GDPR Data Processing Addendum (DPA)
Last Updated:
1. Parties
This Data Processing Addendum (DPA) forms part of the agreement or terms between SharePedia ("Provider") and the natural or legal person using or purchasing the services ("Customer"). For GDPR purposes, the Customer is typically the Controller and SharePedia acts as Processor (or, where SharePedia determines purposes and means, as an independent Controller for those specific activities).
2. Subject Matter & Duration
This DPA governs the Processing of Personal Data in connection with services provided via https://nnnnet.cn. It remains effective as long as Provider Processes Personal Data on behalf of Customer or until deletion/return is complete.
3. Definitions
"GDPR" means Regulation (EU) 2016/679. "Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Supervisory Authority", and "Personal Data Breach" have the meanings set out in GDPR.
4. Roles
Customer instructs Provider to Process Personal Data solely to deliver, maintain, secure, optimize, support, and improve the services and as further documented in Customer’s written instructions (including configuration or API calls). Provider shall promptly inform Customer if an instruction infringes GDPR.
5. Categories of Data & Data Subjects (Typical)
- Data Subjects: end users, account holders, site visitors, customers, support requesters.
- Personal Data: identifiers (name, username, email, IP, device/browser metadata), account preferences, usage logs, limited transactional metadata, support communications. Customer may supply additional optional data through free-form fields.
- No intentional Processing of special categories; Customer must not submit sensitive data unless expressly agreed.
6. Customer Responsibilities
Customer guarantees a lawful basis, provides required notices, and (where applicable) obtains consents for Provider’s Processing.
7. Provider Obligations
Provider will: (a) Process only on documented instructions; (b) implement appropriate technical and organizational measures; (c) ensure confidentiality commitments; (d) assist with Data Subject requests; (e) assist with DPIAs where relevant (proportionate to the service level); (f) maintain records required by GDPR.
8. Confidentiality
Personnel are bound by confidentiality and receive appropriate privacy/security training.
9. Security
Provider employs measures appropriate to risk, including (as applicable and evolving):
- Access controls & least privilege
- Password hashing / credential protection
- Encryption in transit (HTTPS/TLS) and at rest (where feasible)
- Network and application firewalls / filtering
- Logging & monitoring for anomalous activity
- Regular vulnerability management & patching
- Backup and recovery procedures
- Segregation of environments (production vs. test)
Customer is responsible for end-user access configuration (e.g., strong passwords, role-based controls) within the service.
10. Subprocessors
Customer authorizes Provider to engage Subprocessors for hosting, analytics, communications, or ancillary services. Provider will impose data protection obligations no less protective than this DPA. A current list or summary can be requested via [email protected]. Customer may object (on reasonable grounds) within 10 days of notice; if unresolved, Customer may discontinue affected services.
11. International Transfers
Where Personal Data is transferred outside the EEA/UK/Switzerland, Provider ensures an appropriate transfer mechanism (e.g., adequacy decision, Standard Contractual Clauses, or other lawful instrument). Supplemental safeguards will be implemented where required.
12. Data Subject Requests
Provider will, to the extent legally permitted, assist Customer by appropriate technical and organizational measures in responding to requests (access, rectification, erasure, restriction, portability, objection). Customer remains primarily responsible for verifying the requester and for fulfilling obligations not uniquely held by Provider.
13. Personal Data Breach Notification
Upon becoming aware of a Personal Data Breach affecting Customer Personal Data, Provider will without undue delay notify Customer, providing known details and cooperation. Customer is responsible for any required regulatory or Data Subject notifications unless agreed otherwise.
14. Audits & Information
Provider will make available information reasonably necessary to demonstrate compliance (e.g., summary security descriptions or third-party certification reports). Formal on-site audits require at least 30 days' notice, occur no more than once annually (unless mandated by a Supervisory Authority or following a confirmed material breach), and must protect confidentiality. Each party bears its own costs (unless Provider’s material non-compliance is found).
15. Retention, Return, Deletion
Upon termination or upon written request, Provider will delete or return Personal Data (at Customer’s choice) unless retention is required by law, security, dispute resolution, or backup integrity (in which case data will be isolated and securely deleted per standard purge cycles).
16. Liability
Liability under this DPA is subject to the limitations and exclusions set out in the underlying agreement. Nothing limits liability where not permitted by applicable law (e.g., intentional misconduct).
17. Amendments
Provider may update this DPA to reflect legal or operational changes. Material changes will be notified (e.g., via the site or email). Continued use after the effective date constitutes acceptance.
18. Governing Law
This DPA is governed by the same law and jurisdiction as the underlying agreement, unless GDPR requires otherwise.
19. Conflict
If there is a conflict between this DPA and other terms, this DPA prevails for data protection matters.
20. Contact
Data protection inquiries: [email protected] or visit https://nnnnet.cn.
By continuing to use the services, Customer acknowledges and agrees to this DPA.