DATA PROCESSING AGREEMENT (DPA)
Between Client and Star Products SRL (Starmaster Marketing)
Effective Date: __________
PARTIES
Data Controller (“Client”):
- Legal Name: ___________________________________
- Registration Number: ___________________________________
- Address: ___________________________________
- Contact Person: ___________________________________
- Email: ___________________________________
- Phone: ___________________________________
Data Processor (“Processor” or “Starmaster Marketing”):
- Legal Name: Star Products SRL
- Trading Name: Starmaster Marketing
- Registration Number: [INSERT COMPANY NUMBER]
- Address: [INSERT REGISTERED ADDRESS]
- Contact Person: [INSERT NAME]
- Email: [INSERT PRIVACY EMAIL]
- Phone: [INSERT PHONE NUMBER]
- Website: www.starmastermarketing.com
RECITALS
WHEREAS, the Client has engaged Starmaster Marketing to provide certain services as described in the Service Agreement dated [DATE] (“Main Agreement”);
WHEREAS, in the course of providing these services, Starmaster Marketing will process personal data on behalf of the Client;
WHEREAS, the parties wish to ensure that such processing complies with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection laws;
NOW, THEREFORE, the parties agree as follows:
1. DEFINITIONS AND INTERPRETATION
1.1 Definitions
For the purposes of this DPA:
“Applicable Data Protection Law” means:
- Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”)
- Romanian Law No. 190/2018 on data protection
- Any other applicable EU or national data protection legislation
“Client Personal Data” means any Personal Data processed by the Processor on behalf of the Client pursuant to or in connection with the Main Agreement.
“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the meanings given in the GDPR.
“Services” means the services provided by Starmaster Marketing as described in the Main Agreement, including but not limited to:
- Web design and development
- SEO services
- PR and reputation management
- Content creation
- Google My Business management
- Image revival services
- Any other marketing services
“Sub-processor” means any third-party processor engaged by Starmaster Marketing to process Client Personal Data.
1.2 Interpretation
- References to “Articles” are to Articles of the GDPR unless otherwise stated
- Headings are for convenience only and do not affect interpretation
- This DPA supplements the Main Agreement and does not replace it
- In case of conflict, this DPA takes precedence over the Main Agreement regarding data protection
2. SCOPE AND ROLES
2.1 Relationship of the Parties
For the purposes of Client Personal Data processing:
- The Client acts as the Controller (or as Processor if the Client is itself processing on behalf of another party)
- Starmaster Marketing acts as the Processor
2.2 Scope of Processing
This DPA applies to the processing of Client Personal Data by Starmaster Marketing in the course of providing the Services under the Main Agreement.
2.3 Client Responsibilities
The Client:
- Represents that it has all necessary rights to provide Client Personal Data to the Processor
- Is responsible for compliance with data protection laws in its role as Controller
- Shall ensure that it has obtained all necessary consents and provided all required notices for the Processor to process Client Personal Data as contemplated by the Main Agreement
- Is solely responsible for the accuracy, quality, and legality of Client Personal Data and the means by which the Client acquired it
3. DETAILS OF PROCESSING
3.1 Subject Matter
Processing of Client Personal Data in connection with the Services as described in the Main Agreement.
3.2 Duration
The duration of processing is for the term of the Main Agreement, plus any retention period required by law or agreed in the Main Agreement.
3.3 Nature and Purpose of Processing
The Processor will process Client Personal Data for the following purposes:
- Performance of the Services as described in the Main Agreement
- Compliance with the Processor’s legal obligations
- As reasonably necessary for the Processor’s legitimate business operations (e.g., internal record-keeping, quality assurance)
3.4 Type of Personal Data
Depending on the Services provided, Client Personal Data may include:
Contact Information:
- Names (employees, customers, contacts)
- Email addresses
- Phone numbers
- Postal/business addresses
- Company names and positions
Customer Data (if applicable to Services):
- Customer names and contact details
- Purchase history
- Website behavior data
- Demographics
- Preferences
Employee Data (if applicable):
- Staff contact information
- Role/position information
- Photos (for website/marketing materials)
Online Identifiers:
- IP addresses
- Cookie identifiers
- Website analytics data
- Social media identifiers
Marketing Data:
- Email engagement metrics
- Website visitor behavior
- Advertising interaction data
Other Data:
- Any other personal data provided by the Client in connection with the Services
- Photos, videos, audio recordings (for Image Revival Services)
3.5 Categories of Data Subjects
- Client’s employees and contractors
- Client’s customers and prospects
- Client’s business contacts
- Website visitors
- Newsletter subscribers
- Social media followers
- Other individuals whose data the Client provides
3.6 Special Categories of Data
The Processor does not anticipate processing Special Categories of Personal Data (as defined in Article 9 GDPR) unless:
- Specifically agreed in writing
- The Client has obtained explicit consent or has another legal basis
- Additional safeguards are implemented
If Special Categories of Data will be processed, this must be documented in Annex A with specific security measures.
