Data Processing Agreement

The GDPR Article 28 data processing terms that apply when Sofidus processes data on behalf of customers.

DATA PROCESSING AGREEMENT (DPA) (EN)

Effective date: 2026‑03‑17


Purpose of this Data Processing Agreement (DPA)

This DPA defines how we process Personal Data on behalf of the Customer when delivering our Services. Its purpose is to establish the rights and obligations of both parties in accordance with GDPR Article 28, ensuring that processing is lawful, secure, and performed only on documented Customer instructions.


Who this DPA is for

This DPA applies to Customers acting as data controllers who use the Services to process personal data of employees, users, contractors, project participants, or other individuals. It applies to both direct customers and those subscribing through the Microsoft Commercial Marketplace.


Parties

This DPA forms part of the Main Agreement between:

UAB Engman Arccon (“Processor”, “Supplier”), company code 304861433, registered office: A. Goštauto g. 8, LT‑01108 Vilnius, Lithuania

and

the Customer identified in the Order or subscription (“Controller”, “Customer”).

Together — the Parties.


1. Subject Matter and Duration

Subject matter

The Processor will process Personal Data on behalf of the Controller solely to provide the Services described in the Main Agreement and this DPA.

Duration

This DPA remains in effect for the full term of the Main Agreement and until all Personal Data is deleted or returned per Section 10.


2. Roles and Instructions

  • Controller = data controller under GDPR
  • Processor = data processor under GDPR

Documented instructions

Processor shall process Personal Data only based on the Controller’s documented instructions, unless EU or Member State law requires otherwise.

Controller responsibilities

The Controller is responsible for:

  • ensuring lawful processing
  • providing required privacy notices
  • obtaining necessary consents
  • ensuring data is accurate

3. Scope of Processing

Categories of data subjects

  • end-users
  • administrators
  • project participants
  • bidders
  • any individuals whose data is submitted to the Services

Categories of Personal Data

  • identity & contact data
  • account & authentication data (incl. SSO identifiers)
  • roles/permissions
  • project file metadata
  • audit, usage, and telemetry logs
  • support correspondence
  • any data uploaded by the Customer

No special categories of Personal Data are intentionally required.

Purpose and nature

  • provision and maintenance of the Services
  • security
  • support
  • billing and subscription administration (if applicable)

Operations performed

  • collection
  • storage
  • access
  • transfer
  • deletion
  • organization & structuring

Data location

Primary hosting in Microsoft Azure EU (see Annex III for sub‑processors).


4. Confidentiality and Personnel

Processor ensures that all personnel authorized to process Personal Data:

  • are bound by confidentiality obligations
  • receive privacy/security training
  • access data only under least‑privilege principles

5. Security of Processing

Processor implements appropriate technical and organizational measures (TOMs) considering:

  • nature and scope of processing
  • state of the art
  • costs
  • risks to data subjects

A summary of TOMs is provided in Annex II.


6. Sub‑processing

  • Controller authorizes sub‑processors listed in Annex III
  • Processor ensures sub‑processors follow equivalent data protection obligations (Art. 28(4))
  • Controller will be notified of sub‑processor changes in advance
  • Controller may object for valid data protection reasons
  • If unresolved, Controller may suspend affected Services

7. International Data Transfers

Processor may transfer data outside:

  • EEA
  • UK
  • Switzerland

only when compliant with GDPR Chapter V.

Transfers rely on:

  • Adequacy decisions (e.g., UK decision)
  • Standard Contractual Clauses (SCCs)
  • supplementary safeguards when appropriate

Primary hosting remains in the EU.

Support staff accessing data from third countries may do so exclusively under SCCs and related safeguards.


8. Assistance to Controller

Processor will assist the Controller with:

  • data subject requests
  • DPIAs (Data Protection Impact Assessments)
  • demonstrating GDPR compliance
  • consultations with supervisory authorities

9. Personal Data Breach Notification

Processor will notify the Controller without undue delay after becoming aware of a breach.

The notification includes:

  • nature of breach
  • number of data subjects affected
  • potential consequences
  • remediation and mitigation steps

Processor will cooperate fully during breach handling.


10. Return and Deletion of Data

Upon termination:

  • Controller may request return and/or deletion of Personal Data, unless retention is required by law

Standard retention

  • Data retained up to 90 days post‑termination
  • Then moved to restricted access (soft deletion)
  • Then permanently erased (hard deletion) from systems and backups

Deletion certificates provided on request.


11. Audits and Compliance

Processor will make available documentation required to demonstrate compliance, including security reports and third‑party certifications.

Controller may conduct an audit:

  • once every 12 months
  • after major incidents
  • during business hours
  • with reasonable notice
  • without disrupting Services
  • relying on existing certifications where possible

12. Microsoft Commercial Marketplace Specifics

When Services are acquired through Azure Marketplace / AppSource:

  • Microsoft receives limited technical/transaction data (billing, metering, licensing)
  • Microsoft acts as an independent controller for such data
  • Processor receives only minimal publisher‑level identifiers

SSO (Microsoft Entra ID)

Processor receives only:

  • user/object ID
  • name
  • email
  • tenant ID
  • assigned roles/groups (if configured)

Passwords are never received.

