DATA PROCESSING AGREEMENT (DPA)
Version: 2.1 Effective Date: 30 April 2026 Replaces: Version 2.0 (effective 30 April 2026)
1. PARTIES
This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service ("Main Agreement") between:
(a) Customer — the legal entity (or natural person acting in a professional capacity) identified in the Customer's account in the ESGdesk™ platform, acting as the Data Controller ("Customer" or "Controller"); and
(b) Vivopack sp. z o.o., a limited liability company organized under the laws of Poland, with its registered office at Łużycka 104A, 59-900 Zgorzelec, Poland, registered in the National Court Register (KRS) under number 0000908021, VAT-EU: PL5252867586, brand owner and operator of the ESGdesk™ platform (the "Platform" or "Service"), acting as the Data Processor ("ESGdesk" or "Processor").
ESGdesk™ is a brand and trading name owned and operated by Vivopack sp. z o.o.
The Customer and ESGdesk are referred to individually as a "Party" and collectively as the "Parties".
2. SUBJECT MATTER, NATURE, PURPOSE AND DURATION
2.1 Subject matter
This DPA governs the processing of personal data by ESGdesk on behalf of the Customer in connection with the provision of the ESGdesk™ Service.
2.2 Nature and purpose of processing
ESGdesk processes personal data on Customer's documented instructions for the sole purpose of providing the Service, which includes:
- Storage and organization of the Customer's environmental, social, and governance ("ESG") data;
- Generation of carbon footprint calculations and ISO/CSRD-aligned reports;
- AI-assisted document scanning (extraction of ESG data from invoices and bills);
- User account management, authentication, and team collaboration features;
- Customer-initiated external auditor access (see Section 11);
- Billing, subscription management, and customer support.
2.3 Duration
This DPA remains in effect for as long as ESGdesk processes personal data on behalf of the Customer under the Main Agreement, and thereafter as required to fulfill the obligations set out in Section 13 (Termination and Data Return).
2.4 Categories of data subjects and personal data
The categories of data subjects and personal data processed under this DPA are described in Appendix A.
3. ROLES AND RESPONSIBILITIES
3.1 Customer as Controller
The Customer is the Data Controller of all personal data uploaded to, generated by, or processed through the Service in connection with the Customer's account. The Customer determines the purposes and means of processing, including:
- Which natural persons (employees, contractors, auditors) are granted access to the Service;
- What ESG data, evidence files, and documents are uploaded;
- The lawful basis for processing personal data of its data subjects (e.g., employment contracts, legitimate interest, consent);
- Compliance with information duties towards data subjects (Articles 13–14 GDPR).
3.2 ESGdesk as Processor
ESGdesk acts as a Data Processor and processes personal data only on documented instructions from the Customer, except where required to do so by EU or Member State law, in which case ESGdesk shall inform the Customer of that legal requirement before processing, unless prohibited by that law on important grounds of public interest.
3.3 Customer's documented instructions
The Customer's documented instructions are set out in:
- The Main Agreement;
- This DPA;
- The Customer's actions, configurations, and settings within the Platform's user interface;
- Any additional written instructions provided by the Customer to ESGdesk.
ESGdesk shall immediately inform the Customer if, in its opinion, an instruction infringes the GDPR or other applicable Union or Member State data protection provisions.
4. CONFIDENTIALITY
ESGdesk ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. ESGdesk requires its personnel to comply with applicable confidentiality obligations even after the termination of their engagement.
5. SECURITY MEASURES (ARTICLE 32 GDPR)
ESGdesk implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The technical and organizational measures implemented by ESGdesk are set out in Appendix B.
ESGdesk shall periodically review and update such measures as appropriate, and shall not materially decrease the overall level of security during the term of this DPA.
6. SUB-PROCESSORS
6.1 General authorization
The Customer grants ESGdesk a general authorization to engage the sub-processors listed in Appendix C for the processing of personal data under this DPA.
6.2 Sub-processor obligations
ESGdesk shall enter into a written agreement with each sub-processor that imposes data protection obligations no less protective than those set out in this DPA, in accordance with Article 28(4) GDPR.
6.3 Notification of changes
ESGdesk shall notify the Customer in advance of any intended addition or replacement of sub-processors. Such notification shall be provided:
- Via email to the Customer's primary contact registered in the account; AND
- Via in-app notification within the ESGdesk Platform.
The notification period shall be at least thirty (30) days before the new sub-processor begins processing personal data.
6.4 Customer's right to object
The Customer may object to a proposed change of sub-processor on reasonable grounds related to data protection within fourteen (14) days from receipt of the notification. If the Customer reasonably objects and the Parties cannot agree on a resolution, the Customer's exclusive remedy is to terminate the Main Agreement and this DPA in accordance with Section 13.
6.5 Liability for sub-processors
ESGdesk remains fully liable to the Customer for the performance of the sub-processor's obligations.
7. ASSISTANCE WITH DATA SUBJECT REQUESTS
7.1 Cooperation
Taking into account the nature of the processing, ESGdesk shall assist the Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests for exercising data subject rights under Articles 15–22 GDPR (right of access, rectification, erasure, restriction, data portability, objection, and rights related to automated decision-making).
7.2 In-platform tools
ESGdesk provides the Customer with self-service tools within the Platform to fulfill data subject requests, including:
- Data export functionality (Article 20 GDPR portability), producing a structured machine-readable bundle of the Customer's data;
- Account deletion mechanisms with cascade handling (including ownership transfer for company Owner roles);
- Audit log access for tracking processing activities;
- Pseudonymization of deleted user identifiers in audit logs (preserving compliance with retention obligations while removing personal identifiers).