4. PROCESSOR OBLIGATIONS
4.1 Compliance with Instructions
The Processor shall:
- Process Client Personal Data only on documented instructions from the Client, including regarding international transfers
- Inform the Client immediately if, in its opinion, an instruction infringes Applicable Data Protection Law
- Not process Client Personal Data for any purpose other than as instructed by the Client
Documented Instructions: The Client’s instructions are:
1. This DPA and its Annexes
2. The Main Agreement
3. Any additional written instructions provided by the Client from time to time
4.2 Confidentiality
The Processor shall ensure that:
- Persons authorized to process Client Personal Data are subject to confidentiality obligations (whether contractual or statutory)
- Such persons process Client Personal Data only as instructed by the Client
- Access to Client Personal Data is limited to those who need it to perform the Services
4.3 Security Measures
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:
Technical Measures:
- Pseudonymization and encryption of personal data
- Ongoing confidentiality, integrity, availability and resilience of processing systems
- Regular testing and evaluation of security measures
- Ability to restore availability and access to data after incidents
- Secure data backup and recovery procedures
- Access controls and authentication
- Firewalls and intrusion detection
- Anti-virus and anti-malware protection
- Secure data disposal procedures
Organizational Measures:
- Data protection policies and procedures
- Staff training on data protection
- Access control policies (role-based access, least privilege principle)
- Incident response procedures
- Business continuity and disaster recovery plans
- Vendor management procedures
- Regular security audits and reviews
Current security measures are detailed in Annex B.
4.4 Sub-processing
4.4.1 General Authorization
The Client provides general authorization for the Processor to engage Sub-processors. Current Sub-processors are listed in Annex C.
4.4.2 Sub-processor Requirements
The Processor shall:
- Conduct due diligence on all Sub-processors
- Impose data protection obligations on Sub-processors that are no less protective than this DPA
- Ensure Sub-processors provide sufficient guarantees of appropriate security measures
- Remain fully liable to the Client for Sub-processor performance
4.4.3 Notification of Changes
The Processor shall:
- Notify the Client of any intended changes (additions or replacements) to Sub-processors
- Provide at least 30 days’ advance notice
- Update Annex C accordingly
4.4.4 Client Objection Right
The Client may object to a new or replacement Sub-processor on reasonable data protection grounds by notifying the Processor within 14 days of notification. If the Client objects:
- The parties shall discuss in good faith
- If no resolution is reached, the Client may terminate the affected Services with 30 days’ notice without penalty
4.5 Data Subject Rights
4.5.1 Assistance to Client
The Processor shall, taking into account the nature of processing, assist the Client by implementing appropriate technical and organizational measures to fulfill the Client’s obligations to respond to Data Subject requests to exercise their rights under Applicable Data Protection Law, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Rights related to automated decision-making (Article 22)
4.5.2 Forwarding Requests
If the Processor receives a Data Subject request directly:
- The Processor shall forward it to the Client without undue delay (within 2 business days)
- The Processor shall not respond directly to the Data Subject unless authorized by the Client
- The Processor may notify the Data Subject that they should direct requests to the Client
4.5.3 Assistance Fees
The Processor shall provide reasonable assistance at no additional charge. If assistance requires significant additional work beyond the scope of the Services, the Processor may charge reasonable fees agreed in advance.
4.6 Personal Data Breach
4.6.1 Notification to Client
The Processor shall notify the Client without undue delay (and in any event within 24 hours) after becoming aware of a Personal Data Breach affecting Client Personal Data.