AI model training

Customer Content and Personal Data are not used to train AI models unless the Customer explicitly opts in.


13. Liability and Indemnity

Liability is governed by the Main Agreement. This DPA does not expand either Party’s liability except where legally required.


14. Order of Precedence

If there is a conflict between this DPA and the Main Agreement, the DPA prevails for matters related to Personal Data processing.


15. Contact Points

Processor: UAB Engman Arccon, info@engman-arccon.com / support@sofidus.tech

Controller: As identified in the Order or subscription.

Annex I – Details of Processing

Data exporter: Controller (Customer)

Data importer: Processor (UAB Engman Arccon)

Subject: Provision, operation, support, and improvement of the Services; security and auditability.

Categories of data subjects: End‑users, administrators, project participants, bidders.

Categories of Personal Data: Identity and contact data; account and authentication data (including SSO identifiers); roles/permissions; usage and audit logs; support communications; project metadata and other data uploaded by the Controller.

Special categories: Not required by default. Any such data is processed solely at the Controller’s discretion.

Retention: As defined in Section 12 of the DPA and in the Privacy Policy.

Frequency of transfers: Continuous, as required to provide the Services.


Annex II – Technical and Organizational Measures (TOMs)

Governance and Access Control (RBAC, least‑privilege, MFA, secure SDLC)

  • Access is granted strictly on a least‑privilege basis.
  • Role‑based access control (RBAC) ensures users receive only necessary permissions.
  • Administrators use multi‑factor authentication (MFA).
  • All updates follow secure SDLC and controlled change‑management processes.

Encryption (TLS 1.2+, AES‑256, cloud KMS)

  • Data in transit is protected by TLS 1.2 or higher.
  • Data at rest is encrypted using AES‑256.
  • Encryption keys are managed using secure cloud‑based Key Management Services (KMS).

Network and Platform Security

  • Network segmentation, firewalls, and Web Application Firewall (WAF).
  • Regular vulnerability scanning.
  • Security patching performed according to a defined maintenance schedule.

Logging and Monitoring (centralized logging, SIEM)

  • Centralized logging with automated monitoring and alerts (SIEM).
  • Tamper‑resistant audit logs ensure accountability and traceability.

Data Resilience (backups, replication, DR, RTO/RPO)

  • Regular backups and replication where applicable.
  • Disaster recovery procedures ensure restoration within defined RTO/RPO.

Testing (penetration tests, security assessments)

  • Periodic penetration tests.
  • Ongoing internal security evaluations and remediation.

Incident Response (IR plan, GDPR Art. 33–34)

  • Documented incident response plan.
  • GDPR‑compliant breach notification workflow.
  • Immediate mitigation and cooperation with the Controller.

Personnel (background checks, confidentiality, training)

  • Background checks where legally allowed.
  • Confidentiality obligations for all staff.
  • Ongoing privacy and security training.

Vendor Management (sub‑processor review and control)

  • Sub‑processor security assessments before engagement.
  • Contractual obligations aligned with GDPR Art. 28(4).
  • Continuous oversight and periodic reviews.

Annex III – Approved Sub‑processors

The Processor uses the following Sub‑processors to deliver, operate, and secure the Services. Each Sub‑processor processes Personal Data solely for the purposes defined in this DPA.


Infrastructure / Hosting

Microsoft Azure (EU — Poland region)

Purpose: Cloud hosting, compute, storage, networking, monitoring.

Justification: Azure complies with major security standards (ISO/IEC 27001, SOC 1/2, etc.).


Authentication / Identity

Microsoft Entra ID (Azure Active Directory)

Purpose: User authentication and single sign‑on (SSO).

Optional third‑party SSO providers (if enabled by Customer):

  • Google
  • LinkedIn

Email & Notifications

Microsoft 365 (EU‑based)

Purpose: System notifications, transactional emails, account‑related communication.

If replaced, an equivalent secure EU‑based provider will be listed in the active Sub‑processor list.


Digital Signatures

UAB Nevda (Lithuania)

Purpose: Qualified electronic signature (QES) under eIDAS.

Note: Fully EU‑compliant for identity‑verified signing workflows.


Payments

No external payment processors are currently used. Payments are executed directly between Customer and Processor via bank transfer. No Sub‑processor receives any payment card information.


Other Tools

Additional Sub‑processors may be added with prior notice to the Controller as required under Section 6.3 of the DPA.


Annex IV – International Transfers and SCCs

When Personal Data is transferred outside:

  • the EEA,
  • the United Kingdom, or
  • Switzerland,

all such transfers are carried out in accordance with GDPR Chapter V.

Where no adequacy decision exists, the Parties rely on:

EU Standard Contractual Clauses (SCCs)

Adopted under European Commission Implementing Decision (EU) 2021/914, using the appropriate module(s) and completed annexes.


Safeguards for International Transfers

  • Technical and organizational measures (Annex II) serve as SCC Annex II (TOMs).
  • Sub‑processor list (Annex III) serves as SCC Annex III.
  • Where required, supplementary measures (encryption, access controls, key management) are applied to maintain equivalence with GDPR protections.
