Data Processing Addendum
Effective date: 10.6.2026
Last updated: 10.6.2026
This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, the Terms of Service between GettingData OÜ, Estonian registry code 16805326 ("Funktio", "we", "us"), and the customer agreeing to those Terms ("Customer", "you"). It governs our processing of personal data that you provide to us, where you act as a controller (or processor) and we act as your processor (or sub-processor).
Where there is any conflict between this DPA and the Terms of Service on the subject of personal-data processing, this DPA prevails. Capitalised terms not defined here have the meaning given in the Terms of Service.
This DPA is drafted to satisfy Art. 28(3) GDPR. It is incorporated into the Terms of Service by reference and is accepted when you accept those Terms; no separate signature is required. On request, we will provide a copy for separate execution.
1. Definitions
- "GDPR" means Regulation (EU) 2016/679 and, where applicable, the UK GDPR and the UK Data Protection Act 2018.
- "Controller", "processor", "data subject", "personal data", "processing", and "personal data breach" have the meanings given in the GDPR.
- "Customer Personal Data" means personal data contained in the materials, project information, or other data you provide to us, that we process on your behalf to provide the Service.
- "Sub-processor" means a third party engaged by us to process Customer Personal Data.
2. Roles of the parties
In respect of Customer Personal Data, you are the controller (or, where you are yourself a processor for a third party, the processor) and we are your processor (or sub-processor). Each party will comply with its obligations under applicable data-protection law. You are responsible for the lawfulness of the Customer Personal Data you provide and of your instructions to us, including having a valid legal basis and providing any required notices to data subjects.
Personal data for which we determine the purposes and means — such as account and billing data, and our own product analytics — is processed by us as a controller under our Privacy Policy, and is not Customer Personal Data subject to this DPA.
3. Scope and instructions
We will process Customer Personal Data only:
- to provide, secure, maintain, and support the Service;
- in accordance with your documented instructions, including those set out in this DPA, the Terms of Service, and your use of the Service's features; and
- as required by applicable law, in which case we will inform you of that legal requirement before processing unless the law prohibits it on important grounds of public interest.
If we believe an instruction infringes applicable data-protection law, we will inform you. We will not "sell" Customer Personal Data or process it for our own independent purposes, including training our own or third parties' AI models.
The subject matter, duration, nature and purpose of processing, the categories of data subjects, and the types of personal data are set out in Annex 1.
4. Confidentiality
We ensure that personnel authorised to process Customer Personal Data are bound by appropriate obligations of confidentiality and process the data only as necessary to provide the Service.
5. Security
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the nature of the processing, and the risks to data subjects, as described in Annex 2 and in Section 12 of our Privacy Policy. We regularly review these measures and may update them provided the level of protection is not materially reduced.
6. Sub-processors
You provide general authorisation for us to engage Sub-processors to process Customer Personal Data. Our current Sub-processors, their purposes, and locations are listed in the Sub-processors table in Section 6 of our Privacy Policy, which forms Annex 3 to this DPA.
We will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance. We will give you at least 14 days' notice of any intended addition or replacement of a Sub-processor before it begins processing Customer Personal Data, and you may object on reasonable data-protection grounds within that period, in which case we will work with you in good faith to find a resolution.
7. Assistance to you
Taking into account the nature of the processing, we will assist you by:
- providing reasonable assistance, using appropriate technical and organisational measures, to help you respond to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability, and objection). If we receive such a request directly, we will forward it to you and not respond ourselves except as legally required or as you instruct;
- assisting you in ensuring compliance with your obligations relating to security (Art. 32), personal-data-breach notification (Arts. 33–34), and data protection impact assessments and prior consultation (Arts. 35–36), taking into account the information available to us.
We may charge a reasonable fee for assistance that goes materially beyond standard product functionality, and will tell you in advance.
8. Personal data breaches
We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and provide information reasonably available to us to help you meet your own notification obligations. We will take reasonable steps to mitigate and, where possible, remediate the breach.