4.6.2 Breach Notification Content
The notification shall include, to the extent possible:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of personal data records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact point for further information
4.6.3 Investigation and Remediation
The Processor shall:
- Investigate the breach and provide regular updates
- Take reasonable steps to mitigate the breach
- Cooperate with the Client’s investigation
- Provide all information necessary for the Client to notify authorities/Data Subjects if required
- Document all breaches, including facts, effects, and remedial actions
4.6.4 No Acknowledgment of Liability
Notification of a breach under this section does not constitute acknowledgment of fault or liability.
4.7 Data Protection Impact Assessment (DPIA)
The Processor shall provide reasonable assistance to the Client in conducting DPIAs when required under Article 35 GDPR, including providing:
- Description of processing operations
- Assessment of necessity and proportionality
- Information about security measures
- Other information reasonably requested
4.8 Prior Consultation
The Processor shall provide reasonable assistance to the Client in fulfilling obligations to consult with Supervisory Authorities under Article 36 GDPR if required.
4.9 Records of Processing Activities
The Processor shall maintain accurate and up-to-date records of processing activities as required by Article 30 GDPR, including:
- Name and contact details of the Processor and each Sub-processor
- Categories of processing carried out on behalf of each Controller
- Where applicable, international data transfers with documentation of safeguards
- General description of technical and organizational security measures
These records shall be made available to the Client or Supervisory Authorities upon request.
5. INTERNATIONAL DATA TRANSFERS
5.1 Transfer Restrictions
The Processor shall not transfer Client Personal Data outside the European Economic Area (EEA) without:
- Prior written authorization from the Client, AND
- Appropriate safeguards in place as required by Chapter V GDPR
5.2 Authorized Transfers
The following international transfers are authorized:
Countries with Adequacy Decisions:
- Transfers to countries deemed adequate by the European Commission are permitted
Standard Contractual Clauses (SCCs):
- The Processor may transfer data to Sub-processors using EU Standard Contractual Clauses
- Current SCC-covered transfers are listed in Annex C
Other Safeguards:
- Binding Corporate Rules (if applicable)
- Approved Codes of Conduct or Certification mechanisms
- Other mechanisms approved under Article 46 GDPR
5.3 Obligations for Transfers
For transfers to countries not covered by an adequacy decision, the Processor shall:
- Execute appropriate transfer mechanisms (e.g., SCCs)
- Ensure Sub-processors in third countries provide adequate safeguards
- Inform the Client of any inability to comply with transfer requirements
- Assist the Client in conducting Transfer Impact Assessments if required
5.4 Government Access Requests
If the Processor receives a legally binding request from a public authority for disclosure of Client Personal Data transferred outside the EEA:
- The Processor shall notify the Client unless prohibited by law
- The Processor shall challenge the request if there are reasonable grounds
- The Processor shall provide only the minimum necessary data in response
6. AUDIT RIGHTS
6.1 Client Audit Rights
The Client (or its appointed auditor) may, upon reasonable notice (at least 30 days) and during normal business hours:
- Audit the Processor’s compliance with this DPA
- Inspect relevant processing facilities, systems, and documentation
- Interview relevant personnel
6.2 Audit Limitations
Frequency:
- Routine audits: once per year
- Additional audits may be conducted if there is evidence of non-compliance or following a Personal Data Breach
Notice:
- At least 30 days’ written notice required
- Audits must not unreasonably interfere with the Processor’s business
Scope:
- Limited to matters relevant to the Processor’s obligations under this DPA
- Subject to confidentiality obligations
- Does not include audits of Sub-processors (unless specifically agreed)
Costs:
- Client bears its own audit costs
- Processor may charge reasonable fees for audit participation beyond 1 day per year
6.3 Third-Party Certifications
In lieu of an audit, the Processor may provide:
- Third-party audit reports (e.g., SOC 2, ISO 27001)
- Independent security assessments
- Compliance certifications
Such reports may satisfy the Client’s audit rights if they adequately demonstrate compliance.
