Data Processing Agreement (DPA)

This Data Processing Agreement ("Agreement") is entered into between:

  • Data Controller: Quiz creator at Faabul platform ("Controller")
  • Data Processor: Yomio s.r.o., operator of Faabul ("Processor")
  • Last Updated: 2025-02-25

This Agreement outlines the terms under which the Processor will process personal data on behalf of the Controller in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679.

1. Definitions

  • "Personal Data": Any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).

  • "Processing": Any operation performed on Personal Data (e.g., collection, storage, deletion) as defined in GDPR Article 4(2).

  • "Data Subject": An individual whose personal data is being processed.

  • "Sub-processor": A third-party service provider engaged by the Processor to assist in data processing.

2. Purpose and Scope

The Processor will process Personal Data on behalf of the Controller solely to provide quiz creation, hosting, and related services offered by Faabul. The Processor will not process Personal Data for any other purpose without prior written consent from the Controller.

3. Roles and Responsibilities

Controller Responsibilities:

  • Ensure a valid legal basis (e.g., consent) for collecting quiz taker data.
  • Comply with all GDPR obligations related to the data collected.
  • Provide accurate instructions to the Processor for data handling.

Processor Responsibilities:

  • Process Personal Data only based on the Controller’s instructions.
  • Implement appropriate technical and organizational measures to protect Personal Data.
  • Ensure personnel involved in data processing are bound by confidentiality.

4. Types of Personal Data Processed

Quiz Taker Data:

  • Quiz responses (text, selections)
  • Personal information collected by the Controller (e.g., name, email, custom fields)
  • Metadata (e.g. timestamps)

Special Categories of Data:

  • The Processor does not process special categories of personal data (GDPR Article 9) unless explicitly instructed by the Controller.

5. Sub-processing

The Controller authorizes the use of the following Sub-processors:

  • Google Firebase (hosting and storage)
  • Stripe (payment processing)
  • OpenAI (AI-powered features)
  • Google Analytics (platform analytics)

The Processor will publish any changes to Sub-processors on this webpage, allowing the Controller to object within 30 days.

The Processor ensures that Sub-processors are bound by data protection obligations equivalent to those in this Agreement.

6. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), the Processor ensures appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs)
  • Data Privacy Framework (if applicable)

7. Security Measures

The Processor implements industry-standard security practices, including:

  • Data encryption at rest and in transit
  • Secure authentication methods (e.g. hashed passwords)
  • Regular security audits and vulnerability assessments
  • Access controls limiting data access to authorized personnel only

8. Data Subject Rights

The Processor will assist the Controller in fulfilling GDPR rights requests, including:

  • Access to Personal Data
  • Rectification of inaccurate data
  • Erasure (“right to be forgotten”)
  • Data Portability
  • Objection to, or restriction of, processing

The Processor will promptly inform the Controller of any request received directly from a Data Subject.

9. Data Breach Notification

In the event of a Personal Data breach, the Processor will:

  • Notify the Controller without undue delay and within 72 hours of becoming aware.
  • Provide details about the breach, including the nature of the data involved, the number of affected Data Subjects, and remediation measures taken.

10. Data Retention and Deletion

Personal Data will be retained as long as necessary to provide services or based on the Controller’s instructions.

Upon termination of this Agreement or the Controller’s request, the Processor will delete all Personal Data, unless retention is legally required.

11. Audits and Compliance

The Controller may conduct audits or request documentation to verify the Processor’s compliance with this Agreement. Audits must be scheduled with at least 30 days' notice and occur no more than once per year unless a significant data breach occurs.

12. Liability and Indemnity

Each party is liable for damages resulting from GDPR non-compliance, limited to their respective roles (Controller vs. Processor).

The Processor is not liable for any unauthorized data processing initiated by the Controller.

13. Term and Termination

This Agreement remains in effect as long as the Processor processes Personal Data on behalf of the Controller. Upon termination, all Personal Data will be deleted.

14. Governing Law and Jurisdiction

This Agreement is governed by the laws of the Czech Republic.