DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) is an integral part of the SingleList Terms of Use (“Agreement”), governing the use of SingleList, a web-based data collection and AI-driven analytics platform provided as Software as a Service (SaaS) and accessible at singlelist.io. It is entered into between LLC SingleList, a private limited liability company established under the laws of the Republic of Lithuania, company code 307113879, with its registered office at Palanga, Kuršių tak. 20C K3-2, LT-00317, Lithuania (“Processor”) and the Customer (“Controller”; each individually a “Party” and collectively the “Parties”) and applies to the extent that the Processor processes Customer Data on behalf of the Controller in the performance of the Agreement.
By agreeing to the Agreement, the Controller agrees to the terms of this Addendum. This Addendum is an inseparable part of the Agreement.
The Parties aim to ensure that data processing complies with the requirements of the General Data Protection Regulation (EU) 2016/679 (“GDPR”). Therefore, the Parties have concluded this Addendum.
1. DEFINITIONS
1.1. Unless otherwise specified in this Addendum, all capitalized terms not defined herein shall have the meaning assigned to them in the Agreement.
1.2. “Customer Data” means any personal data of a data subject that the Processor processes on behalf of the Controller under or in connection with the Agreement.
1.3. The terms “personal data”, “data subject”, “processing”, “Controller”, and “Processor” used in this Addendum shall have the meanings assigned to them by the GDPR.
2. OBJECT OF THE AGREEMENT
2.1. In performing the Agreement concluded by the Parties, the Processor acts according to the instructions of the Controller and processes Customer Data as specified in this Addendum.
2.2. The nature, object, purpose, and duration of the personal data processing, as well as the types of personal data and categories of data subjects processed, are specified in Annex 1 of this Addendum.
3. OBLIGATIONS OF THE PROCESSOR
3.1. The Processor undertakes to limit the processing of Customer Data to what is necessary to perform the Agreement.
3.2. The Processor processes Customer Data on behalf of the Controller and in accordance with their instructions. The Processor must contact the Controller if they do not know or do not understand the Controller's instructions.
3.3. The Processor undertakes to process Customer Data in compliance with applicable legal requirements and recommendations from supervisory authorities.
3.4. The Processor undertakes to ensure the confidentiality and security of the Customer Data processed by the Processor.
3.5. Upon receipt of any request or requirement related to Customer Data, the Processor shall immediately, but no later than within three (3) business days, inform the Controller and forward such request to them, unless prohibited by applicable law.
3.6. At the request of the Controller (for an additional fee calculated according to the Processor's business rates if such request exceeds the normal execution of tasks provided for in the Agreement), the Processor undertakes to:
3.6.1. assist the Controller in responding to requests from data subjects;
3.6.2. provide information and documents requested by the Controller;
3.6.3. cooperate with the Controller in performing data protection impact assessments and prior consultations with the supervisory authority.
3.7. Some Controller instructions, including the fulfillment of the Controller's obligations, data destruction, or data return from the Processor, may be subject to additional charges. In such cases, unless agreed otherwise, the Processor shall notify the Controller of such costs in advance. If the Controller refuses to cover such costs, their requests or requirements will not be executed or will be executed only to the extent that it does not require additional effort compared to the Processor's normal functions in performing the Agreement. Such behavior or actions by the Processor shall not be considered a breach of this Addendum or the Agreement. In such cases, the Controller assumes all risks for non-compliance with data subject requests or requirements or applicable data protection laws.
4. OBLIGATIONS OF THE CONTROLLER
4.1. The Controller is solely responsible for assessing the legality of the Customer Data processing and protecting the rights of data subjects, and is therefore considered the Controller as defined in Article 4(7) of the GDPR.
4.2. The Controller has provided all necessary privacy notices and/or obtained all consents and rights required by applicable law so that the Processor can process Customer Data related to the use of SingleList under the Agreement and this Addendum.
4.3. The Controller has the right to give instructions regarding the nature, scope, and method of Customer Data processing. At the Processor's request, the Controller shall immediately confirm verbal instructions to the Processor in writing or text form (e.g., by email).
4.4. The Controller shall immediately notify the Processor of any errors or irregularities identified in the processing of Customer Data performed by the Processor.
4.5. The Controller confirms that the processing of Customer Data by the Controller is carried out in compliance with the requirements of applicable laws.
