Attestia.eu — Terms of Service

Note: This is an English translation provided for convenience. In the event of any discrepancy between the Polish version and this English translation, the Polish version shall prevail (see Section 16.2).

Version: 1.0
Effective date: 2026-04-22
Last updated: 2026-04-22


§ 1. General Provisions

  1. These Terms of Service (hereinafter: "Terms") set out the rules and conditions for using the Attestia.eu platform (hereinafter: "Platform" or "Service"), provided electronically by Trimalert sp. z o.o. (hereinafter: "Service Provider"). The Platform is made available under the trade name "Attestia" (hereinafter: "Attestia").
  2. Service Provider:
    • Company: Trimalert sp. z o.o.
    • Registered office: ul. Przasnyska 7/319, 01-756 Warsaw, Poland
    • KRS (National Court Register): 0001233147
    • NIP (Tax ID): 5253085087
    • REGON (Statistical ID): 54440046800000
    • Share capital: PLN 5,000.00
    • Email: contact@attestia.eu
    • Website: https://attestia.eu
  3. These Terms constitute the terms of service for electronically supplied services within the meaning of Article 8 of the Polish Act of 18 July 2002 on Provision of Services by Electronic Means (consolidated text: Journal of Laws 2020, item 344, as amended).
  4. The Platform is intended exclusively for professional entities (B2B) — entrepreneurs, legal persons, organisational units without legal personality to which the law grants legal capacity, and natural persons conducting business activity. The Platform is not intended for consumers within the meaning of Article 22¹ of the Polish Civil Code.
  5. Use of the Platform requires acceptance of these Terms and the Privacy Policy available at https://attestia.eu/privacy.

§ 2. Definitions

For the purposes of these Terms, the following terms shall have the following meanings:

  1. Attestia / Service Provider — Trimalert sp. z o.o. with its registered office in Warsaw (ul. Przasnyska 7/319, 01-756 Warsaw, Poland), entered in the Register of Entrepreneurs of the National Court Register under KRS number 0001233147, NIP 5253085087, REGON 54440046800000, operating the Platform under the trade name "Attestia".
  2. Platform — the web application available at https://app.attestia.eu and related services, enabling the automation of compliance processes with regulations concerning artificial intelligence.
  3. User — a natural person acting on behalf of and for the benefit of the Organisation, holding an Account on the Platform.
  4. Organisation — a professional entity (entrepreneur) that has entered into an agreement with Attestia for the provision of the Service by registering on the Platform.
  5. Account — an individual User account on the Platform, secured by authentication credentials, assigned to an Organisation.
  6. AI System — an artificial intelligence system within the meaning of Article 3(1) of Regulation (EU) 2024/1689 (EU AI Act), the data of which the Organisation enters into the Platform for the purpose of compliance assessment.
  7. Risk Classification — a Platform functionality consisting of AI-assisted analysis and recommendation of the risk category of an AI System in accordance with the EU AI Act.
  8. Compliance Documents — documents generated by the Platform using artificial intelligence, including but not limited to technical documentation (Annex IV of the EU AI Act), fundamental rights impact assessment (FRIA), declaration of conformity, and transparency notices (Art. 50).
  9. Subscription Plan — the variant of the Service selected by the Organisation (Free, Pro, Team, Enterprise), determining the scope of functionalities and limits.
  10. Billing Period — a monthly or annual period for which the Subscription Plan fee is charged.
  11. Organisation Data — all data, information, and materials entered by Users into the Platform, including descriptions of AI Systems, questionnaire responses, evidence files, and documentation.
  12. EU AI Act — Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act).
  13. GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
  14. Business Day — a day from Monday to Friday, excluding public holidays in the Republic of Poland.

