Data Processing Agreement

1. Introduction and Scope
This Data Processing Agreement ("DPA") is entered into between Security Consultants OÜ, an Estonian company, and each of its clients (each a Client). It forms part of and is incorporated by reference into the Master Service Agreements (MSAs) or other service contracts between Security Consultants OÜ (the Company) and the Client.
This DPA applies only to the extent that Security Consultants OÜ processes Personal Data on behalf of the Client in connection with the services under the MSA, in which case the Client is the Data Controller and Security Consultants OÜ acts as a Data Processor.
In general, Security Consultants OÜ operates as an independent data controller when providing consulting services. Therefore, in situations where Security Consultants OÜ processes Personal Data for its own purposes (for example, to comply with its legal and regulatory obligations such as anti-money laundering (KYC) checks, tax and accounting requirements, or other internal business purposes), Security Consultants OÜ will be acting as an independent Data Controller, and such processing is governed by the Company’s own privacy policies and legal obligations rather than this DPA.
By entering into an MSA or using Security Consultants OÜ’s services, the Client agrees to the terms of this DPA, which is hereby incorporated into the MSA by reference. In the event of any conflict between this DPA and the MSA with respect to data protection matters, the provisions of this DPA shall prevail.
2. Definitions
For purposes of this DPA, the following terms have the meanings set out below. Capitalized terms not defined in this DPA shall have the meanings given in the applicable data protection laws or in the MSA:
- Personal Data: any information relating to an identified or identifiable natural person (Data Subject); this includes any data defined as "personal data", "personally identifiable information", etc., under applicable Data Protection Laws.
- Data Subject: an identified or identifiable natural person to whom Personal Data relates.
- Processing (and Process): any operation or set of operations performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction, whether by automated means or not.
- Data Controller (or simply Controller): the entity which alone or jointly with others determines the purposes and means of the Processing of Personal Data. For purposes of this DPA, the Client acts as Data Controller when Security Consultants OÜ processes Personal Data on the Client’s behalf.
- Data Processor (or simply Processor): the entity which Processes Personal Data on behalf of the Controller. For purposes of this DPA, Security Consultants OÜ acts as Data Processor to the Client when it processes Personal Data on the Client’s behalf.
- Data Protection Laws: all laws and regulations relating to data protection, privacy, and the Processing of Personal Data that apply to the respective party’s operations or the Services. This includes, where applicable, the EU General Data Protection Regulation (EU) 2016/679 (GDPR) and Estonia’s data protection laws, as well as any other applicable data protection or privacy statutes and regulations.
- Client Personal Data: any Personal Data that Security Consultants OÜ Processes on behalf of the Client under the MSA (i.e. data controlled by the Client and processed by the Company as a service provider).
- Subprocessor: any third party (including any subcontractor, agent or affiliate) engaged by Security Consultants OÜ to assist in Processing Client Personal Data on behalf of the Client as described in the MSA.
3. Roles of the Parties
The parties acknowledge that, with regard to the Processing of Client Personal Data under the services: the Client is the Data Controller and Security Consultants OÜ is the Data Processor acting on the Client’s behalf. Each party will comply with its respective obligations under Data Protection Laws for its role. The Client is responsible for determining the purposes and means of Processing of Personal Data provided to Security Consultants OÜ under the MSA, and Security Consultants OÜ will process such data only on the Client’s documented instructions and in accordance with this DPA (except where otherwise required by applicable law, as described below).
3.1. Obligations of the Client (Data Controller)
The Client, as Data Controller, agrees to:
- Lawful Use of Data: Ensure that all Personal Data provided or made available to Security Consultants OÜ for Processing has been collected and is being shared with Security Consultants OÜ in compliance with Data Protection Laws. The Client shall have obtained all necessary consents or provided all necessary notices to Data Subjects, or have another valid legal basis, for the Processing of Personal Data by Security Consultants OÜ as contemplated in the MSA. The Client is solely responsible for the accuracy, quality, and legality of the Personal Data it provides, and the means by which it was obtained.
- Instructions: Provide documented instructions to Security Consultants OÜ that are lawful and relevant to the Processing. The Client shall not instruct Security Consultants OÜ to process Personal Data in a manner that would violate applicable laws. Security Consultants OÜ is only obligated to follow the Client’s documented instructions for Processing; if the Client issues an instruction that Security Consultants OÜ believes violates the GDPR or other Data Protection Laws, Security Consultants OÜ will inform the Client of its opinion without undue delay.