5. SECURITY MEASURES
5.1. The Processor undertakes to apply appropriate technical and organizational security measures to protect Customer Data and undertakes to comply with the information security requirements set out in the GDPR. A minimum list of technical and organizational measures to be implemented by the Processor is provided in Annex 2 of the Addendum.
5.2. To ensure the security and integrity of data stored in electronic systems, the Processor generally uses security measures developed by third parties. These measures are standardized and apply to all similar services provided by the Processor and to all Customers. The Controller confirms that such measures are sufficient and appropriate to ensure an adequate level of protection for Customer Data, taking into account their processing and the nature of processing, the associated risks, and the type, volume, context, and purposes of the Customer Data.
5.3. The Processor may, at its discretion, change and update technical and organizational measures without separate notice to the Controller. Such changes and updates must ensure the same level of protection as the previous measures.
5.4. At the instruction and expense of the Controller, additional technical and organizational measures may be implemented that are not directly related to or necessary for the performance of the Agreement.
6. SUB-PROCESSING
6.1. The Controller agrees that the Processor may use other data processors to fulfill its contractual obligations under the Agreement and this Addendum. The Controller, through this Addendum, grants general authorization to the Processor to use other data processors as described in this section.
6.2. The Processor remains responsible for compliance with the obligations of this Addendum and for any acts or omissions of sub-processors that cause the Processor to breach any of its obligations under this Addendum.
6.3. New data processors will be added to Annex 1 of this Addendum. If the Controller does not approve of a new data processor, an objection to the planned change must be submitted to the Processor within two (2) weeks of receiving information about the change. If an objection is submitted, the Processor may, at its discretion, provide the service without the planned change or suggest an alternative processor and coordinate this with the Controller. If providing the service without the intended changes is unreasonable for the Processor, for example, due to disproportionate costs, or if an agreement on an alternative processor cannot be reached, the Controller and the Processor may terminate this Addendum and the Agreement by providing one (1) month's prior written notice.
7. CONFIDENTIALITY
7.1. The Processor must maintain confidentiality while processing Customer Data on behalf of the Controller.
7.2. In performing its obligations under this Addendum, the Processor ensures that persons authorized to process personal data are committed to confidentiality. Upon request, the Processor shall provide the Controller with evidence of such confidentiality obligations.
8. PLACE OF PROCESSING
8.1. The processing of Customer Data is essentially carried out within the territory of the European Union / European Economic Area.
8.2. The Controller authorizes the Processor to transfer or access Customer Data outside the European Union / European Economic Area, provided that:
8.2.1. such transfer is necessary for the performance of the Agreement; and
8.2.2. appropriate safeguards are implemented to ensure an adequate level of protection for Customer Data in accordance with the GDPR.
9. AUDITS
9.1. The Controller has the right, upon providing one (1) month's prior written notice and during the Processor's normal business hours, to conduct an audit to verify whether the Processor's activities in processing Customer Data on behalf of the Controller comply with the GDPR and the provisions of this Addendum. This audit shall be performed without disrupting the Processor's business operations and without creating risks to the security measures applied by the Processor. The Controller may perform these audits personally or through third parties. In any case, audits are performed at the Controller's expense. Audits may also be performed based on existing Processor market standard certificates, certificates or reports issued by an independent institution (such as auditors, external data protection officers, or external data protection auditors), or self-assessments. The Processor shall cooperate during the inspections.
9.2. The Processor will not grant the Controller or any third party hired by the Controller access to the Processor's systems and IT infrastructure used to provide services under the Agreement.
10. DELETION OF PERSONAL DATA
10.1. Upon termination of the service provision, the Processor will store Customer Data related to the Controller's account for six (6) months. During this period, the Controller may, on their own initiative and at their own expense, access and export their data. After the storage period expires, all such data will be irreversibly deleted and cannot be recovered.
11. DATA BREACH NOTIFICATION
11.1. Upon becoming aware of a personal data breach, the Processor shall immediately, but no later than within seventy-two (72) hours, inform the Controller by email or in writing and, if possible, provide the following information:
11.1.1. the date and time when the data breach may have occurred, and the date and time when the Processor became aware of the data breach;
11.1.2. a description of the nature of the data breach, including, if possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
11.1.3. details of a contact person who can provide more information;
11.1.4. a description of the potential consequences;
11.1.5. a description of the measures the Processor has implemented or intends to implement to address the data breach and mitigate potential negative consequences;
11.1.6. other relevant information.
