Data Processing Agreement (DPA)
This Data Processing Agreement (“Agreement”) is entered into between:
(1) The Customer (“Controller”), being the legal entity or individual that subscribes to and uses the ArgonStack platform and related services; and
(2) ArgonStack (“Processor”), a company headquartered in Athens, Greece, operating under Greek law, with email contact info@argonstack.gr.
Together referred to as “the Parties.”
1. Purpose and Scope
This Agreement governs the processing of personal data by ArgonStack on behalf of the Customer in connection with the provision of its software platform and related services (“Services”).
The purpose of the processing is to enable the Customer to manage contacts, communications, marketing, scheduling, automation, and other CRM-related activities within the ArgonStack platform.
ArgonStack acts solely as a Data Processor, processing personal data only under documented instructions from the Customer.
2. Definitions
The terms used in this Agreement have the meanings given in Regulation (EU) 2016/679 (GDPR):
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation performed on Personal Data, such as collection, storage, or deletion.
- “Controller” means the entity that determines the purposes and means of processing.
- “Processor” means the entity that processes Personal Data on behalf of the Controller.
- “Sub-Processor” means a third party engaged by the Processor to assist in processing Personal Data.
- “Data Subject” means the individual to whom the Personal Data relates.
3. Processor Obligations
ArgonStack shall:
a) Process Personal Data only on documented instructions from the Customer.
b) Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
c) Implement appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk, including encryption, access control, backups, and incident response.
d) Notify the Customer without undue delay after becoming aware of a personal data breach.
e) Assist the Customer in responding to requests from data subjects (access, rectification, erasure, restriction, portability, objection).
f) Assist the Customer in ensuring compliance with Articles 32–36 of the GDPR (security, breach notification, impact assessment, prior consultation).
g) Delete or return all Personal Data to the Customer after the end of the processing, unless retention is required by law.
h) Maintain records of processing activities as required by Article 30(2) GDPR.
4. Sub-Processors
The Customer authorizes ArgonStack to engage Sub-Processors necessary for the operation of the platform, including infrastructure, hosting, and communication providers.
ArgonStack ensures that all Sub-Processors:
- Operate under written data processing agreements;
- Provide sufficient guarantees to implement appropriate technical and organizational measures;
- Comply with EU Standard Contractual Clauses (SCCs) for any transfer of data outside the European Economic Area (EEA).
ArgonStack maintains an updated list of Sub-Processors available upon request. Typical categories include:
- Cloud hosting and database providers;
- Email delivery and communication infrastructure;
- Analytics and security monitoring services.
ArgonStack remains fully responsible for the performance of each Sub-Processor.
5. International Data Transfers
If Personal Data is transferred outside the EEA, ArgonStack will ensure such transfers comply with Chapter V of the GDPR through:
a) The use of Standard Contractual Clauses approved by the European Commission; and/or
b) Engagement of providers certified under appropriate adequacy frameworks recognized by the EU.
6. Data Security
ArgonStack shall implement and maintain the following safeguards:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Two-factor authentication for administrative access.
- Access control based on least privilege.
- Continuous monitoring, audit logs, and regular vulnerability testing.
- Backup and recovery systems to prevent data loss.
- Procedures to ensure prompt detection and mitigation of incidents.
Details of these measures can be provided upon written request.
7. Data Breach Notification
In the event of a personal data breach, ArgonStack shall:
a) Notify the Customer without undue delay upon discovery.
b) Provide information regarding the nature of the breach, affected data, and corrective measures taken.
c) Cooperate with the Customer to fulfill its legal obligations toward supervisory authorities and data subjects.
8. Confidentiality
ArgonStack shall ensure that all personnel with access to Personal Data are bound by confidentiality obligations and act only on instructions from the Customer.
9. Audit Rights
The Customer may, upon reasonable notice, request information necessary to verify ArgonStack’s compliance with this Agreement.
Formal on-site audits may be conducted only where required by law or by a supervisory authority, and under mutual agreement to ensure minimal disruption of operations.
10. Liability and Indemnification
Each Party shall be liable for damages arising from its own acts or omissions that breach this Agreement or the GDPR.
ArgonStack’s total aggregate liability shall not exceed the total fees paid by the Customer under the main Service Agreement during the twelve (12) months preceding the event giving rise to liability.
11. Duration and Termination
This Agreement remains in effect for as long as ArgonStack processes Personal Data on behalf of the Customer.
Upon termination of the Service, all Personal Data shall be securely deleted or returned to the Customer within 90 days, unless retention is required by law.
12. Governing Law and Jurisdiction
This Agreement is governed by the laws of Greece.
Any dispute arising from or in connection with this Agreement shall fall under the exclusive jurisdiction of the Courts of Athens, Greece.
13. Entire Agreement
This Agreement forms part of the general Terms & Conditions between the Parties. In case of conflict, this DPA shall prevail regarding data protection matters.