6.4 Remediation
If an audit reveals non-compliance:
- The Processor shall promptly remedy identified issues
- The Processor shall provide a remediation plan within 14 days
- The Client may conduct follow-up audits to verify remediation
7. DATA RETURN AND DELETION
7.1 Return or Deletion Upon Termination
Upon termination or expiration of the Main Agreement, or earlier upon Client’s request, the Processor shall, at the Client’s choice:
Option A (Return):
- Return all Client Personal Data to the Client in a commonly used, machine-readable format
- Provide confirmation of return
Option B (Deletion):
- Delete all Client Personal Data in its possession or control
- Provide certification of deletion
Timeline:
- Within 30 days of termination/request
- Or such other period as agreed in writing
7.2 Exceptions
The Processor may retain Client Personal Data to the extent:
- Required by Applicable Law (e.g., accounting, tax records)
- Necessary for the Processor’s legitimate interests (e.g., defending legal claims)
Retained data shall:
- Be subject to ongoing confidentiality and security obligations
- Be deleted when no longer required
- Not be used for any other purpose
7.3 Sub-processor Deletion
The Processor shall ensure that Sub-processors also return or delete Client Personal Data in accordance with this section.
7.4 Backup Copies
Backup copies may be retained in accordance with the Processor’s standard backup retention periods (maximum 90 days), after which they shall be securely deleted.
8. LIABILITY AND INDEMNIFICATION
8.1 Liability Under GDPR
The parties acknowledge that under Article 82 GDPR:
- Each party is liable for damages caused by processing that violates GDPR
- The Processor is liable only where it has not complied with obligations specifically directed at processors or has acted outside or contrary to lawful instructions
- The Processor is exempt from liability if it proves it is not in any way responsible for the event giving rise to the damage
8.2 Limitation of Liability
Subject to Section 8.1:
- The Processor’s total liability under this DPA is limited to the amounts set forth in the Main Agreement
- Neither party is liable for indirect, consequential, or special damages
- These limitations do not apply to fraud, gross negligence, or willful misconduct
8.3 Indemnification
By Processor: The Processor shall indemnify the Client against:
- Fines imposed by Supervisory Authorities due to the Processor’s non-compliance
- Third-party claims arising from the Processor’s breach of this DPA
- Reasonable costs of notification and remediation following a Personal Data Breach caused by the Processor
By Client: The Client shall indemnify the Processor against:
- Claims arising from the Client’s unlawful processing instructions
- Claims arising from the Client’s failure to obtain necessary consents
- Claims arising from the Processor’s compliance with the Client’s lawful instructions
8.4 Insurance
The Processor represents that it maintains appropriate professional liability and cyber insurance coverage.
9. TERM AND TERMINATION
9.1 Term
This DPA comes into effect on the Effective Date and remains in force for the duration of the Main Agreement or as long as the Processor processes Client Personal Data, whichever is longer.
9.2 Termination
This DPA automatically terminates upon:
- Termination of the Main Agreement, AND
- Completion of data return/deletion obligations under Section 7
9.3 Survival
The following provisions survive termination:
- Confidentiality obligations (Section 4.2)
- Audit rights (Section 6), for 1 year post-termination
- Liability and indemnification (Section 8)
- Data return/deletion (Section 7)
- Governing law and dispute resolution (Section 10)
10. GENERAL PROVISIONS
10.1 Governing Law
This DPA is governed by the laws of Romania, without regard to conflict of law principles.
10.2 Jurisdiction
The courts of Constanța, Romania shall have exclusive jurisdiction over any disputes arising from this DPA, except where EU law provides otherwise.
10.3 Hierarchy
In case of conflict:
1. This DPA prevails over the Main Agreement on data protection matters
2. Mandatory provisions of GDPR prevail over this DPA
3. Orders or decisions of Supervisory Authorities prevail
10.4 Amendments
This DPA may only be amended:
- By written agreement signed by both parties, OR
- To reflect changes in Applicable Data Protection Law (effective immediately upon notice)
10.5 Severability
If any provision is found invalid or unenforceable:
- The provision shall be modified to achieve the intended purpose to the maximum extent permitted
- Other provisions remain in full effect
10.6 Entire Agreement
This DPA, together with the Main Agreement and Annexes, constitutes the entire agreement on data processing and supersedes all prior agreements or understandings.
