Data Processing Agreement (DPA) – Web Solutions, Design, and Support Services

1. Introduction

This Data Processing Agreement (“DPA”) is made and entered into by and between NovoEssential SIA (“Data Controller”) and the User (“Data Processor”) for the processing of personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (“GDPR”).

2. Purpose of Data Processing

The Data Processor will process personal data only for the purpose of providing the services agreed between the parties, which may include the sale of digital products, customer support, and communications. The Data Processor shall not process the personal data for any purpose other than as specified in this agreement or as instructed by the Data Controller.

3. Types of Personal Data Processed

The Data Processor may process the following types of personal data on behalf of the Data Controller:

Name
Email address
Billing and shipping address
Payment information (through third-party payment processors)
Purchase history and transaction data
IP address and device information

4. Data Subject Rights

The Data Processor shall assist the Data Controller in fulfilling its obligations under applicable data protection laws to respond to requests from data subjects exercising their rights. These rights may include access, correction, deletion, and restriction of processing of personal data.

5. Data Security Measures

The Data Processor will implement appropriate technical and organizational measures to ensure the security of personal data and protect it from unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures will include encryption, access controls, and regular audits of the security practices.

6. Subprocessors

The Data Processor may engage subcontractors or subprocessors (“Subprocessors”) to process personal data on behalf of the Data Controller. The Data Processor shall ensure that Subprocessors are bound by written agreements that impose the same data protection obligations as those set out in this DPA. The Data Controller has the right to approve any new Subprocessors.

7. Data Retention

Personal data shall not be retained by the Data Processor longer than necessary for the purposes of fulfilling the services agreed upon with the Data Controller, and in compliance with applicable laws. Upon termination of the agreement, the Data Processor shall securely delete or return all personal data, as instructed by the Data Controller.

8. Transfer of Personal Data

If personal data is transferred outside the European Economic Area (“EEA”), the Data Processor will ensure that appropriate safeguards are in place, such as the use of standard contractual clauses or other legally recognized mechanisms for international data transfers.

9. Liability

The Data Processor will be liable for any damages arising from its failure to comply with this DPA, including any violations of applicable data protection laws. The Data Processor agrees to indemnify and hold the Data Controller harmless from any claims, losses, or damages arising out of such non-compliance.

10. Termination

Either party may terminate this DPA if the other party materially breaches its obligations under this agreement and fails to remedy the breach within 30 days of receiving written notice. Upon termination, the Data Processor will cease processing personal data and return or delete all personal data as instructed by the Data Controller.

11. Governing Law and Dispute Resolution

This DPA shall be governed by the laws of Hong Kong, without regard to its conflict of law principles. Any disputes arising from this DPA shall be resolved through binding arbitration in Hong Kong.

12. Changes to this Agreement

The Data Processor reserves the right to update or amend this DPA at any time. Any changes will be communicated to the Data Controller, and the updated DPA will apply to future data processing activities.