§ 3. Description of the Service

  1. Attestia provides a SaaS (Software as a Service) platform enabling the automation of compliance processes with the EU AI Act and other regulations concerning artificial intelligence.
  2. The Platform offers the following functionalities (depending on the Subscription Plan):
    1. AI System Risk Classification — AI-assisted analysis of an AI system against risk categories under the EU AI Act (prohibited, high-risk, limited risk, minimal risk);
    2. Compliance Document Generation — automated creation of draft documentation required by the EU AI Act, including technical documentation (Annex IV), FRIA, and declarations of conformity;
    3. Compliance Dashboard — a panel enabling tracking of the compliance status of the Organisation's AI Systems;
    4. Regulatory Monitoring — notifications about regulatory changes and compliance deadlines;
    5. Audit Log — an immutable, chronological record of all compliance actions on the Platform;
    6. Document Export — export of generated documents in PDF and DOCX formats.
  3. The detailed scope of functionalities available under each Subscription Plan is set out in the pricing schedule available at https://attestia.eu/pricing.

§ 4. Key Disclaimers Regarding the Nature of the Service

This section constitutes an integral and material part of these Terms. By using the Platform, the User confirms that they have read and accept the following disclaimers.

  1. Attestia is a compliance automation tool, NOT a law firm. The Platform does not provide legal services, does not give legal advice, and does not replace professional legal counsel.
  2. Risk Classification is an AI-assisted recommendation, NOT a binding legal determination. The result of Risk Classification is of an exclusively informational and auxiliary nature. Ultimate responsibility for the correct classification of an AI System rests with the Organisation (as the provider or deployer of the AI System within the meaning of the EU AI Act).
  3. Compliance Documents generated by the Platform are working drafts, NOT finalised legal documents. Every generated document requires review, customisation, and approval by a qualified lawyer or compliance specialist before use for regulatory purposes.
  4. Attestia does not certify compliance with the EU AI Act or any other regulation. The Platform does not replace conformity assessments performed by notified bodies for high-risk AI systems.
  5. Attestia is not liable for regulatory penalties imposed on the Organisation as a result of decisions based on Risk Classifications or Compliance Documents generated by the Platform.
  6. The interpretation of the EU AI Act is dynamic and evolving. Harmonised standards, European Commission guidelines, national implementations, and case law may affect the proper interpretation of the provisions. Attestia endeavours to ensure that the Platform reflects the current state of the law, but does not guarantee the completeness or currency of regulatory information.
  7. The Platform uses artificial intelligence (AI). Risk Classification and Compliance Document generation use the Azure OpenAI model (GPT-5.4). AI-generated content may contain errors or inaccuracies. The User is obliged to verify all AI-generated content before use.

§ 5. Registration and Account

  1. Use of the Platform requires the creation of an Account by registering at https://app.attestia.eu.
  2. Registration is available only to adults acting on behalf of and for the benefit of professional entities (B2B). By registering an Account, the User represents that:
    1. they are authorised to represent the Organisation;
    2. the Organisation is a professional entity within the meaning of Section 1.4;
    3. the data provided is true, complete, and current.
  3. Registration requires providing: an email address, first and last name, Organisation name, and creating a password. Alternatively, registration is available via Google or GitHub accounts (OAuth).
  4. Upon registration, an Organisation is automatically created, to which the User is assigned in the role of Owner. The Owner may invite additional Users and assign roles in accordance with the Platform's permission hierarchy.
  5. The User is obliged to:
    1. maintain the confidentiality of authentication credentials (password, access tokens);
    2. promptly notify Attestia of any unauthorised access to the Account;
    3. keep Account and Organisation data up to date.
  6. Attestia shall not be liable for damages resulting from a breach of Account security if the breach occurred due to reasons attributable to the User (e.g., sharing passwords with third parties).
  7. One Account is assigned to one natural person. Account sharing is prohibited.

§ 6. Subscription Plans and Fees

6.1. Subscription Plans

  1. The Platform is available under the following Subscription Plans:
     Plan       | Price (monthly)   | Price (annually)      | AI System limits | User limits
     -----------|-------------------|-----------------------|------------------|------------
     Free       | EUR 0 / PLN 0     | EUR 0 / PLN 0         | 1                | 1
     Pro        | EUR 99 / PLN 399  | EUR 996 / PLN 3,990   | 15               | 3
     Team       | EUR 249 / PLN 999 | EUR 2,496 / PLN 9,990 | 100              | 10
     Enterprise | Custom            | Custom                | Unlimited        | Unlimited
  2. The detailed scope of functionalities for each Plan, including limits and restrictions, is set out in the pricing schedule available at https://attestia.eu/pricing.
  3. Prices are stated as net amounts. VAT is added at the rate applicable in the Organisation's jurisdiction, in accordance with applicable value added tax provisions.
  4. For Organisations established in EU Member States other than Poland, holding an active EU VAT number, the reverse charge mechanism applies.