9. International transfers
Where our provision of the Service involves transferring Customer Personal Data outside the EEA or the UK (including to Sub-processors in the United States, as identified in Annex 3), we will ensure an appropriate transfer mechanism is in place, such as the European Commission's Standard Contractual Clauses (the "SCCs") and, for UK transfers, the UK International Data Transfer Addendum (the "UK Addendum"), or reliance on an adequacy decision (including the EU-US Data Privacy Framework) where applicable.
Incorporation. Where the SCCs apply to a transfer, they are incorporated into this DPA by reference and form part of it, with this DPA and its Annexes completing the information they require. No separate signature is required; the SCCs take effect when you accept the Terms of Service. On request, we will provide a separately completed copy of the SCCs for a specific transfer.
Module selection. Because your role may differ from one engagement to another, the applicable SCC module is determined by the parties' roles for the relevant processing:
- Module Two (controller-to-processor) applies where you are a controller of the Customer Personal Data; and
- Module Three (processor-to-processor) applies where you are yourself a processor acting for a third-party controller and we act as your sub-processor.
SCC options. For the SCCs as incorporated:
- the optional docking clause (Clause 7) applies;
- for Clause 9 (use of sub-processors), Option 2 (general written authorisation) applies, with changes notified in accordance with Section 6 of this DPA;
- the optional redress wording in Clause 11(a) does not apply;
- for Clause 17 (governing law) and Clause 18 (choice of forum and jurisdiction), the law and the courts of Estonia apply;
- Annex I of the SCCs is completed by Annex 1 of this DPA; the competent supervisory authority (Annex I.C) is the authority competent for you as data exporter or, where you are not established in the EEA, the Estonian Data Protection Inspectorate; and Annex II of the SCCs is completed by Annex 2 of this DPA.
UK transfers. For transfers subject to the UK GDPR, the SCCs are completed and amended by the UK Addendum, which is incorporated by reference on the same basis.
10. Audit
We will make available to you information reasonably necessary to demonstrate compliance with Art. 28 GDPR and this DPA, and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate. To minimise disruption, audits will be on reasonable prior notice, no more than once per year (unless required by a supervisory authority or following a breach), during business hours, subject to confidentiality, and may be satisfied by our providing relevant documentation or third-party reports where available.
11. Deletion and return
On termination of the Service, and at your choice, we will delete or return Customer Personal Data and delete existing copies, unless applicable law requires us to retain it. Routine deletion follows the retention periods in Section 9 of our Privacy Policy. Data held in backups is deleted in accordance with our backup-rotation cycle.
12. Liability and general
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. This DPA takes effect on the effective date of the Terms and remains in force for as long as we process Customer Personal Data. If any provision is found unenforceable, the remainder continues in effect.
Annex 1 — Details of processing
| Subject matter | Provision of the Software Factory service (scoping, building, deploying, revising, delivering, and hosting custom software). |
| Duration | For the term of the Terms of Service and until deletion or return of Customer Personal Data under Section 11. |
| Nature and purpose | Storage, hosting, transmission, analysis, and other processing necessary to design and build the Customer's application, and to communicate about and support the engagement. |
| Types of personal data | Any personal data contained in the project information, materials, files, and communications the Customer chooses to provide. The Customer controls what it submits and should avoid submitting special-category data. |
| Categories of data subjects | Determined by the Customer; may include the Customer's own staff, contractors, customers, or other individuals referenced in the materials provided. |
| Special-category data | Not intended to be processed; the Customer agrees not to submit it without prior written agreement on additional safeguards. |
Annex 2 — Technical and organisational measures
The security measures described in Section 12 of the Privacy Policy apply, including encryption in transit and at rest, access controls, isolation of customer environments, and audit logging.
Annex 3 — Sub-processors
The list of Sub-processors is the Sub-processors table in Section 6 of the Privacy Policy, as updated from time to time in accordance with Section 6 of this DPA.
Contact
GettingData OÜ (Estonian registry code 16805326)
Lõõtsa tn 2a, Lasnamäe linnaosa, 11415 Tallinn, Harju maakond, Estonia
Data protection: johannes@funktio.ai
