This Data Processing Agreement (“Agreement”) forms part of the agreement between the parties and is entered into in accordance with Article 28 of Regulation (EU) 2016/679 (“GDPR”).
1. Parties
This Agreement is entered into between:
Data Controller / Client:
The customer or business entity engaging CYBORA services (“Controller”)
and
Data Processor:
CYBORA
Address: Akademijos g. 4, 4th floor, North Wing, Vilnius, Lithuania, LT-08412
Email: support@cybora.tech
(“Processor”)
2. Purpose and Scope
This Agreement governs the processing of personal data by the Processor on behalf of the Controller in connection with the services described in the Terms & Conditions and any applicable service agreements.
The Processor shall process personal data solely for the purpose of providing call center, contact center, and AI-assisted communication services.
This Agreement applies to all processing activities carried out by the Processor under the Controller’s documented instructions.
In the event of conflict, this Agreement shall prevail with respect to data protection matters.
3. Definitions
Terms used in this Agreement shall have the meanings given to them in the GDPR, unless otherwise defined herein.
“Personal Data”, “Processing”, “Data Subject”, “Controller”, and “Processor” shall have the meanings set forth in Article 4 GDPR.
References to GDPR include the UK GDPR where applicable.
“Services” shall mean the services described in the Terms & Conditions.
4. Categories of Data and Data Subjects
4.1 Categories of Personal Data
- Identification data (e.g., name, business contact details)
- Contact data (e.g., phone number, email address)
- Call metadata and call recordings
- Communication content
- Technical and usage data
4.2 Categories of Data Subjects
- End customers
- Business contacts
- Call participants
- Employees or representatives of the Controller
5. Processor Obligations
The Processor shall:
- process personal data only on documented instructions from the Controller;
- ensure that persons authorized to process personal data are bound by confidentiality obligations;
- implement appropriate technical and organizational security measures;
- assist the Controller in fulfilling data subject rights requests;
- notify the Controller without undue delay after becoming aware of a personal data breach.
6. Controller Obligations
The Controller represents and warrants that:
- it has a lawful basis for processing and sharing personal data with the Processor;
- data subjects have been appropriately informed;
- instructions provided to the Processor comply with applicable data protection laws;
- required consents for outbound communications have been obtained where applicable.
7. Use of Sub-Processors
The Controller authorizes the Processor to engage sub-processors for service delivery purposes.
The Processor shall ensure that sub-processors are subject to equivalent data protection obligations.
A current list of sub-processors shall be made available upon request.
The Processor remains responsible for the performance of its sub-processors.
8. International Data Transfers
Personal data may be transferred outside the EU or UK, including to the United States, where necessary for service delivery.
Such transfers shall be subject to appropriate safeguards, including Standard Contractual Clauses (SCCs) or UK IDTA.
Where applicable, the Processor may rely on recognized adequacy frameworks such as the EU–US Data Privacy Framework.
Consistent data protection standards shall be applied across all transfers.
9. Security Measures
The Processor shall implement appropriate technical and organizational measures to protect personal data, including access controls, encryption, monitoring, and incident response procedures.
Security measures shall be proportionate to the risks associated with the processing activities.
The Processor shall regularly review and update its security practices.
Details of security measures may be provided upon reasonable request.
10. Data Subject Rights Assistance
The Processor shall assist the Controller, where applicable, in responding to requests from data subjects.
Such assistance shall include access, rectification, erasure, restriction, objection, and data portability requests.
The Processor shall not respond directly to data subjects unless authorized by the Controller.
Requests shall be handled without undue delay.
11. Personal Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach.
The notification shall include all relevant information required under Article 33 GDPR, where available.
The Processor shall cooperate with the Controller to mitigate and remediate the breach.
Incident response procedures shall be maintained and tested periodically.
12. Audit and Compliance
The Processor shall make available information reasonably necessary to demonstrate compliance with this Agreement.
Audits may be conducted by the Controller or an independent auditor, subject to reasonable notice.
Audits shall not unreasonably interfere with Processor operations.
Confidentiality obligations shall apply to audit results.
13. Data Retention and Deletion
Upon termination of the services, the Processor shall, at the Controller’s choice, delete or return all personal data.
Retention may continue where required by law.
Deletion shall be performed securely and irreversibly where feasible.
This clause survives termination of the Agreement.
14. Liability
Each party shall be liable for damages in accordance with applicable data protection laws.
Nothing in this Agreement limits liability where such limitation is prohibited by law.
Liability allocation shall be interpreted consistently with the Terms & Conditions.
This Agreement does not create joint controllership unless explicitly agreed.
15. Governing Law
This Agreement shall be governed by the laws of the Republic of Lithuania, unless mandatory data protection laws require otherwise.
Disputes shall be resolved in accordance with the dispute resolution provisions of the Terms & Conditions.
This clause does not affect mandatory rights of data subjects.
Jurisdiction shall lie with the competent courts of Lithuania.
16. Contact Details
For data protection matters related to this Agreement:
Data Protection Officer (DPO):
📧 dpo@cybora.tech
Support:
📧 support@cybora.tech
📞 +370 640 12261
