Last updated: 2026-04-07 · Version 1.0
This Data Processing Addendum ("DPA") forms part of the Master Service Agreement and Terms of Service (the "Agreement") between Yll Aliu B.I., trading as ARBK Atlas ("Processor", "we"), and the customer entity that has accepted the Agreement ("Controller", "Customer"). It governs the Processor's processing of Personal Data on behalf of the Controller in the course of providing the ARBK Atlas Service.
For the purposes of this DPA, the following definitions apply:
"Personal Data", "Data Subject", "Processing", "Controller", "Processor" and "Sub-processor" have the meanings given to them in the GDPR.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
"Kosovo DPA" means the Republic of Kosovo Law No. 06/L-082 on Personal Data Protection.
"Customer Data" means any Personal Data that the Processor processes on behalf of the Controller under the Agreement, including end-user account data, authentication metadata, support communications and audit logs.
"TOMs" means the technical and organisational measures implemented by the Processor as described in Section 7.
"Service" means the ARBK Atlas platform, including search, lookup, monitoring, alerts, exports, API access and account administration features made available to the Customer under the Agreement.
The subject matter of the Processing is the Customer Data necessary for the Processor to provide the Service to the Controller in accordance with the Agreement.
This DPA applies for the term of the Agreement and any retention period defined in Section 12 below. Obligations that by their nature should survive termination (including confidentiality, audit, deletion and breach notification) shall survive accordingly.
The Processor will process Customer Data solely for the purpose of providing the Service, which includes: full-text and structured search of the Albanian (Kosovo) business registry, individual business lookup, watchlists and monitoring, scheduled and ad-hoc alerts, data export, programmatic API access, billing administration via the Merchant of Record, and account administration (authentication, plan management, support).
The Processor will not process Customer Data for its own purposes, will not sell Customer Data, and will not use Customer Data to train machine-learning or generative-AI models.
The categories of Data Subjects and Personal Data processed under this DPA are as follows:
Data Subjects
Categories of Personal Data
Note: records contained in the Albanian business registry itself, including the personal data of business representatives and owners published by the public registry, are processed by the Processor as an independent Controller under its legitimate-interests legal basis (see the Privacy Policy). Such processing is outside the scope of this DPA.
The Controller warrants that it has a valid legal basis under the GDPR and/or Kosovo DPA for instructing the Processing of Customer Data, and that it has provided all information notices and obtained all consents required from Data Subjects.
The Processor will process Customer Data only on the documented instructions of the Controller. The Agreement, this DPA and the Customer's use of the Service constitute the Controller's documented instructions. Any additional instructions must be agreed in writing.
The Processor will ensure that personnel authorised to process Customer Data are subject to written confidentiality obligations and have received appropriate data-protection training.
The Processor will implement and maintain the TOMs described in Section 7 and will assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 GDPR, taking into account the nature of the Processing and the information available to the Processor.
The Controller grants the Processor general written authorisation to engage Sub-processors to perform specific Processing activities on its behalf. The current list of authorised Sub-processors is published at /subprocessors and includes Hetzner Online GmbH (hosting, Germany), Stripe Payments Europe, Ltd. (payment processing, Ireland), Microsoft Corporation (Azure transactional email) and Google LLC (OAuth and Google Analytics 4).
The Processor will give the Controller at least 30 days' prior notice (by updating the public Sub-processor list and, on request, by email) before adding or replacing a Sub-processor. The Controller may object to a proposed change on reasonable data-protection grounds. If the parties cannot resolve the objection in good faith, the Controller may terminate the affected portion of the Service without penalty.
The Processor will impose data-protection obligations on each Sub-processor that are no less protective than those set out in this DPA, and remains fully liable to the Controller for any failure of a Sub-processor to fulfil its obligations.
The Processor implements and maintains the following technical and organisational measures, designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access:
Encryption
Access control
Network security
Operational security
Data lifecycle
Backups
Incident response
Personnel
For a fuller technical description, see our Security Policy at /security.
