1. Parties
Controller (“Client”)
Name / company: [Client legal name]
Address: [address]
Country: [country]
Contact email: [email]
VAT / company ID (if any): […]
Processor (“Processor”)
Tomasz Urban trading as BadTrip Software
Ks. Konarskiego 33/6, 39-200 Dębica, Poland
NIP: 8722379591
Email: tomasz@badtrip.software
Effective date: [YYYY-MM-DD] · Project / SOW reference: [offer ID or title]
2. Roles and subject matter
- Client is the controller (or a processor engaging BadTrip as a sub-processor — if so, Client warrants it has authority to appoint the Processor). Processor processes personal data only as a processor for the Project.
- Subject matter: software development, maintenance, hosting setup, debugging, migration, or related IT services under the main contract / offer for the Project.
- Duration: from the Effective date until the earlier of (a) end of the Project plus any agreed support window, or (b) deletion/return of Project personal data under §9.
- Nature and purpose: access, storage, transmission, analysis, testing, configuration, and similar operations strictly as needed to deliver the Project, on Client’s documented instructions.
- Types of personal data and categories of data subjects are listed in Annex A. Client shall not provide special-category data (GDPR Art. 9) or criminal-data (Art. 10) unless Annex A expressly lists them and a valid Art. 9/10 basis is stated by Client.
3. Instructions
- Processor shall process Project personal data only on documented instructions from Client, including this DPA, the main contract/SOW, and written tickets/emails that clearly direct processing — unless required to do otherwise by EU or Member State law, in which case Processor informs Client before processing (unless the law prohibits that notice).
- If Processor believes an instruction infringes the GDPR or other EU/Member State data protection law, Processor shall inform Client without undue delay.
- Client is responsible for the lawfulness of processing, transparency to data subjects, and the accuracy of instructions. Processor is not obliged to assess Client’s wider compliance program.
4. Confidentiality
Processor ensures that persons authorised to process Project personal data are under an appropriate obligation of confidentiality (contractual or statutory) and process such data only as needed for the Project.
5. Security (Art. 32)
Taking into account the state of the art, cost, and the nature/scope/context/risks of processing, Processor implements appropriate technical and organisational measures, including as relevant:
- access control (unique credentials, least privilege, MFA where available on systems Processor controls);
- encryption in transit (TLS) for remote access and public endpoints Processor configures;
- secure development practices and secret handling for code and environments Processor manages;
- device security on Processor’s workstations (disk encryption, OS updates, malware protection);
- logging of administrative access where systems under Processor’s control allow it.
Client remains responsible for security of systems, accounts, and cloud tenants under Client’s ownership, except measures expressly assigned to Processor in the SOW.
6. Sub-processors
- Client authorises Processor to use the sub-processors listed in Annex B (general authorisation). Processor shall impose data-protection obligations on sub-processors no less protective than those in this DPA, in substance.
- Processor shall inform Client of intended changes to Annex B (addition or replacement) in advance (email is enough), giving Client a reasonable opportunity to object on reasonable data-protection grounds. If Client objects and the parties cannot agree, either party may terminate the affected Project services related to that processing without penalty for that objection alone, subject to payment for work already performed.
- Processor remains responsible to Client for sub-processors’ performance of their obligations under this DPA.
7. International transfers
Processor shall not transfer Project personal data outside the EEA/UK adequacy area except:
- on Client’s documented instruction (e.g. Client’s own US SaaS);
- where a sub-processor in Annex B transfers under a valid Chapter V mechanism (adequacy, SCCs, etc.); or
- as required by law.
Client instructs Processor to use Client-chosen tools and regions stated in the SOW or Annex B.
8. Assistance
Taking into account the nature of processing, Processor shall reasonably assist Client with:
- responses to data-subject requests (Arts. 15–22), when Client cannot fulfil them alone with the systems it controls;
- security, breach notification to Client without undue delay after becoming aware of a personal data breach affecting Project personal data processed by Processor;
- DPIAs and prior consultation (Arts. 35–36), where relevant and proportionate;
- demonstrating compliance with Art. 28, including by providing information reasonably requested by Client.
