Data Processing Agreement

Last updated: March 2026

1. Subject Matter and Duration

This Data Processing Agreement ("DPA") forms part of the Terms of Service between SIMtrix ("Processor") and the Customer ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller in connection with the SIMtrix platform. This DPA is effective for the duration of the service agreement and shall automatically terminate upon termination of the service.

2. Roles and Responsibilities

Controller (Customer): Determines the purposes and means of processing personal data. The Controller is responsible for ensuring the lawfulness of data collection and for providing appropriate privacy notices to data subjects.

Processor (SIMtrix): Processes personal data only on documented instructions from the Controller and solely for the purpose of providing the Service. The Processor shall not process personal data for any other purpose.

3. Scope of Processing

Data subjects: Controller's employees, contacts, leads, and customers as stored in Bitrix24 CRM.

Categories of data: Phone numbers, names (as associated with phone numbers in Bitrix24), SMS message content (relayed), call metadata (numbers, timestamps, duration), call recordings (if enabled).

Processing operations: Relay of SMS messages, relay of telephony signaling, temporary storage and forwarding of call recordings, synchronization of contact data with Bitrix24.

4. Processor Obligations

The Processor shall:
(a) Process personal data only on documented instructions from the Controller;
(b) Ensure that personnel authorized to process personal data have committed to confidentiality;
(c) Implement appropriate technical and organizational security measures (see Section 6);
(d) Assist the Controller in responding to data subject requests;
(e) Delete or return all personal data upon termination, at the Controller's choice;
(f) Make available all information necessary to demonstrate compliance;
(g) Allow and contribute to audits conducted by the Controller or an auditor mandated by the Controller (with reasonable notice and during business hours).

5. Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors. Current sub-processors:

Hetzner Online GmbH — Server hosting — Germany (EU)
Stripe, Inc. — Payment processing — USA (SCCs)
Google LLC (Firebase) — Push notifications — USA (SCCs)
1C-Bitrix (Bitrix24) — CRM integration — Controller's Bitrix24 region

The Processor shall notify the Controller of any intended changes to sub-processors at least 14 days in advance. The Controller may object to a new sub-processor within 14 days.

6. Technical and Organizational Measures

The Processor implements the following measures:

Encryption: TLS 1.3 for data in transit; AES-256-GCM for sensitive data at rest (OAuth tokens, API keys).
Access Control: Role-based access control (RBAC); multi-tenant isolation via PostgreSQL Row Level Security (RLS); JWT-based authentication.
Infrastructure: Dedicated VPS in Germany; Docker containerization; automated security updates; firewall rules.
Monitoring: Application error tracking; automated alerting for anomalies; regular log review.
Backup: Daily encrypted backups with 30-day retention; tested restore procedures.
Personnel: Confidentiality agreements; security awareness training.

7. Data Breach Notification

In the event of a personal data breach, the Processor shall:
(a) Notify the Controller without undue delay and in any event within 48 hours of becoming aware of the breach;
(b) Provide the following information: nature of the breach, categories and approximate number of data subjects affected, likely consequences, measures taken or proposed to address the breach;
(c) Cooperate with the Controller in investigating and mitigating the breach;
(d) Document all breaches, including facts, effects, and remedial actions taken.

8. International Transfers

Personal data is stored and processed within the EU (Germany). Where sub-processors outside the EU are engaged, the Processor ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as adopted by the European Commission.

9. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. The Processor's total liability under this DPA shall not exceed the amounts paid by the Controller for the Service in the 12 months preceding the event giving rise to the claim.

10. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Republic of Poland. The competent courts in Poland shall have exclusive jurisdiction over any disputes arising from this DPA.