6.2. Payments

  1. Payments for Subscription Plans are processed by the payment operator Stripe, Inc. (hereinafter: "Stripe"). Attestia does not store payment card data — such data is processed exclusively by Stripe in accordance with PCI DSS requirements.
  2. Available payment methods: payment card (Visa, Mastercard), SEPA Direct Debit (for payers within the SEPA area). For the Enterprise Plan, bank transfer is also available.
  3. The subscription is automatically renewed for the next Billing Period (monthly or annual), unless the Organisation cancels the subscription before the end of the current Billing Period.
  4. Attestia issues VAT invoices in electronic form, available in the Organisation's settings panel and sent to the Account Owner's email address.

6.3. Overdue Payments

  1. In the event of a failed payment attempt, Attestia will make up to 3 retry attempts (on days 1, 3, and 7 from the date of the failed payment).
  2. After 14 days from the first failed payment attempt, without successful settlement of the outstanding amount, Attestia reserves the right to:
    1. restrict access to the Platform (read-only mode);
    2. suspend the Organisation's Account;
    3. after an additional 30 days — delete the Account and Organisation data, in accordance with the procedure set out in Section 12.

6.4. Subscription Plan Changes

  1. The Organisation may change the Subscription Plan at any time:
    1. Upgrade (change to a higher Plan) — the change takes effect immediately, with a prorated charge for the remainder of the current Billing Period;
    2. Downgrade (change to a lower Plan) — the change takes effect at the beginning of the next Billing Period. AI Systems and Users exceeding the limits of the new Plan are switched to read-only mode (data is not deleted).

6.5. Refunds

  1. Due to the nature of the Service (immediate access to a digital tool), the Organisation agrees to the commencement of the Service before the expiry of any applicable withdrawal period.
  2. Attestia applies the following refund policy:
    1. annual subscription — prorated refund for unused full months, upon written request submitted within 30 days of the start of the subscription;
    2. monthly subscription — no refunds for a commenced Billing Period;
    3. Free Plan — not subject to refunds.

§ 7. Use of Artificial Intelligence — Transparency Notice (Art. 50 EU AI Act)

  1. Attestia uses artificial intelligence (the Azure OpenAI GPT-5.4 model, provided by Microsoft Corporation via the Microsoft Azure service) for the following purposes:
    1. generating Risk Classification recommendations for AI Systems;
    2. generating draft Compliance Documents;
    3. generating regulatory explanations and analyses.
  2. Identification of AI-generated content. All content generated by artificial intelligence on the Platform is marked with an "AI-assisted" label or equivalent designation. Documents generated in PDF and DOCX formats include the note: "Document generated with the assistance of artificial intelligence by Attestia.eu. Requires review by a qualified specialist."
  3. Human oversight. The Platform employs a triple verification mechanism for Risk Classification:
    1. rules engine (deterministic) — analysis based on EU AI Act provisions;
    2. AI recommendation — analysis using a language model;
    3. User review and approval — the final decision rests with a human.
    The User has the ability to reject or correct AI recommendations at every stage.
  4. Accuracy. AI recommendations are probabilistic in nature and may contain errors. Attestia displays a confidence score with each Risk Classification. Classifications with low confidence or concerning borderline cases (grey areas) require mandatory expert review.
  5. Data processing by AI. AI System descriptions entered by the User are transmitted to the Azure OpenAI service (EU region — Sweden) in pseudonymised form (without Organisation name, User personal data, or billing data) solely for the purpose of generating Risk Classifications or Compliance Documents. This data:
    1. is processed in the EU region (Azure Sweden, swedencentral) and is not transferred outside the European Economic Area;
    2. is not used by Microsoft for AI model training (in accordance with Azure OpenAI terms);
    3. is processed transiently only: it is not stored on the Azure OpenAI side after processing is completed.

