Data Processing Agreement
AGP1 — a product of BizCode Sp. z o.o.
Last updated: February 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the Customer and BizCode Sp. z o.o. and reflects the parties’ agreement regarding the processing of personal data by BizCode on behalf of the Customer.
1. Definitions
1.1. “Customer” — the organization that has entered into the Terms of Service for the use of AGP1.
1.2. “Processor” — BizCode Sp. z o.o. with its registered office at ul. Życzliwa 25/2, 53-030 Wrocław, Poland, KRS: 0000626823, NIP: PL8992794147, REGON: 364949966.
1.3. “Controller” — the Customer, who determines the purposes and means of processing personal data entered into the Service.
1.4. “Service” — the AGP1 application available at https://agp1.bizcode365.com.
1.5. “Personal Data” — any information relating to an identified or identifiable natural person, as defined in Art. 4(1) GDPR, entered into the Service by or on behalf of the Customer.
1.6. “GDPR” — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
1.7. “Sub-processor” — a third party engaged by BizCode to process Personal Data on behalf of the Customer.
2. Scope and Purpose of Processing
2.1. The Customer, as Controller, entrusts BizCode, as Processor, with the processing of Personal Data solely for the purpose of providing the Service as described in the Terms of Service.
2.2. Categories of data subjects:
- Customer’s clients and prospective clients
- Customer’s business contacts and partners
- Customer’s employees and collaborators (as CRM users)
2.3. Categories of personal data:
- Contact data: names, email addresses, phone numbers, job titles
- Company data: company names, addresses, industry
- Business relationship data: opportunities, activities, notes, transaction history
- User account data: names, email addresses, roles
2.4. Processing operations: collection, storage, retrieval, modification, deletion, and any other operations necessary to provide the Service.
2.5. Duration: Personal Data is processed for the duration of the Customer’s use of the Service, plus the retention period specified in the Privacy Policy.
3. Obligations of the Processor
BizCode shall:
3.1. Process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data outside the EEA, unless required to do so by applicable law — in which case BizCode shall inform the Customer of that legal requirement before processing, unless prohibited by law.
3.2. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Art. 32 GDPR, including:
- Encryption of data in transit (TLS)
- Access controls and authentication mechanisms
- Regular backups
- Logical separation of Customer data (multi-tenant architecture)
3.4. Not engage another processor (Sub-processor) without prior written authorization from the Customer, subject to Section 6 below.
3.5. Assist the Customer, taking into account the nature of processing, in fulfilling the Customer’s obligations to respond to requests from data subjects exercising their rights under GDPR (Chapter III).
3.6. Assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to BizCode.
3.7. At the choice of the Customer, delete or return all Personal Data to the Customer after the end of the provision of the Service, and delete existing copies unless applicable law requires storage of the Personal Data. Data export is available in CSV or JSON format, as specified in the Terms of Service (Section 5.3).
3.8. Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, subject to reasonable notice and scope.
4. Obligations of the Controller
The Customer shall:
4.1. Ensure that it has a lawful basis for processing Personal Data entered into the Service.
4.2. Ensure that data subjects have been informed about the processing in accordance with Articles 13 and 14 GDPR.
4.3. Be responsible for the accuracy, quality, and legality of Personal Data provided to BizCode.
5. Data Breach Notification
5.1. BizCode shall notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer’s Personal Data.
5.2. The notification shall include:
- A description of the nature of the breach
- The categories and approximate number of data subjects and records concerned
- The likely consequences of the breach
- The measures taken or proposed to address the breach
6. Sub-processors
6.1. The Customer provides general authorization for BizCode to engage Sub-processors for the purpose of providing the Service.
6.2. The current list of Sub-processors includes:
| Sub-processor | Purpose | Location |
|---|---|---|
| DigitalOcean LLC | Cloud hosting and infrastructure | EU (Frankfurt, Germany) |
| PostHog Inc. | Product analytics (anonymized IDs only) | EU |
| Brevo (Sendinblue SA) | Transactional email delivery | EU (France, Belgium) |
6.3. BizCode shall inform the Customer of any intended changes to the list of Sub-processors by notifying the Customer by email at least 14 days before the new Sub-processor begins processing data.
6.4. The Customer may object to a new Sub-processor within 14 days of notification. If the objection is not resolved, the Customer may terminate the agreement.
6.5. BizCode shall impose on each Sub-processor, by way of a contract, the same data protection obligations as set out in this DPA.
7. International Transfers
7.1. BizCode processes all Customer Personal Data within the European Economic Area (EEA).
7.2. If a transfer outside the EEA becomes necessary (e.g., due to a change of Sub-processor), BizCode shall ensure that appropriate safeguards are in place in accordance with Chapter V GDPR (e.g., Standard Contractual Clauses) and shall obtain prior written consent from the Customer.
8. Audit Rights
8.1. The Customer may audit BizCode’s compliance with this DPA once per calendar year, with at least 30 days’ written notice.
8.2. Audits shall be conducted during normal business hours and shall not unreasonably interfere with BizCode’s operations.
8.3. If an audit is performed by a third-party auditor, such auditor must execute a confidentiality agreement acceptable to BizCode.
9. Liability
9.1. Each party’s liability under this DPA is subject to the limitations set out in the Terms of Service (Section 8).
10. Term and Termination
10.1. This DPA enters into force upon the Customer’s acceptance of the Terms of Service and remains in effect for the duration of the Customer’s use of the Service.
10.2. Obligations related to confidentiality, data deletion, and data return survive termination of this DPA.
11. Governing Law
11.1. This DPA is governed by the laws of the Republic of Poland.
11.2. Any disputes arising from this DPA shall be resolved by the competent court in Wrocław, Poland.
Processor: BizCode Sp. z o.o., ul. Życzliwa 25/2, 53-030 Wrocław, Poland | KRS: 0000626823 | NIP: PL8992794147 | [email protected]