Legal

Data Processing Agreement

This Data Processing Agreement (DPA) forms part of the Terms of Service and applies whenever KTESIBIOS processes personal data on behalf of an organization customer.

Draft — awaiting legal review

The wording on this page is a draft. Final wording is pending outside-counsel review (M-LEGAL) before launch.

Introduction

When an organization customer uses KTESIBIOS to design windchests, the organization is the controller of any personal data of its members and KTESIBIOS is the processor. This DPA describes the contractual obligations each side has under Article 28 of GDPR.

Scope of processing

KTESIBIOS processes personal data only to deliver the service to the controller: authenticating members, storing the projects and stop libraries the organization creates, and producing the DXF exports the controller requests. No personal data is processed for any other purpose.

Processor obligations

As processor we will implement appropriate technical and organisational security measures, will assist the controller in responding to data subject requests, will notify the controller without undue delay in the event of a personal data breach, and will make available the information necessary to demonstrate compliance with Article 28.

Subprocessors

KTESIBIOS engages a limited set of subprocessors to operate the service — listed on the Subprocessors page. We will notify the controller of any intended changes to that list, giving them an opportunity to object before the change takes effect.

International data transfers

Personal data is processed in EU regions by default. Where data is transferred outside the European Economic Area, the transfer is governed by the European Commission's Standard Contractual Clauses; the specific clauses applicable to each subprocessor are documented in the Subprocessors register.