§ 8. Intellectual Property Rights

8.1. Attestia's Intellectual Property

  1. The Platform, its source code, algorithms, user interface, design, document templates, classification rules engine, regulatory knowledge base, the trademarks "Attestia" and "Attestia.eu", and all other elements of the Platform constitute the intellectual property of Attestia or its licensors and are protected by copyright law, industrial property law, and other intellectual property protection provisions.
  2. These Terms do not transfer any intellectual property rights in the Platform to the User or the Organisation. The Organisation receives only a limited, non-exclusive, non-transferable, revocable licence to use the Platform within the scope of the selected Subscription Plan, for the duration of the subscription.

8.2. Organisation Data

  1. The Organisation retains full ownership rights to Organisation Data entered into the Platform, including AI System descriptions, questionnaire responses, and evidence files.
  2. The Organisation grants Attestia a limited licence to process Organisation Data solely for the purpose of providing the Service (including processing by Azure OpenAI for the purpose of generating Risk Classifications and Compliance Documents).

8.3. AI-Generated Documents

  1. Compliance Documents generated by the Platform using data entered by the Organisation constitute the property of the Organisation with respect to the substantive content derived from Organisation Data.
  2. Templates, structures, and formatting elements of Compliance Documents constitute the intellectual property of Attestia. The Organisation may use generated documents for internal and regulatory purposes but may not resell the templates or document generator independently.
  3. Attestia reserves the right to use anonymised, aggregated statistical data (e.g., distribution of risk categories, most common types of AI systems) for the purpose of improving the Platform and creating industry reports, without disclosing Organisation Data.

§ 9. Acceptable Use

  1. The Organisation and its Users undertake to use the Platform solely in accordance with its intended purpose and in compliance with applicable law.
  2. The following is expressly prohibited:
    1. using the Platform to document AI systems whose deployment is prohibited under Article 5 of the EU AI Act (prohibited practices);
    2. using Risk Classifications or Compliance Documents to intentionally mislead regulatory authorities, auditors, or third parties;
    3. entering content into the Platform that is unlawful, infringes the rights of third parties, or contains malicious software;
    4. attempting to gain unauthorised access to the Platform, its infrastructure, the accounts of other Users, or the data of other Organisations;
    5. decompiling, reverse-engineering, disassembling, or otherwise attempting to obtain the source code of the Platform;
    6. automated downloading of data from the Platform (scraping), except for use of the provided API in accordance with documentation;
    7. reselling, sublicensing, or making the Platform available to third parties without the prior written consent of Attestia (except for the Enterprise Plan with the white-label option);
    8. sharing Accounts between multiple natural persons;
    9. circumventing the limitations arising from the Subscription Plan.
  3. In the event of a breach of acceptable use rules, Attestia reserves the right to:
    1. request the Organisation to cease the breach;
    2. temporarily suspend access to the Platform;
    3. immediately terminate the agreement in the event of serious or repeated breaches (Section 12.5).

§ 10. Data Protection

  1. The controller of Users' personal data (account data: first name, last name, email address) is Trimalert sp. z o.o. with its registered office in Warsaw (ul. Przasnyska 7/319, 01-756 Warsaw, Poland), operating the Platform under the "Attestia" brand.
  2. With respect to the processing of Organisation Data containing personal data (e.g., AI System descriptions referring to natural persons), Attestia acts as a data processor within the meaning of Article 28 of the GDPR, and the Organisation as the data controller. The detailed terms of data processing entrustment are governed by a separate Data Processing Agreement (DPA), constituting Annex 1 to these Terms.
  3. Detailed information regarding the processing of personal data, including purposes, legal bases, data subject rights, categories of recipients, and retention periods, is contained in the Privacy Policy available at https://attestia.eu/privacy.
  4. Attestia uses the following sub-processors:
     Sub-processor                        | Data scope                                                        | Data location                 | DPA
     -------------------------------------|-------------------------------------------------------------------|-------------------------------|----
     Supabase (Pty) Ltd                   | Application data (accounts, organisations, AI systems, audit log) | EU — Frankfurt (eu-central-1) | Yes
     Microsoft Corporation (Azure OpenAI) | AI system descriptions (pseudonymised)                            | EU — Sweden (swedencentral)   | Yes
     Vercel, Inc.                         | No persistently stored data (edge)                                | EU (edge nodes)               | Yes
     Stripe, Inc.                         | Billing data                                                      | EU + US                       | Yes
     Resend, Inc.                         | Email addresses (message delivery)                                | US (with SCCs)                | Yes
  5. The Organisation undertakes to inform persons whose personal data it enters into the Platform about the processing of such data in accordance with Articles 13 and 14 of the GDPR.