10.7 Notices
All notices under this DPA shall be in writing and sent to:
For Client: [Client contact details as provided at beginning of DPA]
For Processor: Star Products SRL (Starmaster Marketing)
- Email: [INSERT PRIVACY EMAIL]
- Address: [INSERT REGISTERED ADDRESS]
10.8 No Third-Party Beneficiaries
This DPA does not confer rights on any third party, except:
- Data Subjects may enforce certain provisions as third-party beneficiaries to the extent permitted by GDPR
- Supervisory Authorities have enforcement rights under GDPR
10.9 Assignment
Neither party may assign this DPA without the other’s prior written consent, except:
- The Processor may assign to an affiliate or in connection with a merger, acquisition, or sale of substantially all assets
- Assignment does not relieve the assigning party of its obligations
11. DEFINITIONS OF SERVICES
For clarity, the following services involve the processing of Client Personal Data:
11.1 Web Design & Development
Personal Data Processed: Website visitor data (IP addresses, cookies), contact form submissions, user account information (if applicable), CMS admin credentials, client employee contact information
Processing Activities: Website analytics implementation, contact form setup, user account management, content management system configuration
11.2 SEO Services
Personal Data Processed: Website analytics data, search console data, customer behavior data, competitor analysis data that may include personal information
Processing Activities: Analytics tracking, keyword research, content optimization, backlink analysis, performance reporting
11.3 PR Services
Personal Data Processed: Client contact information, media contact lists, spokesperson information, client employee data included in press materials
Processing Activities: Press release distribution, media outreach, article placement, reputation monitoring
11.4 Reputation Management
Personal Data Processed: Client employee/owner information, customer review data (from public sources), online mentions of individuals
Processing Activities: Monitoring online reviews and mentions, reputation analysis, review response management
11.5 Google My Business Management
Personal Data Processed: Business owner information, customer reviews (public data), Q&A interactions, messaging data
Processing Activities: Profile optimization, review monitoring, customer interaction management, performance tracking
11.6 Content Creation (Blog Posts, Social Media)
Personal Data Processed: Client contact information, subject matter expert information, customer testimonials (if included), analytics data
Processing Activities: Content research, creation, publication, engagement tracking
11.7 Image Revival Services
Personal Data Processed: Photos of individuals (often deceased family members), audio recordings, client contact information, biographical information
Processing Activities: Image restoration, colorization, animation, audio processing, video creation
Special Note: This service may involve sensitive personal data and requires explicit consent from the Client.
11.8 Video/Photo Editing
Personal Data Processed: Images and videos containing individuals, client employee data, subject information
Processing Activities: Editing, enhancement, storage of visual materials
11.9 Marketing Analytics
Personal Data Processed: Email engagement data, website visitor behavior, advertising interaction data, conversion data
Processing Activities: Campaign tracking, audience analysis, performance reporting
SIGNATURES
By signing below, the parties agree to be bound by the terms of this Data Processing Agreement.
CLIENT:
Signature: _________________________________
Name: _________________________________
Title: _________________________________
Date: _________________________________
PROCESSOR (Star Products SRL / Starmaster Marketing):
Signature: _________________________________
Name: _________________________________
Title: _________________________________
Date: _________________________________
ANNEX A: SPECIAL CATEGORIES OF PERSONAL DATA
To be completed if Special Categories of Personal Data (Article 9 GDPR) will be processed:
☐ Special Categories of Personal Data will NOT be processed
☐ Special Categories of Personal Data WILL be processed as follows:
Types of Special Category Data:
☐ Racial or ethnic origin
☐ Political opinions
☐ Religious or philosophical beliefs
☐ Trade union membership
☐ Genetic data
☐ Biometric data for identification
☐ Health data
☐ Sex life or sexual orientation data
Legal Basis for Processing Special Category Data:
☐ Explicit consent (Article 9(2)(a))
☐ Employment, social security, social protection law (Article 9(2)(b))
☐ Vital interests (Article 9(2)(c))
☐ Legitimate activities (Article 9(2)(d))
☐ Data made public by Data Subject (Article 9(2)(e))
☐ Legal claims (Article 9(2)(f))
☐ Substantial public interest (Article 9(2)(g))
☐ Health/social care (Article 9(2)(h))
☐ Public health (Article 9(2)(i))
☐ Archiving/research/statistics (Article 9(2)(j))
Additional Security Measures for Special Category Data: [Describe enhanced security measures, such as encryption, access restrictions, etc.]
