Version 2.0 — public DPA template for Redimo UKS. The contractually binding version identifies the specific organisation and Redimo in the order or main agreement; onboarding acceptance binds to this version via audit_event.
Data Processing Agreement
Data Processing Agreement (DPA)
Standard data processing agreement under Art. 28 GDPR for the relationship where the organisation (homeowners' association, club, association) is the controller and Redimo, s. r. o. is the processor.
Scope and applicability
This document forms an annex to the main service agreement for the Redimo UKS portal concluded between the Parties.
By accepting this DPA during organisation onboarding, the Parties confirm that data in further interactions with the Redimo UKS portal will be processed under the conditions agreed below.
The acceptance record (timestamp, IP address, user identifier, DPA version, Privacy Policy version) is stored by the Processor in the auditable audit_event table for 5 years.
1. Parties
Controller: the organisation identified during onboarding (name, ID, seat, statutory representative), which determines the purposes and means of processing personal data of its members, owners and employees as input into the Redimo UKS platform.
Processor: Redimo, s. r. o., Píniová 12, 821 07 Bratislava, Company ID 46 509 852, Tax ID 2023420641, VAT ID SK2023420641, registered with the Municipal Court Bratislava III, section Sro, file 78868/B. Privacy and security contacts are dpo@redimo.sk and security@redimo.sk.
The Parties have agreed on this relationship in line with Art. 28 GDPR and § 34 of Slovak Act 18/2018.
2. Subject of processing
The subject of processing is the technical operation of the Redimo UKS portal which allows the Controller to manage membership, documents, voting, finances, meter reading and communication with members in electronic form.
The Processor processes personal data exclusively in line with the Controller's instructions recorded in the platform configuration of agendas or in written form (including electronic form).
3. Duration
The DPA enters into force upon acceptance during onboarding and lasts for the duration of the main service agreement.
After the main agreement ends, data is processed only to the extent necessary for return or destruction of data and for the Processor's legal archival obligations.
4. Nature and purpose of processing
Nature: collection, structured storage, search, disclosure to authorised persons, encrypted transfer, backup, anonymisation and erasure of personal data in electronic form.
Purpose: providing the Controller with reliable electronic record-keeping, evidentially preserving resolutions and votes, and supporting the Controller's statutory obligations (in particular under Slovak Acts 182/1993, 431/2002, 222/2004, 657/2004, 250/2012).
5. Types of personal data
Identification data (name, surname, date of birth, personal ID number only when required by law and only in encrypted form), contact details (email, phone, postal address), dwelling/share data, payment and receivables data, voting and attendance data, meter readings, attachments uploaded by the Controller (minutes, invoices).
The Processor actively minimises the scope of processed data and does not collect data not needed for the purposes in section 4.
6. Categories of data subjects
Members of the association / club / society (dwelling owners, share owners, registered members).
Statutory representatives, chairperson, treasurer, auditor and other functional roles within the Controller's internal regulations.
Employees of the Controller, external administrators and engaged suppliers when recorded as counterparties of financial transactions.
7. Processor obligations (Art. 28(3)(a) to (h) GDPR)
(a) The Processor processes personal data only on documented instructions from the Controller, including transfers to a third country (no planned transfers outside the EEA).
(b) The Processor ensures that persons authorised to process personal data are bound by confidentiality or are under a statutory obligation of confidentiality.
(c) The Processor takes all security measures pursuant to Art. 32 GDPR (see section 8).
(d) The Processor respects the conditions for engaging another processor under section 9.
(e) Considering the nature of processing, the Processor assists the Controller in fulfilling obligations regarding data subject rights (section 10).
(f) The Processor assists the Controller in fulfilling obligations under Art. 32 to 36 GDPR (security, DPIA, prior consultation).
(g) After the end of provision of services, on the Controller's choice, the Processor deletes or returns all personal data and deletes existing copies (section 13).
(h) The Processor makes available all information necessary to demonstrate compliance and allows for audits (section 11).
8. Security measures (Art. 32 GDPR)
Encryption in transit: all communication channels between client and portal protected with TLS 1.3 and perfect forward secrecy.
Encryption at rest: database and file storage on Redimo-owned infrastructure are protected by disk encryption and application-level encryption of sensitive fields.