§ 11. Liability and Limitation of Liability

11.1. Organisation's Liability

  1. The Organisation bears sole liability for:
    1. the accuracy and completeness of Organisation Data entered into the Platform;
    2. the final decision on Risk Classification of its AI Systems — regardless of the Platform's recommendations;
    3. the review, customisation, and approval of Compliance Documents before their use for regulatory purposes;
    4. the implementation of required compliance measures under the EU AI Act and other regulations;
    5. reporting serious incidents (Article 73 of the EU AI Act) to the relevant authorities;
    6. the accuracy of tax and billing data.

11.2. Limitation of Attestia's Liability

  1. To the maximum extent permitted by applicable law, the total liability of Attestia towards the Organisation arising from or in connection with the use of the Platform, regardless of the legal basis (contract, tort, unjust enrichment, or otherwise), is limited to the total amount of fees actually paid by the Organisation to Attestia in the 12 months immediately preceding the event giving rise to the claim.
  2. Attestia shall not be liable for:
    1. indirect damages, lost profits, loss of data, loss of reputation, or other consequential damages, even if Attestia was previously informed of the possibility of their occurrence;
    2. regulatory penalties imposed on the Organisation by supervisory authorities (including under the EU AI Act, GDPR, or other regulations), resulting from decisions made by the Organisation based on Risk Classifications or Compliance Documents generated by the Platform;
    3. errors in AI-generated content, if the Organisation did not review and verify such content in accordance with Section 4 of these Terms;
    4. changes in the legal landscape (new regulations, guidelines, case law, harmonised standards) introduced after the generation of Risk Classifications or Compliance Documents;
    5. incompatibility or changes in third-party services (Microsoft Azure OpenAI, Supabase, Stripe), including changes in AI model behaviour;
    6. interruptions in access to the Platform resulting from planned maintenance (with prior notification), force majeure events, or failures of third-party infrastructure;
    7. acts or omissions of Users, including breaches of Account security attributable to the User.
  3. The limitations of liability set out in this section shall not apply in the event of:
    1. damages caused intentionally or through gross negligence of Attestia;
    2. liability the limitation of which is not permissible under mandatory provisions of Polish or EU law.

11.3. No Warranties

  1. The Platform is provided on an "AS IS" and "AS AVAILABLE" basis. Attestia does not provide any warranties, express or implied, in particular:
    1. warranties of fitness for a particular purpose;
    2. warranties of uninterrupted or error-free operation of the Platform;
    3. warranties of completeness, accuracy, or currency of the regulatory knowledge base;
    4. warranties that use of the Platform will ensure compliance with the EU AI Act or any other regulation.

§ 12. Term and Termination

12.1. Term

  1. The agreement for the provision of the Service is concluded for an indefinite period (Free Plan) or for the duration of the Billing Period with automatic renewal (paid Plans).

12.2. Termination by the Organisation

  1. The Organisation may terminate the agreement (cancel the subscription) at any time through the Account settings panel. Termination is effective at the end of the current Billing Period — until that time, the Organisation retains full access to the Platform.
  2. Before cancelling the subscription, the Organisation should export Organisation Data and generated Compliance Documents (export function available in the Platform panel).

12.3. Termination by Attestia

  1. Attestia may terminate the agreement with 30 days' notice, notifying the Organisation at the Account Owner's email address. In such case, Attestia shall refund the prorated portion of the fee for the unused Billing Period.
  2. Attestia may terminate the agreement with immediate effect in the event of:
    1. a material breach of these Terms by the Organisation or its Users, including breach of Section 9 (acceptable use), if the breach has not been remedied within 14 days of a request to do so;
    2. use of the Platform for unlawful purposes;
    3. payment arrears exceeding 44 days (14 days grace period + 30 days after suspension).