11.2. The Processor cooperates with the Controller to address the data breach and mitigate its negative consequences, as well as to enable the Controller to inform the supervisory authority and data subjects about the data breach.
11.3. The Processor implements appropriate corrective measures, including notifying the Controller, investigating the relevant breach, and preparing a report on the causes of the data breach.
12. LIABILITY
12.1. The Processor is liable for damage caused by the processing of Customer Data only if it has not complied with the obligations set out in the GDPR specifically applicable to data processors or if it has acted outside of or contrary to the Controller's lawful instructions. The Processor is liable only for damage directly caused by its breach. The Processor's liability shall be subject to the liability terms set out in the Agreement, including any limitations thereof. The Processor's total liability is limited to the amount paid by the Controller to the Processor under the Agreement during the last six (6) months prior to the occurrence of the circumstances giving rise to the liability.
12.2. The Controller is responsible for any damage incurred by the Processor due to the Controller's breach of this Addendum and/or the requirements of applicable laws.
13. FINAL PROVISIONS
13.1. If the provisions of this Addendum conflict with the terms set out in the Agreement, the provisions of this Addendum shall prevail.
13.2. This Addendum enters into force after the Controller (or their authorized representatives) agrees to the Agreement and remains valid for as long as the Processor processes Customer Data on behalf of the Controller.
13.3. This Addendum is governed by and construed in accordance with the laws of the Republic of Lithuania.
13.4. Any claims or disputes arising from a breach, termination, or invalidity of this Addendum or any of its provisions shall be resolved in a competent court according to the Processor's registered office.
13.5. Inseparable parts of the Addendum are:
13.5.1. Annex 1 – Data Processing Details;
13.5.2. Annex 2 – Security Measures.
ANNEX 1
DATA PROCESSING DETAILS
| Object, nature, and purpose of data processing | Processing of Customer Data to enable the Customer (or its representatives acting on behalf of the Customer) to use SingleList in accordance with the Agreement. |
| Types/categories of Customer Data processed | The Processor may process any category of personal data that the Customer (or its authorized representatives on the Customer's behalf) decides to process while using SingleList, including but not limited to search actions performed, saved lists of real estate objects and list content, list analysis actions performed, queries to the artificial intelligence (AI) chatbot, its responses, etc. |
| Categories of data subjects | Natural persons whose personal data the Controller processes using SingleList. |
| Duration of data processing | For as long as the Controller uses SingleList. |
| List of sub-processors | Microsoft Ireland Operations Ltd.: customer data storage, AI functions. Oxylabs UAB: provides technology for data retrieval. |
| Jurisdiction | Lithuania, Netherlands. |
ANNEX 2
SECURITY MEASURES
Taking into account best practices, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of risk to the rights and freedoms of natural persons, the Processor shall implement the following technical and organizational measures:
1. Encryption Measures
Measures by which readable text/information is converted into an unreadable, difficult-to-interpret sequence of characters (ciphertext) using encryption methods.
Description of encryption measures: symmetric/asymmetric encryption is applied to communications between participants and/or servers.
2. Physical Access Control
Measures that physically prevent unauthorized persons from accessing IT systems and equipment used to process personal data, as well as confidential files and data media.
Description of physical access control measures: limiting unauthorized access to data processing systems by locking premises, using access cards, and other locks.
3. Logical Access Control
Measures preventing unauthorized persons from processing or using data.
Description of logical access control measures: system access management, use of secure passwords, and login using one-time passwords (OTP).
4. Data Access Control
Measures ensuring that persons authorized to use data processing systems can access personal data only according to their assigned access rights and that data cannot be read, copied, modified, or removed without authorization during processing, use, and storage.
Data access control measures: access to the server and database is possible only with a username, password, and one-time password (OTP).
5. Separation Rule
Measures ensuring that data collected for different purposes are processed separately and isolated from other data and systems to prevent unintentional use for purposes other than those for which they were collected.
Separation measures: separate processing of data collected for different purposes based on permission measures, use and development of software and information systems based on customer separation, and separation of development and production environments.
6. Availability Control
Measures ensuring that personal data is protected against accidental destruction or loss.
Description of the availability control system: data is stored on reliable cloud servers with a backup procedure; automatic data backups are performed every 24 hours.
7. Documentation and Procedures
Internal documents related to data processing, ensuring that data is processed in accordance with the requirements of applicable laws.
Lists of documents and procedures: internal personal data processing procedures.
