Data Processing Agreement
Last Updated: 4 July, 2025
This Data Processing Agreement (“Agreement”) is entered into between the User (“Data Controller”) and MB “Su Idėja” (“Company” or “Data Processor”) for the purpose of setting the terms and conditions under which the Data Processor will process Personal Data on behalf of the Data Controller in connection with the QualifyHQ platform and its associated services (“Services”).
This Agreement governs all aspects of Data Processing carried out by the Data Processor on behalf of the Data Controller, as required under Article 28 of the EU General Data Protection Regulation (2016/679) ("GDPR"). The provisions of this Agreement are incorporated by reference into the Terms of Service and any other agreements between the Parties.
By using the Services, the Data Controller confirms that the Data Processor is authorized to process Personal Data in accordance with the terms set forth in this Agreement.
In the event of a conflict or any inconsistency between this Agreement and any other document or agreement governing the use of the Services, the terms of this Agreement shall prevail.
DEFINITIONS
1.1 Unless expressly stated otherwise in the Terms of Service, terms used in this Agreement shall have the meanings set forth in the GDPR.
1.2 In the event of any conflict or ambiguity between definitions in the GDPR and those in the Terms of Service, the definitions provided in the GDPR shall prevail with respect to the processing of Personal Data.
SUBJECT MATTER
2.1 The Data Processor shall Process the Data only on documented instructions from the Data Controller, including with regard to transfers of Data to a third country or an international organization, unless required to do so by EU or Member State law to which the Data Processor is subject. The instructions from the Data Controller to the Data Processor shall be attached to this Agreement as an Annex.
DATA SECURITY
3.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The Data Processor shall ensure that persons authorized to process the Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
OTHER DATA PROCESSORS
4.1 The Data Controller provides the Data Processor with a general written authorization to engage other data processors to process Data under this Agreement. Where the Data Processor engages another data processor to carry out specific processing activities on behalf of the Data Controller, the same data protection obligations as set out in this Agreement are imposed on that other data processor by contract, in particular the obligation to provide sufficient assurance that appropriate technical and organizational measures will be put in place in such a way as to ensure that the processing of the Data complies with the requirements of the GDPR. Where that other data processor fails to comply with the data protection obligations, the Data Processor remains fully responsible to the Data Controller for the performance of the obligations of that other data processor.
DATA SUBJECT’S RIGHTS
5.1 The Data Processor, taking into account the nature of the processing, shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the Data Subjects’ rights laid down in the GDPR.
ASSISTANCE TO THE DATA CONTROLLER
6.1 The Data Processor shall, taking into account the nature of the processing and the information available to it, assist the Data Controller in ensuring compliance with the obligations set out in Articles 32 (“Security of processing”), 33 (“Notification of a personal data breach to the supervisory authority”), 34 (“Communication of a personal data breach to the data subject”), 35 (“Data protection impact assessment”), and 36 (“Prior consultation”) of the GDPR.
COMPLIANCE AND AUDITS
7.1 The Data Processor shall provide the Data Controller with all information necessary to demonstrate compliance with the obligations laid down in this Agreement and shall enable and assist the Data Controller or any other auditor authorized by the Data Controller to carry out audits, including inspections.
DELETION AND RETURN OF DATA
8.1 Upon completion of the provision of the services related to the processing of Data, the Data Processor shall, at the option of the Data Controller, erase or return to the Data Controller all the Data and delete existing copies of the Data, except where retention of the Data is required by law.
TERM
9.1 The provisions of this Agreement shall apply to the extent the Data Processor processes Data on behalf of the Data Controller. The obligations of the Parties under Section 8 of the Agreement (“Deletion and Return of Data”) shall remain in effect after the expiration or termination of this Agreement.
MISCELLANEOUS
10.1 This Agreement shall be governed by and construed in accordance with the substantive law of the Republic of Lithuania. All and any disputes or claims arising from this Agreement shall be settled in the courts of the Republic of Lithuania.
10.2 In case of discrepancies between this Agreement and any other agreements between the Parties governing the processing of Data, this Agreement shall prevail.
10.3 Instructions of the Data Controller to the Data Processor are attached as an annex to this Agreement and shall constitute an integral part of it.
INSTRUCTIONS OF THE DATA CONTROLLER TO THE DATA PROCESSOR
Subject matter of the Processing | Provision of the QualifyHQ platform services, including but not limited to the AI-driven analysis, company identification, matching, and related functionalities |
Nature and purpose of the Processing | Fulfilling obligations under the Terms of Service. This includes providing company matching services, conducting data analysis, generating verification evidence, and assisting in business development, sales prospecting or market research |
Categories of Data | Contact details (such as names, email addresses, phone numbers, job titles), company-related data (such as company name, business sector, address), and any other similar data submitted by the Data Controller |
Categories of Data Subjects | Employees, contractors, or representatives of companies being analyzed or matched on the QualifyHQ platform, including individuals whose company or business data is submitted for analysis |
Duration of the Processing | The Data Processor will retain and process Personal Data only for as long as necessary to fulfill the purposes outlined in this Agreement. In cases where Personal Data is subject to legal obligations, dispute resolution, or enforcement of agreements, the Data Processor will retain the data for the minimum period required by law or regulation |