12.4. Effects of Termination

  1. Upon termination of the agreement:
    1. access to the Platform is deactivated;
    2. the Organisation may request export of Organisation Data in JSON/CSV format within 30 days of termination. After this period, Organisation Data will be deleted;
    3. the Audit Log is retained in pseudonymised form for a period of 10 years from the date of the last entry, in accordance with the requirements of Article 18 of the EU AI Act. Pseudonymisation involves replacing User and Organisation identifiers with irreversible cryptographic hashes;
    4. billing data is retained for the period required by tax law (5 years in Poland);
    5. Users' personal data (first name, last name, email) is deleted within 30 days of termination, unless further processing is necessary for legal reasons.

§ 13. Platform Availability and Technical Support

13.1. Availability

  1. Attestia endeavours to ensure that the Platform is available 24 hours a day, 7 days a week. Attestia does not guarantee uninterrupted availability of the Platform.
  2. Planned maintenance will be carried out, where possible, during night-time hours (CET/CEST) with prior notification to Users (minimum 24 hours before the planned downtime).
  3. Availability guarantee (SLA — Service Level Agreement):
     Plan       | Availability guarantee                 | Support response time
     -----------|----------------------------------------|---------------------------------
     Free       | No guarantee                           | No support (knowledge base only)
     Pro        | No formal guarantee                    | 48 hours (email)
     Team       | No formal guarantee                    | 24 hours (priority email)
     Enterprise | 99.9% uptime (separate SLA agreement)  | Custom

13.2. Technical Support

  1. Technical support is available via email at: support@attestia.eu.
  2. The scope of technical support covers assistance with using the Platform. Technical support does not include legal advice, regulatory interpretation, or compliance consultations.

§ 14. Amendments to These Terms

  1. Attestia reserves the right to amend these Terms. Attestia shall notify Organisations of any amendment:
    1. by email to the Account Owner's email address — with at least 30 days' notice before the amendments take effect;
    2. via a notification on the Platform.
  2. The notification of amendments shall include: a description of material changes, the effective date of the new version, and a link to the full text of the amended Terms.
  3. Continued use of the Platform after the effective date of the amended Terms constitutes acceptance of the amendments.
  4. If the Organisation does not accept the amended Terms, it has the right to terminate the agreement with effect on the date the amended Terms enter into force, with the right to a prorated refund for the unused Billing Period.
  5. Amendments to these Terms do not affect the rights and obligations of the parties arising from agreements concluded before the amended Terms entered into force, unless the amendment results from mandatory provisions of law.

§ 15. Force Majeure

  1. Neither party shall be liable for non-performance or improper performance of obligations arising from these Terms if this is caused by force majeure, understood as an external, extraordinary event that is impossible to foresee and prevent, in particular: natural disasters, wars, acts of terrorism, epidemics, pandemics, general strikes, failures of telecommunications infrastructure of national or international scope, mass-scale cyberattacks, decisions of public authorities making it impossible to provide the Service.
  2. The party affected by force majeure shall promptly notify the other party of its occurrence and expected duration.

§ 16. Governing Law and Dispute Resolution

  1. These Terms are governed by and construed in accordance with the law of the Republic of Poland, taking into account mandatory provisions of European Union law (including the GDPR and the EU AI Act).
  2. The Polish version of these Terms is the binding version. In the event of any discrepancy between the Polish version and translations into other languages, the Polish version shall prevail.
  3. The parties shall endeavour to resolve amicably any disputes arising from or in connection with these Terms through negotiation.
  4. If a dispute cannot be resolved through negotiation within 30 days, the dispute shall be submitted to mediation conducted by a mediator jointly selected by the parties or, in the absence of agreement on the mediator, by the Mediation Centre at the Court of Arbitration at the Polish Chamber of Commerce in Warsaw (Centrum Mediacji przy Sądzie Arbitrażowym przy Krajowej Izbie Gospodarczej w Warszawie).
  5. If mediation is unsuccessful, disputes shall be resolved by the common court having jurisdiction over the registered office of Trimalert sp. z o.o. (Warsaw, Poland).
  6. Notwithstanding the above, Attestia reserves the right to seek urgent relief (interim measures) before the court having jurisdiction over the place of infringement, in the event of infringement of intellectual property rights or confidentiality obligations.