ANNEX B: TECHNICAL AND ORGANIZATIONAL MEASURES
Current Security Measures Implemented by Processor
1. TECHNICAL MEASURES
1.1 Access Control
- Role-based access control (RBAC)
- Multi-factor authentication for administrative access
- Unique user accounts (no shared credentials)
- Password policy: minimum 12 characters, complexity requirements
- Automatic session timeout after 15 minutes of inactivity
- Access logs maintained for 12 months
1.2 Encryption
- Data in transit: TLS 1.2 or higher (HTTPS)
- Data at rest: AES-256 encryption for sensitive data
- Database encryption enabled
- Encrypted backups
- Encrypted email for sensitive communications
1.3 Network Security
- Firewall protection on all systems
- Intrusion detection/prevention systems (IDS/IPS)
- Regular vulnerability scanning
- DDoS protection
- Network segmentation
- VPN required for remote access
1.4 Malware Protection
- Anti-virus software on all endpoints
- Anti-malware on servers
- Automatic updates and daily scans
- Email filtering and attachment scanning
1.5 Backup and Recovery
- Automated daily backups
- Encrypted backup storage
- Offsite backup storage
- Regular restore testing (quarterly)
- Disaster recovery plan in place
- Recovery Time Objective (RTO): 24 hours
- Recovery Point Objective (RPO): 24 hours
1.6 Logging and Monitoring
- Centralized logging system
- Security event monitoring
- Anomaly detection
- Log retention: 12 months minimum
- Regular log review
1.7 Secure Development
- Secure coding standards
- Code review processes
- Vulnerability testing before deployment
- Penetration testing annually
- Security patches applied within 30 days of release
1.8 Data Disposal
- Secure deletion using industry-standard methods
- Physical media destruction for hardware disposal
- Certificate of destruction for sensitive data
- Sanitization verification
2. ORGANIZATIONAL MEASURES
2.1 Data Protection Governance
- Designated Data Protection Officer/Contact: [INSERT NAME]
- Data protection policies and procedures documented
- Privacy by Design and Default principles implemented
- Data Protection Impact Assessments for high-risk processing
2.2 Personnel Security
- Background checks for staff with access to personal data
- Confidentiality agreements signed by all employees/contractors
- Data protection training upon hire and annually thereafter
- Clear job descriptions with data handling responsibilities
- Separation of duties for sensitive operations
2.3 Access Management
- Principle of least privilege
- Need-to-know basis for data access
- Regular access reviews (quarterly)
- Immediate access revocation upon termination
- Guest/temporary access with time limits
2.4 Incident Management
- Personal Data Breach response plan
- Incident response team designated
- Breach notification procedures (24-hour timeline to Client)
- Post-incident analysis and remediation
- Breach register maintained
2.5 Vendor Management
- Sub-processor due diligence process
- Data Processing Agreements with all Sub-processors
- Regular Sub-processor reviews
- SLA monitoring
2.6 Business Continuity
- Business Continuity Plan (BCP) in place
- Disaster Recovery Plan (DRP) tested annually
- Alternative processing sites identified
- Emergency contact procedures
2.7 Physical Security
- Controlled access to facilities (badge/key card)
- Visitor sign-in and escort requirements
- CCTV monitoring of server rooms
- Locked cabinets for sensitive documents
- Clean desk policy
- Secure disposal bins for confidential waste
2.8 Awareness and Training
- Annual data protection training for all staff
- Phishing awareness training quarterly
- Security awareness campaigns
- Documented training completion records
2.9 Compliance and Audit
- Annual internal security audits
- Third-party security assessments (available upon request)
- Regular compliance reviews
- Documentation of security measures
- Continuous improvement process
3. CERTIFICATIONS AND STANDARDS
Current Certifications:
☐ ISO 27001 (Information Security Management)
☐ ISO 27701 (Privacy Information Management)
☐ SOC 2 Type II
☐ Other: _________________________________
Compliance Frameworks Followed:
☑ GDPR
☑ ePrivacy Directive
☐ NIST Cybersecurity Framework
☐ Other: _________________________________
4. SECURITY INCIDENT HISTORY
Last 12 Months:
- Number of security incidents: _______
- Number of Personal Data Breaches: _______
- Details of any breaches: _________________________________
5. UPDATES TO SECURITY MEASURES
The Processor reserves the right to update these measures to:
- Improve security
- Address new threats
- Comply with new regulations
- Implement new technologies
The Client will be notified of material changes at least 30 days in advance.
