Last updated:
This DPA forms an integral part of the Terms of Use.
By accepting the Terms of Use at registration or by continuing to use the service, you enter into this DPA with the Processor.
1. Parties and scope
Processor: FOP Babmyndra Oleksandr Oleksandrovych (Cowculator), address: Slyvyne, Tsentralna St., 53. Controller: the Cowculator customer who collects personal data through their public calculators/forms.
The specific Controller’s details are defined in the customer’s organization profile and constitute Appendix 1 to this DPA.
2. Subject and duration
Processing of the Controller’s end‑user personal data by the Processor is carried out solely for the purpose of providing the Cowculator service. This DPA remains in force for the term of service use and until all data‑handling operations are completed in accordance with this document.
3. Nature and purpose of processing
Hosting, storage, routing, rendering, and transmission of form/calculator data; product performance and stability analytics; backup and recovery; notifications about new submissions.
4. Types of data and data subjects
Types of data: form data (fields, attachments), technical metadata (timestamp, URL, calculator identifier, IP/UA where applicable). Data subjects: the Controller’s visitors/customers interacting with public calculators.
5. Controller’s instructions
The Processor processes personal data only on the Controller’s documented instructions, including for transfers to third countries where applicable and lawfully grounded. If an instruction conflicts with applicable law, the Processor will inform the Controller.
6. Processor’s obligations
- ensure confidentiality and appropriate training of personnel with access to data;
- implement appropriate technical and organizational security measures (see “Security (TOMs)”);
- maintain records of processing activities and provide necessary information to demonstrate compliance;
- not engage subprocessors without following the procedure set out in this DPA.
7. Security (TOMs)
The Processor applies technical and organizational measures proportionate to risk, including: TLS in transit; access control and least‑privilege principles; 2FA for administrators; RLS/ACL policies in the database; tenant data segmentation (multi‑tenant); backup and tested restore; access/event logging; incident monitoring and response procedures. Details: /security.
8. Subprocessors
The Controller grants a general authorization to engage subprocessors, the list of which is published at /subprocessors. The Processor typically provides 15 days’ prior notice of any addition or replacement; the Controller has the right to raise reasonable objections.
9. International transfers
Where processing involves transfers outside the EEA/UK/Switzerland to a country without an adequacy decision, the Processor will implement appropriate safeguards, including the EU Standard Contractual Clauses (SCC 2021/914), and additional measures where necessary.
10. Assistance to the Controller
The Processor will provide reasonable assistance to the Controller in fulfilling obligations regarding security, incident notifications, conducting DPIAs, and consultations with supervisory authorities, to the extent required and proportionate to the Processor’s role.
11. Incident notification
In the event of a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data, the Processor will notify the Controller without undue delay after becoming aware and will provide available relevant information.
12. Audits and inspections
Upon the Controller’s request, the Processor will provide information necessary to demonstrate compliance with this DPA, including access to independent audit/test reports (where available). Where reasonably required, the Controller may initiate an on‑site audit upon prior written notice and within reasonable timeframes, subject to the Processor’s confidentiality and security requirements.
13. Return and deletion of data
Upon termination of services or upon the Controller’s written request, the Processor will delete or return personal data without undue delay, unless retention is required by applicable law or reasonably necessary to protect legal claims for a limited retention period.
14. Liability and precedence
Each party is responsible, within its role (Controller/Processor), for compliance with applicable data‑protection law. In the event of conflict between this DPA and other terms, the provisions of this DPA prevail with respect to personal‑data processing.
15. Governing law and jurisdiction
This DPA is governed by the law of Ukraine. Exclusive jurisdiction — the court of Mykolaiv, unless mandatory rules provide otherwise.
Appendix 1 — Controller details
Defined by the organization profile in the Cowculator builder (name, link to privacy policy, contact email — taken from the Controller’s provided privacy policy). At the time of Terms acceptance, a snapshot of these details is stored and forms part of the executed DPA.
Appendix 2 — Technical and organizational measures
- TLS encryption in transit; platform‑level encryption/isolation at rest where applicable.
- Access management, least‑privilege principle, 2FA for administrators.
- RLS/ACL in the database; tenant data segmentation (multi‑tenant).
- Regular backups and restore verification.
- Access/event logging, incident monitoring, response procedures.
- Change control, code review, separate environments (prod/stage).
Appendix 3 — Subprocessors
The current list of subprocessors is published at https://cowculator.app/subprocessors and is updated when changes occur.