§ 17. Confidentiality

  1. The parties undertake to maintain the confidentiality of confidential information obtained in connection with the use of the Platform, in particular:
    1. Organisation Data (including AI System descriptions, which may constitute trade secrets);
    2. commercial terms of individual agreements (Enterprise Plan);
    3. technical information relating to the Platform that is not publicly available.
  2. The confidentiality obligation does not apply to information that:
    1. is publicly available without breach of confidentiality obligations;
    2. was known to the party before its receipt from the other party;
    3. was obtained from third parties in a lawful manner;
    4. must be disclosed under applicable law, a court order, or a decision of an administrative authority — in which case the party obliged to disclose shall promptly notify the other party (to the extent legally permissible).
  3. The confidentiality obligation shall remain in force for the duration of the agreement and for a period of 3 years following its termination.

§ 18. Final Provisions

  1. If any provision of these Terms is found to be invalid, ineffective, or unenforceable by a competent court or authority, the remaining provisions of these Terms shall remain in force. The parties undertake to replace the invalid provision with a valid provision whose economic and legal purpose is as close as possible to the replaced provision.
  2. Attestia may transfer the rights and obligations arising from these Terms to a third party (in particular in the event of a merger, acquisition, or sale of the business), upon notification to Organisations with at least 30 days' notice. An Organisation that does not accept the assignment may terminate the agreement with effect on the date of the assignment.
  3. The Organisation may not transfer the rights and obligations arising from these Terms to a third party without the prior written consent of Attestia.
  4. Failure by Attestia to enforce any provision of these Terms in a given instance shall not constitute a waiver of the right to enforce such provision in the future.
  5. These Terms, together with the Privacy Policy, the Data Processing Agreement (DPA), and, in the case of the Enterprise Plan, a separate SLA agreement, constitute the entire agreement between the parties with respect to the use of the Platform and supersede all prior arrangements, understandings, and agreements relating to the same subject matter.
  6. All notifications arising from these Terms shall be directed:
    1. to the Organisation — to the Account Owner's email address;
    2. to the Service Provider — to: contact@attestia.eu or the correspondence address of Trimalert sp. z o.o. (ul. Przasnyska 7/319, 01-756 Warsaw, Poland).
  7. Annexes to these Terms:
    • Annex 1: Data Processing Agreement (DPA)
    • Annex 2: Pricing Schedule and Subscription Plan Specifications

Annex 1 — Data Processing Agreement (DPA)

Article 1. Subject Matter and Scope

  1. This Data Processing Agreement (hereinafter: "DPA") constitutes an annex to the Terms and governs the terms of personal data processing entrustment by the Organisation (Controller) to Attestia (Processor) in connection with the use of the Platform, in accordance with Article 28 of the GDPR.
  2. The Processor shall process personal data exclusively on behalf of and on the documented instructions of the Controller, within the scope and for the purpose specified in this DPA.

Article 2. Subject Matter of Processing

  Element                      | Description
  -----------------------------|-----------------------------------------------------------------------------------------------
  Subject matter of processing | Provision of the Attestia.eu Platform service — risk classification, compliance document generation, monitoring
  Duration                     | Duration of the agreement + 30 days for data export + audit log retention (10 years, pseudonymised)
  Nature of processing         | Storage, analysis, generation, pseudonymisation, deletion
  Purpose of processing        | AI system risk classification, compliance documentation generation, audit log maintenance
  Types of personal data       | User identifiers, contact data, AI system descriptions that may contain references to natural persons, activity logs
  Categories of data subjects  | Employees and associates of the Organisation (Platform Users), persons affected by the Organisation's AI systems (indirectly — in system descriptions)