Last Updated: [INSERT DATE]
Next Review: [INSERT DATE]
ANNEX C: LIST OF SUB-PROCESSORS
Approved Sub-Processors
The following Sub-processors are authorized to process Client Personal Data:
Sub-Processor Name | Service Provided | Location | Data Processed | Safeguards
[Example: Google LLC] | Analytics, Email (Google Analytics, Gmail) | USA | Website analytics data, email communications | EU-US Data Privacy Framework, SCC
[Example: Amazon Web Services] | Cloud hosting | EU (Frankfurt) | All data stored | GDPR-compliant DPA, EU data center
[Example: Stripe, Inc.] | Payment processing | USA/EU | Payment transaction data | SCC, PCI-DSS compliant
[Example: Mailchimp/Intuit] | Email marketing | USA | Email addresses, engagement data | SCC
Complete Sub-processor List:
1. [SUB-PROCESSOR NAME]
- Service: [What service they provide]
- Data Processed: [Types of Client Personal Data they access]
- Location: [Country/region where data is processed]
- Transfer Mechanism: [If outside EEA: SCC, Adequacy Decision, BCR, etc.]
- DPA Effective Date: [Date]
- Contact: [Email/phone]
2. [SUB-PROCESSOR NAME]
[Repeat format above]
3. [SUB-PROCESSOR NAME]
[Repeat format above]
Sub-Processor Change Notification Process
Notice Period: 30 days before adding/replacing a Sub-processor
Notification Method:
- Email to Client’s designated contact
- Posted on website [INSERT URL] (if applicable)
Client Objection Process:
- Client must object in writing within 14 days of notification
- Objection must state reasonable data protection grounds
- Parties will discuss alternative solutions
- If no resolution is reached within 30 days, Client may terminate affected Services without penalty
Documentation: This Annex C will be updated to reflect current Sub-processors and made available to Client upon request.
Last Updated: [INSERT DATE]
ANNEX D: DATA PROCESSING DETAILS
Summary of Processing Activities
Controller: [Client Name]
Processor: Star Products SRL (Starmaster Marketing)
Services Provided: [Select applicable]
☐ Web Design & Development
☐ SEO Services
☐ PR Services
☐ Reputation Management
☐ Business Listings Management
☐ GDPR Consulting
☐ Branding
☐ Google My Business Management
☐ Logo Design
☐ Graphic Design
☐ Motion Graphics
☐ Video Editing
☐ Photo Editing
☐ Blog Post Writing
☐ Image Revival Services
☐ Other: _________________________________
Duration of Processing:
- Start Date: _________________________________
- End Date: _________________________________ (or “ongoing”)
- Retention After Service End: _________________________________ days
Categories of Data Subjects:
☐ Client employees
☐ Client customers
☐ Website visitors
☐ Newsletter subscribers
☐ Business contacts
☐ Other: _________________________________
Types of Personal Data:
☐ Contact information (name, email, phone, address)
☐ Account credentials
☐ Payment information
☐ Website analytics data (IP addresses, cookies, behavior)
☐ Customer interaction data (reviews, messages, support tickets)
☐ Employment data (job title, company)
☐ Photos/videos/audio
☐ Marketing preferences
☐ Other: _________________________________
Purpose of Processing: [Describe specific purpose, e.g., “To provide SEO services including website analytics, keyword research, and performance reporting”]
Nature of Processing:
☐ Collection
☐ Recording
☐ Organization
☐ Storage
☐ Adaptation/alteration
☐ Retrieval
☐ Use
☐ Disclosure by transmission
☐ Dissemination
☐ Deletion/destruction
Data Location:
- Primary: _________________________________
- Backup: _________________________________
Retention Period:
- Active Services: for the duration of the service agreement
- Post-Service: _______ days/months/years
- Legal Requirements: 7 years (accounting records)
International Transfers:
☐ No international transfers
☐ International transfers to: _________________________________
Transfer mechanism: _________________________________
END OF DATA PROCESSING AGREEMENT
© 2026 Star Products SRL. All rights reserved.