the platform's functionality according to the Customer's instructions (uptime monitoring, traffic analytics, security event logging, generating reports and notifications).
The duration of the processing corresponds to the contractual term of the service, plus the retention periods set out in Annex A, after which the data is deleted or returned under section 12.
4. Categories of data and data subjects
Data categories: online identifiers (IP addresses, truncated where applicable), device and browser data, pages visited and aggregated usage data, security events and, where applicable, the data the Customer chooses to send to the platform.
Categories of data subjects: visitors and users of the websites the Customer monitors, and the Customer's representatives who administer the account.
5. Processor obligations
We process personal data only on the Controller's documented instructions, including with regard to transfers, unless required to do so by law; in that case we will inform the Controller before processing, unless the law prohibits it.
We ensure that persons authorised to process the data have committed to confidentiality or are under a statutory obligation of confidentiality.
We implement the technical and organisational measures required by Article 32 GDPR (Annex B) and assist the Controller with its obligations under sections 10 and 11.
We make available to the Controller the information necessary to demonstrate compliance and allow for audits as set out in section 13.
6. Controller obligations
The Controller warrants that it has a legal basis for processing the personal data and for transferring it to the Processor, and that its instructions comply with applicable law.
The Controller is responsible for the accuracy, quality and lawfulness of the personal data and the means by which it was obtained.
7. Security of processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, detailed in Annex B.
8. Sub-processors
The Controller grants a general authorisation for the use of sub-processors. The current list of sub-processors is set out in Annex C.
We will inform the Controller of any intended addition or replacement of a sub-processor, giving the opportunity to object on reasonable grounds within a reasonable period.
We impose on each sub-processor, by contract, data protection obligations equivalent to those in this DPA. We remain liable to the Controller for the performance of our sub-processors' obligations.
9. International transfers
We process and store personal data within the European Union / European Economic Area. If a transfer outside the EEA becomes necessary, it will only take place on the basis of a valid transfer mechanism under the GDPR (e.g. an adequacy decision or the standard contractual clauses).
10. Assistance to the Controller
Taking into account the nature of the processing, we assist the Controller, by appropriate technical and organisational measures, in fulfilling its obligation to respond to data subject requests to exercise their rights (access, rectification, erasure, restriction, portability, objection).
We assist the Controller in ensuring compliance with the obligations relating to security, breach notification, data protection impact assessments (DPIA) and prior consultation of the supervisory authority, within the limits of the information available to us.
11. Personal data breach notification
If we become aware of a personal data breach, we notify the Controller without undue delay, providing the information reasonably available to enable the Controller to meet its own obligations to notify the authority and, where applicable, the data subjects.
12. Deletion and return of data
On termination of the services, at the Controller's choice, we delete or return all personal data and delete existing copies, unless applicable law requires their retention.
Data remaining in logs or backups is removed in line with our retention and backup rotation cycles.
13. Audit and compliance
We make available to the Controller the information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by it, with reasonable prior notice and subject to the confidentiality and security of other customers.
14. Liability
Each party's liability under this DPA is governed by the limitation of liability provisions in the Synux Terms and Conditions, to the extent permitted by applicable law.
15. Term and changes
This DPA remains in effect for the duration of the processing of personal data on behalf of the Controller. We may update this DPA to reflect changes in law or in the services; the applicable version is the one published on this page, with the last-updated date shown above.
16. Contact
For any request relating to data protection or this DPA, you can contact us at contact@coolweb.ro. Operator: [company name], VAT [CUI], reg. no. [J__/____/____], with registered office at [registered office address].
Annex A — Details of the processing
Subject matter: provision of the Synux monitoring, security, analytics and reporting services.
Duration: for the contractual term of the service, plus the applicable retention periods (e.g. analytics data and security events are kept for limited windows and then removed).
Nature and purpose: collecting, storing, structuring, analysing and displaying data to provide the platform's functionality according to the Controller's instructions.
Data types: online identifiers, device/browser data, usage data and security events. Categories of data subjects: visitors and users of monitored websites, representatives of the Controller.
Annex B — Technical and organisational measures
Encryption of data in transit (TLS/HTTPS) and secure storage of credentials (passwords stored as hashes).
Role-based access control, two-factor authentication available, and session management.
Per-account data isolation, access rate limiting and logging of relevant security events.
Retention policies with periodic data removal, backups and restore procedures.
Organisational measures: data minimisation, need-to-know access and confidentiality obligations for staff.
Annex C — Sub-processors
Infrastructure and hosting provider — Hetzner Online GmbH (data centres in the European Union).
Payment processor — Netopia (NETOPIA Financial Services), for collecting payments where applicable.
Transactional email provider — for delivering notifications and system emails.
An up-to-date list of sub-processors is available on request at contact@coolweb.ro.