Access control: role-based access (RBAC) integrated with Keycloak OIDC, principle of least privilege, mandatory two-factor authentication for administrative accounts.
Audit logs: critical operations logged into the audit_event table (5 years), immutable append-only records, integrity seal per record.
Continuity: daily backups to a separate Redimo backup node, regular recovery checks, and defined RTO/RPO targets.
Code security: regular SAST/DAST, controlled release process, vulnerability disclosure under /.well-known/security.txt.
Physical security: infrastructure providers declare standard data-centre controls and security certifications in their current documentation.
9. Engaging another processor (Art. 28(2) and (4) GDPR)
The Controller grants the Processor general written authorisation to engage other processors listed in the up-to-date register at /legal/subprocessors.
The Processor will inform the Controller of plans to add or replace another processor at least 30 days in advance via the RSS feed at /legal/subprocessors.xml and/or by email notification to the organisation contact email.
Within 30 days the Controller has the right to object to the change. If the Parties cannot agree, the Controller may terminate the main agreement without penalty.
The Processor imposes the same data protection obligations on every other processor as set out in this DPA, in particular by means of a written contract.
10. Assisting with data subject rights
The Processor provides the Controller with technical and organisational tools to handle requests under Art. 15 to 22 GDPR, in particular the DSAR interface at /account/privacy and the server endpoints at /api/v1/privacy/dsar-requests.
If a data subject's request is sent directly to the Processor, the Processor forwards it to the Controller without undue delay (within 5 business days) and provides the necessary cooperation.
Handling the request itself is the Controller's responsibility, since it determines the scope of data, legal bases and communicates with the data subject.
11. Audits and inspections
Once a year the Processor will make available to the Controller the results of completed security audits and the current Security Policy.
The Controller has the right, at its own cost, to perform an audit or to commission an audit by an independent auditor, with at least 30 days' prior notice, during business hours and in a manner that does not jeopardise the interests of the Processor's other customers.
If there is serious suspicion of a breach of Processor obligations, an audit can be carried out on shorter notice by agreement.
12. Breach notification (Art. 33 GDPR)
The Processor notifies the Controller of every personal data breach without undue delay, no later than 24 hours after becoming aware of it, so the Controller can fulfil its 72-hour notification obligation to the supervisory authority (Art. 33(1) GDPR).
The notification contains: description of the nature of the breach, categories and approximate number of data subjects and records concerned, contact for the DPO, description of likely consequences and description of measures taken or proposed.
The Processor maintains a register of breaches and assists the Controller with notification to data subjects under Art. 34 GDPR where required.
13. Return or deletion of data after end of services
After the end of services (or other termination of the DPA), upon the Controller's instruction, the Processor will: (a) return all personal data in a structured, commonly used, machine-readable format (JSON/CSV) within 30 days; or (b) securely delete all personal data, including backup copies, within 90 days.
The Processor provides the Controller with a written confirmation of deletion including a list of destroyed storage media, timestamps and destruction method.
This does not affect the Processor's obligations to retain data under statutory archival duties (e.g. accounting records); such data is kept in isolated form and securely destroyed after the legal retention period expires.
14. Liability and penalties
The Parties are liable for breaches of obligations under GDPR and Slovak Act 18/2018 to the extent they have contributed to the breach (Art. 82 GDPR).
The Processor's maximum cumulative liability towards the Controller arising from the DPA and the main agreement is capped at the annual fees paid to the Processor in the immediately preceding 12 months, except for cases of gross negligence, intentional breach or harm to data subjects.
Penalties from the supervisory authority are paid by each Party in proportion to its responsibility for the breach.
15. Applicable law and jurisdiction
This DPA is governed by the law of the Slovak Republic, in particular Regulation (EU) 2016/679 (GDPR) and Slovak Act 18/2018 on personal data protection.
The supervisory authority is the Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava 27, https://dataprotection.gov.sk/.
Disputes arising from the DPA shall be resolved before the materially and locally competent court in the Slovak Republic.
Note: Acceptance of this DPA happens during organisation onboarding via a clickwrap checkbox in the /onboarding wizard. The acceptance audit record is stored by the BFF in the audit_event table with timestamp, IP address, actor, DPA version and Privacy Policy version.