- Data Subject Requests: Cooperate with Security Consultants OÜ to enable compliance with Data Subject rights. It remains the Client’s primary responsibility to address requests from Data Subjects (such as access, correction, deletion, or objection requests) relating to Client Personal Data; however, the Client may require Security Consultants OÜ’s assistance as described in this DPA.
- Other Compliance: Overall, ensure that Client’s use of the services and instructions to Security Consultants OÜ will not put either party in breach of Data Protection Laws.
3.2. Obligations of Security Consultants OÜ (Data Processor)
When acting as the Client’s Data Processor, Security Consultants OÜ agrees to the following obligations, in each case in accordance with applicable Data Protection Laws (including GDPR Article 28(3)):
- Process Only on Instructions: Security Consultants OÜ will process Client Personal Data only on the documented instructions of the Client and for the purposes explicitly specified in the MSA or this DPA, unless Processing is required by European Union or Member State law to which Security Consultants OÜ is subject (in which case Security Consultants OÜ shall inform the Client of that legal requirement before processing, unless the law prohibits such notice). If Security Consultants OÜ believes an instruction from the Client violates GDPR or other applicable law, it will inform the Client.
- Confidentiality: Security Consultants OÜ will ensure that any persons it authorizes to process Client Personal Data (including employees, agents, and contractors) are subject to appropriate confidentiality obligations (either by contract or under statutory law). Security Consultants OÜ will not disclose Client Personal Data to any third party unless permitted by the Client or this DPA, or as required by law.
- Security Measures: Security Consultants OÜ shall implement and maintain appropriate technical and organizational measures to protect Client Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, or disclosure, ensuring a level of security appropriate to the risk. These measures shall include, as appropriate, the measures referred to in Article 32(1) GDPR (such as pseudonymization and encryption of data, measures to ensure ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore data in a timely manner, and processes for regularly testing and assessing security effectiveness).
- Use of Subprocessors: Security Consultants OÜ will only engage Subprocessors to assist in Processing Client Personal Data in accordance with the Subprocessors section of this DPA. In any case, Security Consultants OÜ will remain liable for the performance of its Subprocessors as further described below.
- Assistance with Data Subject Rights: Taking into account the nature of the processing, Security Consultants OÜ will assist the Client by appropriate technical and organizational measures, insofar as possible, in fulfilling the Client’s obligation to respond to requests from Data Subjects to exercise their rights (access, rectification, erasure, restriction, objection, data portability, etc.) under Data Protection Laws. If Security Consultants OÜ directly receives any request from a Data Subject concerning Personal Data that is part of Client Personal Data, it will promptly notify the Client and will not respond to the request except on the documented instructions of the Client or as required by applicable law (in which case Security Consultants OÜ will inform the Client of that requirement, unless legally prohibited from doing so).
- Assistance with Compliance: Security Consultants OÜ will assist the Client in ensuring compliance with the Client’s obligations under Articles 32 to 36 of the GDPR (and equivalent provisions of other Data Protection Laws), taking into account the nature of processing and the information available to Security Consultants OÜ. This includes providing assistance with security measures, breach notification, data protection impact assessments (DPIAs), and prior consultation with supervisory authorities, as reasonably required.
- Breach Notification: In the event Security Consultants OÜ becomes aware of a Personal Data Breach (as defined in GDPR) affecting Client Personal Data, Security Consultants OÜ will notify the Client without undue delay. Such notification shall be made promptly after Security Consultants OÜ discovers the breach, and shall include sufficient information regarding the nature of the breach and known or suspected impacts to enable the Client to fulfill any obligations to report the breach to regulators or Data Subjects under Data Protection Laws. Security Consultants OÜ will further take reasonably necessary measures to contain and mitigate the effects of the breach, and will cooperate with the Client in the investigation, mitigation, and remediation of the breach.
- Return or Deletion of Data: Upon termination or expiration of the MSA, or upon the Client’s written request at any time, Security Consultants OÜ will cease Processing and, at the choice of the Client, securely delete or return all Client Personal Data (including copies) that it processes on the Client’s behalf, within a reasonable timeframe.
- Records and Compliance: Security Consultants OÜ shall maintain all records of Processing as required by Article 30(2) of GDPR (and/or other applicable laws). It will also make available to the Client all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA and allow for audits as described below.
- Audit Rights: At the Client’s request, Security Consultants OÜ will permit and contribute to audits and inspections of its processing activities for the Client, either by the Client itself or an independent auditor appointed by the Client (who is not a competitor of Security Consultants OÜ, and who is bound by appropriate confidentiality obligations). The Client must provide reasonable advance notice of any audit and conduct it in a manner that does not unduly disrupt Security Consultants OÜ’s operations.
