Data Processing Agreement (DPA)
Last Update On
This Data Processing Agreement ("Agreement") forms part of the Terms of Service between:
- Data Controller: The customer that uses Sitelens services
- Data Processor: S.C. Haktos Creative S.R.L., a company registered in Romania, operating Sitelens ("Processor")
This Agreement ensures compliance with Article 28 of the GDPR and includes the Standard Contractual Clauses (SCCs) for international data transfers.
1. Subject Matter and Duration
This Agreement governs the processing of personal data in the context of the Sitelens analytics service. It is effective for as long as the Controller uses the Processor's services.
2. Nature and Purpose of Processing
- Purpose: To provide website analytics and engagement tracking services
- Nature: Collecting, organizing, and aggregating non-personal analytics data
- Duration: For the term of the subscription and up to 3 years for backups
3. Type of Data and Data Subjects
- By default, Sitelens does not process personal data.
- Any personal data submitted via custom events is under the Controller’s responsibility.
- Data subjects may include website visitors, depending on the Controller's use.
4. Obligations of the Controller
- Ensure legal basis for any personal data sent via custom events
- Inform data subjects appropriately
- Not send sensitive data (e.g., health, biometric, special category data) without safeguards
5. Obligations of the Processor
- Process data only on documented instructions from the Controller
- Implement appropriate technical and organizational security measures
- Ensure confidentiality and training of staff
- Assist Controller in fulfilling data subject rights
- Delete or return data upon termination of services
6. Technical and Organizational Measures
- Data is hosted in EU-Central (Germany) on DigitalOcean and/or AWS
- No IP addresses are stored or logged
- HTTPS encryption for all data in transit
- LocalStorage only (no cookies)
- No cross-site or third-party tracking
7. Sub-processors
Sitelens does not use any sub-processors.
8. International Transfers
For any data transfers outside the EEA:
- Processor agrees to be bound by Standard Contractual Clauses (SCCs) (Module 2, Controller-to-Processor)
- The data importer ensures safeguards equivalent to GDPR
9. Audit Rights
Upon reasonable notice, the Controller may audit Processor’s compliance (limited to once per year or upon security incident).
10. Data Breach Notification
Processor shall notify the Controller without undue delay of any personal data breach affecting Controller data.
11. Liability
Each Party is responsible for its own breaches of GDPR or this DPA. Liability limitations from the main Terms apply.
12. Governing Law
This Agreement is governed by the laws of Romania.
Annex I – Data Processing Details
- Data Exporter: Controller
- Data Importer: [Your Company Name], Romania
- Subject Matter: Anonymous session analytics (no PII)
- Categories of data: Anonymous session and engagement metadata
- Recipients: None
- Safeguards: Encryption, access control, limited data retention
Annex II – Technical and Organizational Measures
- Encryption in transit (HTTPS)
- Local-only session ID storage
- GeoIP country lookup with IP discard
- No personal identifiers stored
- Regular security reviews
Contact Information
For questions regarding this Data Processing Agreement:
Sitelens (operated by S.C. Haktos Creative S.R.L.)
Str. Panselelor 1, bl. P11, ap. 14, Sannicolau-Mare, Timis, Romania
Email: privacy@sitelens.cx
This Agreement shall form part of the contractual relationship between Controller and Processor and is deemed accepted upon subscription to Sitelens.