Material assistance beyond ordinary Project work may be charged at the agreed hourly rate (net + VAT as per the main contract), unless the need arises from Processor’s breach of this DPA.
9. Return or deletion
At Client’s choice, upon end of Project processing services, Processor shall delete or return Project personal data in Processor’s possession (and delete existing copies), unless EU or Polish law requires storage. Client shall export data from Client-owned systems itself. Processor may retain minimal records needed for legal claims, accounting, or dispute defence, isolated from production use.
10. Audits
Processor shall make available information necessary to demonstrate Art. 28 compliance and allow for audits by Client or an independent auditor mandated by Client, upon reasonable written notice (at least 14 days), no more than once per 12 months unless a breach is reasonably suspected. Audits shall not unreasonably disrupt Processor’s business or other clients; remote review of documentation is preferred. Client bears its own audit costs unless a material breach of this DPA by Processor is confirmed.
11. Liability and order of documents
- Liability under this DPA follows the liability clauses of the main contract / Terms of Service for the Project, including mandatory GDPR liability that cannot be limited.
- Order of precedence for data protection: (1) mandatory law; (2) this DPA; (3) main contract/SOW; (4) website Terms. For commercial terms (fees, IP, timelines), the main contract prevails.
12. Governing law
This DPA is governed by the law of the Republic of Poland. Disputes are handled as under the main contract (courts competent for Processor’s place of business in Poland for B2B, without prejudice to mandatory consumer or controller rights).
Annex A — Processing details
Complete per project. Delete unused rows.
| Purpose of processing | [e.g. develop and maintain Client’s web app; fix production bugs; migrate database] |
|---|---|
| Categories of data subjects | [e.g. Client’s end users, customers, employees, newsletter subscribers] |
| Types of personal data | [e.g. name, email, account ID, IP, usage logs, billing contact — list only what Processor will actually access] |
| Special categories (Art. 9)? | [None / specify + Client’s legal basis] |
| Processing operations | [access, storage, backup restore, export, deletion, testing on staging copies, …] |
| Systems / locations | [e.g. Client AWS eu-central-1; staging on DigitalOcean FRA; Processor laptop for development] |
Annex B — Authorised sub-processors
Default list for typical BadTrip engagements. Strike through or add rows per project.
| Sub-processor | Role | Region (typical) |
|---|---|---|
| Client-designated cloud / SaaS | Hosting, DB, email, etc. under Client contract | As Client configures |
| DigitalOcean / other VPS named in SOW | Infrastructure if provisioned by Processor for Client | EU (prefer) |
| Amazon Web Services EMEA / AWS as in SOW | Cloud resources if in scope | As SOW (prefer EU) |
| Git hosting used for the Project (e.g. GitHub / GitLab) | Source code; avoid production personal data in repos | Per vendor |
| [Add others: email, error tracking, …] | […] | […] |
Tools used only on Processor’s side with no Project personal data (e.g. local editor, generic AI coding assistants on non-personal snippets) are not sub-processors for that data. Client should not paste production personal data into third-party AI tools unless listed here and approved.
13. Signatures
By signing (or accepting in writing / email with this DPA attached), the parties agree to this Data Processing Agreement for the Project referenced above.
Controller
Name: ___________________________
Title: ___________________________
Date: ___________________________
Signature: ______________________
Processor
Name: Tomasz Urban
Title: BadTrip Software
Date: ___________________________
Signature: ______________________
Disclaimer
Template for typical software/IT subprocessing under GDPR Art. 28 and Polish law. Not personalised legal advice. For health data, large-scale monitoring, or Client’s own customer DPA that must prevail word-for-word, have counsel review or use the Client’s paper with Annex A/B filled for BadTrip.