Data Processing
Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between the Customer ("Controller") and Uku Viam OÜ ("Processor", "Uku") for the provision of Uku's accounting practice management software. It governs the Processor's processing of Personal Data on behalf of the Controller in accordance with Regulation (EU) 2016/679 ("GDPR").

2. Scope and Duration

This DPA applies to all Processing of Personal Data carried out by the Processor in connection with the Services. The DPA enters into force when the Controller accepts Uku's Terms of Use and remains in effect for the duration of the main service agreement. Obligations that by their nature should survive termination (such as confidentiality, data return or deletion, and audit cooperation in respect of past processing) shall continue to apply after termination.

4. Categories of Data Subjects

• The Controller's employees and administrators
• The Controller's clients and their representatives
• End users of the services provided by the Controller

6. Technical and Organisational Measures

6.1 Security measures

The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including but not limited to:

• Encryption of data in transit using TLS 1.3 or higher
• Encryption of data at rest using AES-256
• Mandatory multi-factor authentication for personnel with access to production systems
• Regular security assessments, including independent SOC 2 Type I audits
• A documented incident response procedure with 24/7 monitoring
• Regular employee training on data protection and information security

6.2 Access controls

The Processor applies the following access control principles to Personal Data processed under this DPA:

• Authentication. Multi-factor authentication is required for all personnel accessing systems that process Personal Data.
• Authorisation. Access is granted on the basis of role-based access control (RBAC).
• Least privilege. Personnel are granted only the access strictly necessary to perform their duties.
• Monitoring. All access to production systems is logged and reviewed.

A summary of the Processor's technical and organisational measures is available on request and is described in greater detail in the Processor's SOC 2 Type I report, which may be shared under a non-disclosure agreement.

8. Assistance with Data Subject Rights

Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests from Data Subjects exercising their rights under GDPR Chapter III, including:

• Right of access — providing access to Personal Data
• Right to rectification — correcting inaccurate Personal Data
• Right to erasure — deleting Personal Data upon legitimate request
• Right to data portability — providing Personal Data in a structured, commonly used, machine-readable format
• Right to object — respecting objections to specific processing activities
• Right to restriction of processing

Where a Data Subject contacts the Processor directly with such a request, the Processor shall forward the request to the Controller without undue delay and shall not respond to the Data Subject directly, unless authorised by the Controller.

10. Data Breach Notification

The Processor maintains 24/7 monitoring systems for the detection of security incidents. In the event of a Personal Data breach affecting the Controller's data, the Processor shall:

• Notify the Controller without undue delay and in any event within 48 hours of becoming aware of the breach.
• Provide the Controller with information sufficient to meet its own notification obligations under GDPR Article 33, including:
  • the nature of the breach and, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned;
  • the likely consequences of the breach;
  • the measures taken or proposed to address the breach and mitigate its possible adverse effects;
  • contact details of the Processor's point of contact for further information.
• Cooperate with the Controller and take reasonable steps to contain, investigate, and remediate the breach.

Notification of a breach does not constitute an acknowledgement by the Processor of any fault or liability.

12. Audits and Compliance

• The Processor undergoes independent SOC 2 Type I audits. Audit reports are made available to the Controller on request, subject to a non-disclosure agreement.
• The Controller has the right to audit the Processor's compliance with this DPA, subject to at least 30 days' prior written notice, during normal business hours, and at the Controller's own cost. Audits shall not unreasonably interfere with the Processor's business operations.
• Where the Controller's audit needs are reasonably met by an existing SOC 2 Type I or equivalent third-party audit report, the Controller shall accept such report in lieu of an on-site audit.

14. Liability

The liability of each party under or in connection with this DPA shall be limited in accordance with the limitations of liability set out in the main service agreement between the parties. In any event, and without prejudice to liability that cannot be limited under applicable law, the aggregate liability of the Processor under this DPA shall not exceed the total fees paid by the Controller to the Processor under the main service agreement during the twelve (12) months preceding the event giving rise to the claim.

The Processor shall not be liable for any indirect, consequential, special, or punitive damages, loss of profits, loss of revenue, or loss of business arising out of or in connection with this DPA.

16. Contact Information

Data Protection Officer

• Email: dpo@getuku.com
• Address: Tondi 27, 11316 Tallinn, Estonia

Legal inquiries

• Email: legal@getuku.com