Article 3. Obligations of the Processor

  1. The Processor undertakes to:
    1. process personal data exclusively on the basis of documented instructions of the Controller (including this DPA and the Terms), unless processing is required under EU or Polish law — in which case the Processor shall inform the Controller of such requirement before processing (unless the law prohibits such notification);
    2. ensure that persons authorised to process personal data have committed themselves to confidentiality or are under a statutory obligation of confidentiality;
    3. implement appropriate technical and organisational measures ensuring a level of security appropriate to the risk (Annex A to this DPA);
    4. engage the services of further processors (sub-processors) only in accordance with Article 5 of this DPA;
    5. assist the Controller in fulfilling the obligation to respond to requests of data subjects exercising their rights (Articles 15–22 of the GDPR);
    6. assist the Controller in fulfilling obligations under Articles 32–36 of the GDPR (security, breach notification, DPIA, prior consultation);
    7. upon termination of the services — delete or return all personal data, at the Controller's discretion, and delete existing copies, unless EU or Polish law requires further storage;
    8. make available to the Controller all information necessary to demonstrate compliance with obligations under Article 28 of the GDPR and enable the conduct of audits, including inspections.

Article 4. Personal Data Breach Notification

  1. The Processor shall notify the Controller of a personal data breach without undue delay, no later than within 24 hours of becoming aware of the breach (to enable the Controller to meet the 72-hour deadline for notification to the supervisory authority under Article 33 of the GDPR).
  2. The notification shall include at a minimum:
    1. a description of the nature of the breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
    2. the contact details of the contact point;
    3. a description of the likely consequences of the breach;
    4. a description of the measures taken or proposed to remedy the breach.

Article 5. Further Processors (Sub-processors)

  1. The Controller grants general consent for the Processor to engage the further processors listed in Section 10.4 of the Terms.
  2. The Processor shall inform the Controller of any intended change regarding the addition or replacement of a further processor with at least 30 days' notice, enabling the Controller to raise objections.
  3. In the event of a justified objection by the Controller to a new further processor, the parties shall negotiate to find a resolution. If no resolution is reached within 30 days, the Controller has the right to terminate the agreement with immediate effect.
  4. The Processor shall ensure that the same data protection obligations as set out in this DPA are imposed on further processors.

Article 6. Transfers of Data Outside the EEA

  1. The Processor shall not transfer personal data outside the European Economic Area (EEA) without the prior consent of the Controller and without ensuring an adequate level of data protection in accordance with Chapter V of the GDPR.
  2. Where a transfer of data outside the EEA is necessary (e.g., Resend — US), the Processor shall apply the Standard Contractual Clauses (SCCs) approved by European Commission Decision (EU) 2021/914.

Article 7. Audits

  1. The Processor shall make available to the Controller, upon request and with reasonable advance notice (minimum 30 Business Days), information and documents necessary to demonstrate compliance with obligations under Article 28 of the GDPR.
  2. The Controller may conduct an audit (independently or through an authorised auditor) no more than once per year, upon prior agreement of the date and scope. The costs of the audit shall be borne by the Controller.
  3. Alternatively, the Processor may submit a SOC 2 Type II certificate (upon obtaining it) or an equivalent auditor's report as evidence of compliance with security requirements.

Annex A to the DPA — Technical and Organisational Measures

  Category                 | Measure
  -------------------------|-----------------------------------------------------------------------------------------------
  Encryption in transit    | TLS 1.3 for all connections
  Encryption at rest       | AES-256 (Supabase — PostgreSQL), Azure volume encryption
  Access control           | RBAC (4 roles: Owner, Admin, Member, Viewer), RLS at database level
  Authentication           | Email + password, OAuth (Google, GitHub), optional MFA (TOTP)
  Data isolation           | Multi-tenant with Row Level Security — Organisation data isolated at the SQL query level
  Pseudonymisation         | Data sent to Azure OpenAI is pseudonymised (without Organisation name, without personal data)
  Audit log                | Immutable, hash-chained (SHA-256), append-only
  Session management       | Access token: 1h TTL, Refresh token: 7d TTL, httpOnly secure cookies
  Backup                   | Automatic database backups (Supabase) — daily, 30-day retention
  Security monitoring      | Sentry (error tracking), anomaly alerting
  Security testing         | Planned: penetration testing (quarterly), code review
  Password policy          | Minimum length, complexity requirements (Supabase Auth defaults)
  Vulnerability management | Automatic dependency updates, CVE monitoring