3.2.1. Subprocessors
The Client provides Security Consultants OÜ a general authorization to engage third-party Subprocessors in the course of providing the services, subject to the conditions set forth in this section. When engaging a Subprocessor, Security Consultants OÜ will:
- Impose Equivalent Obligations: Enter into an agreement with the Subprocessor imposing data protection obligations that are no less protective than those set out in this DPA, in particular obligations to Process Personal Data only on Security Consultants OÜ’s instructions and to implement appropriate technical and organizational measures to protect the data. This ensures that the Subprocessor is held to the same standards of data protection as required of Security Consultants OÜ under this DPA and Article 28 of the GDPR.
- Remain Liable: Remain fully liable to the Client for the Subprocessor’s performance of the obligations under this DPA.
- Notification of Changes: Inform the Client of any intended addition or replacement of Subprocessors in advance, by updating a Subprocessor list.
3.2.2. Data Security
Security Consultants OÜ is committed to maintaining the security and integrity of Client Personal Data. The Company implements and regularly updates appropriate technical and organizational security measures to protect Personal Data against unauthorized access, misuse, alteration, loss, or destruction.
3.2.3. Data Subject Rights and Cooperation
As noted above, Security Consultants OÜ will cooperate with the Client to enable the Client to fulfill its obligations to Data Subjects. If a Data Subject contacts Security Consultants OÜ with a request to access, correct, delete, or exercise other rights (such as data portability or objection) regarding their Personal Data processed under the MSA, Security Consultants OÜ will promptly forward the request to the Client (unless otherwise prohibited by law). Security Consultants OÜ will not independently respond to any such Data Subject request.
Additionally, upon the Client’s request, Security Consultants OÜ will reasonably assist the Client in responding to Data Subject requests insofar as Security Consultants OÜ is able, given the nature of the processing and the information available.
If the Client needs to conduct a Data Protection Impact Assessment (DPIA) or consult with a Supervisory Authority in accordance with GDPR Articles 35 and 36 (or equivalent provisions of other laws), Security Consultants OÜ will provide reasonable cooperation and assistance to the Client, upon request, to facilitate compliance.
3.2.4. Personal Data Breach Notification
In the event of a Personal Data Breach (meaning a confirmed security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data) affecting Client Personal Data, Security Consultants OÜ will:
- Notification: Notify the Client without undue delay after becoming aware of the breach. Security Consultants OÜ will contact the Client via the designated security or privacy contact provided (or, if none, an executive or account contact) and will provide a description of the nature of the breach, the categories and approximate volume of data and Data Subjects concerned, and the likely consequences of the breach, to the extent such information is known at the time.
- Mitigate and Cooperate: Security Consultants OÜ will immediately take reasonable steps to contain and mitigate the effects of the breach.
- Prevention: Following a breach, Security Consultants OÜ will review and, as necessary, update its security measures to prevent future incidents.
4. Term and Termination of the DPA
This DPA shall become effective and legally binding between the parties once the Client enters into an MSA or service agreement with Security Consultants OÜ that expressly incorporates this DPA. The DPA will remain in effect for the duration of the MSA and so long as Security Consultants OÜ continues to process Client Personal Data, until deletion of all Client Personal Data in accordance with this DPA.
5. International Data Transfers
Security Consultants OÜ processes Client Personal Data within the European Economic Area (EEA). If, in the course of providing the services, any transfer of Client Personal Data to a country outside the EEA becomes necessary, Security Consultants OÜ will ensure that such transfer complies with applicable Data Protection Laws by implementing an appropriate and legally valid transfer mechanism. This may include the use of the European Commission’s Standard Contractual Clauses and, where required, supplementary technical and organizational measures to ensure an adequate level of protection.
6. Governing Law
This DPA, and any disputes or claims arising out of or in connection with it, shall be governed by and construed in accordance with the laws of Ireland. In addition, to the extent required by EU law, the parties will adhere to the requirements of the EU GDPR. Unless otherwise specified in the MSA, the parties agree that any dispute arising under this DPA shall be subject to the jurisdiction of the competent courts of Ireland.
7. Miscellaneous
This DPA is an integral part of the MSA between Security Consultants OÜ and the Client. By using the Company’s services or by signing the MSA, the Client is deemed to have accepted and agreed to this DPA, without the need for a separate signature. If a separate signed DPA is required by the Client or by law, the parties can execute a duplicate copy of this DPA to satisfy that requirement, but in any event this DPA shall apply to all relevant services as if it were formally signed by both parties.
8. Contact and Requests
Any questions or notices regarding this DPA should be directed to Security Consultants OÜ’s data protection contact at privacy@security-consultant.com.