Customer Data is hosted in Hetzner Online GmbH's data centres located in the Federal Republic of Germany, within the European Economic Area.
Certain authorised Sub-processors process limited Personal Data outside the European Union: Google LLC processes OAuth identifiers and analytics data in the United States. Stripe Payments Europe, Ltd. is established in Ireland (within the EU); limited payment data may be processed by its affiliate Stripe, Inc. (USA) under the European Commission's Standard Contractual Clauses.
Transfers from European Union or European Economic Area Controllers to the Processor (whose central administration is in the Republic of Kosovo, a third country for GDPR purposes) are made under the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), Module Two (Controller-to-Processor), which are deemed incorporated by reference into this DPA. The Processor will assist the Controller in completing any required transfer impact assessment and will maintain supplementary measures where appropriate.
The Processor will notify the Controller without undue delay, and in any case within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Data.
The notification will, to the extent then known, include: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, the measures taken or proposed to address the breach and mitigate its possible adverse effects, and the contact details of the Processor's data-protection contact.
The Processor will cooperate with the Controller and provide such reasonable assistance as the Controller may require to comply with its own breach-notification obligations under Articles 33 and 34 GDPR.
Taking into account the nature of the Processing, the Processor will assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests from Data Subjects to exercise their rights under Articles 12 to 22 GDPR and the equivalent provisions in Articles 12 to 22 of the Kosovo DPA, including the rights of access, rectification, erasure, restriction of processing, data portability and objection.
Standard request handling is included at no additional charge. Bulk, repetitive or manifestly unfounded requests may be invoiced at the Processor's reasonable cost.
Where the Processor receives a Data Subject request directly relating to Customer Data, it will not respond on the merits and will instead promptly forward the request to the Controller.
The Processor will make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and Article 28 of the Kosovo DPA, and will allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
Audits may be conducted at the Controller's own cost, on at least 30 days' written notice, no more than once per calendar year (save where required by a competent supervisory authority or following a Personal Data Breach), during normal business hours, in a manner that does not unreasonably interfere with the Processor's operations, and subject to confidentiality obligations.
The Processor may satisfy its audit obligations by providing third-party audit reports (such as SOC 2 Type II or equivalent) where these reasonably address the Controller's audit objectives.
Upon termination or expiry of the Agreement, the Processor will, at the Controller's choice, return all Customer Personal Data to the Controller in a commonly used machine-readable format, or delete all Customer Personal Data, within 30 days, except to the extent that retention is required by applicable Union or Kosovo law.
Where retention is legally required, the Processor will inform the Controller of the legal basis for retention and will ensure that retained Customer Data is stored confidentially and not further processed.
On written request, the Processor will provide written confirmation that deletion has been completed.
Each party's liability arising out of or in connection with this DPA is subject to, and counts towards, the limitations and exclusions of liability set out in the underlying Agreement.
Nothing in this DPA limits or excludes either party's liability where such limitation or exclusion is prohibited by applicable mandatory data-protection law.
This DPA is governed by, and construed in accordance with, the laws of the Republic of Kosovo, without regard to conflict-of-laws principles.
The competent courts of Pristina shall have exclusive jurisdiction over any dispute arising out of or in connection with this DPA, except where overridden by mandatory consumer-protection or data-protection rules of the Customer's jurisdiction.
Enterprise customers requiring a counter-signed copy of this DPA should email [email protected] with: (i) the legal entity name of the Controller, (ii) its registered address, (iii) the name and title of the authorised signatory, and (iv) any country-specific annexes required.
We will counter-sign and return the DPA within five (5) business days of receipt of a complete request.
Questions concerning this DPA should be directed to:
This DPA is governed by the laws of the Republic of Kosovo. The competent courts of Pristina have exclusive jurisdiction, subject to mandatory consumer- and data-protection rules.
General contact: [email protected]