7.3 Response time for direct assistance
For data subject requests requiring ESGdesk's direct involvement (i.e., where self-service tools are insufficient), ESGdesk shall respond to the Customer's request for assistance within seven (7) business days, unless a shorter response time is required by applicable law.
7.4 Cost
Assistance under this Section 7 is included at no additional cost, except where the Customer's request requires disproportionate effort, in which case the Parties shall agree in writing on reasonable compensation before the work is undertaken.
8. DATA BREACH NOTIFICATION
8.1 Notification timeline
ESGdesk shall notify the Customer without undue delay, and in any event within seventy-two (72) hours after becoming aware of a personal data breach affecting the Customer's data.
8.2 Content of notification
The notification shall, to the extent reasonably possible, include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned;
- The likely consequences of the breach;
- The measures taken or proposed by ESGdesk to address the breach and to mitigate its possible adverse effects;
- The contact point at ESGdesk for further information (privacy@esgdesk.ai).
8.3 Cooperation
ESGdesk shall provide reasonable cooperation and assistance to the Customer in connection with any breach notification obligations the Customer may have under Article 33 GDPR (notification to supervisory authority) and Article 34 GDPR (communication to data subjects).
8.4 Customer's responsibility
The Customer is responsible for assessing whether the breach must be notified to the relevant supervisory authority and/or to the affected data subjects, and for making such notifications in accordance with applicable law.
9. AUDITS AND INSPECTIONS
9.1 Customer's audit right
ESGdesk shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
9.2 Audit procedure
The Customer shall provide ESGdesk with at least thirty (30) days' prior written notice of any audit, except in the event of a personal data breach or where required by a supervisory authority. Audits shall:
- Take place no more than once per twelve (12) months, unless triggered by a material breach of this DPA or required by a competent supervisory authority;
- Be conducted during ESGdesk's normal business hours;
- Be subject to reasonable confidentiality obligations;
- Not unreasonably interfere with ESGdesk's business operations.
9.3 Third-party certifications and reports
The Customer agrees that ESGdesk's compliance obligations under this Section may be satisfied by ESGdesk providing the Customer with up-to-date certifications, attestations, or reports issued by independent third parties (e.g., ISO 27001, SOC 2, or equivalent) where available.
9.4 Cost
Each Party bears its own costs in connection with audits, except where an audit reveals a material non-compliance by ESGdesk with this DPA, in which case ESGdesk shall reimburse the Customer's reasonable audit costs.
10. INTERNATIONAL DATA TRANSFERS
10.1 Primary processing location
The Customer's personal data is primarily stored and processed within the European Economic Area (EEA), specifically in data centers located in Frankfurt, Germany (managed by Lovable Technologies AB through Supabase infrastructure).
10.2 Transfers to third countries
Certain processing activities may involve the transfer of personal data outside the EEA, in particular to the United States, in connection with sub-processors listed in Appendix C. Such transfers are made under one or more of the following safeguards:
- The European Commission's Standard Contractual Clauses ("SCCs") for the transfer of personal data to third countries (Module 2 or Module 3, as applicable), incorporated by reference into the relevant sub-processor agreements;
- The EU-US Data Privacy Framework ("DPF"), where the recipient is certified under the DPF program and the transfer is covered by the certification;
- Other appropriate safeguards as set out in Article 46 GDPR.
10.3 AI processing disclosure
The AI document scanning functionality (Elisa) is powered by Google's Gemini AI models. Input data submitted to this feature may be transferred to Google's processing infrastructure in the United States. Such transfers are made under SCCs and the DPF. Customers may disable AI features through the Platform settings.
10.4 Customer's right to information
Upon written request, ESGdesk shall provide the Customer with reasonable evidence of the legal basis and safeguards relied upon for any specific international transfer.
11. CUSTOMER-INITIATED EXTERNAL AUDITOR ACCESS
This Section governs the Service feature that allows Customers on PRO subscription plans to grant time-limited read-only access to external third-party auditors (e.g., accounting firms, ISO certification bodies, CSRD assurance providers, banks, investors).
11.1 Trigger and customer warranty
External auditor access is initiated solely by the Customer (acting through an Owner or Admin role). Before granting access, the Customer must affirmatively confirm in the Platform user interface that:
- The Customer has identified the auditor as a legitimate party with a valid legal basis to access the data for audit purposes;
- The Customer has a valid Data Processing Agreement (or equivalent contractual arrangement) directly in place with the auditor;
- The auditor will process the data solely on the Customer's documented instructions, in accordance with Article 28 GDPR;
- The Customer remains the sole Controller of the data and is responsible for the auditor's actions.
ESGdesk does not permit the granting of auditor access unless this warranty is recorded.
11.2 Roles in the auditor access flow
- The Customer is the Controller and remains the Controller for all personal data accessed by the auditor.
- The External Auditor is the Customer's own Processor, engaged under a separate agreement between the Customer and the auditor. ESGdesk has no contractual relationship with the auditor regarding personal data processing.
- ESGdesk acts as a neutral infrastructure facilitator: it provides the technical mechanism for time-limited, monitored access, but does not instruct or supervise the auditor's processing activities.
11.3 ESGdesk's role limitations
ESGdesk:
- Is not a party to the data processing relationship between the Customer and the auditor;
- Is not liable for the auditor's actions or omissions outside the scope of access provided through the Platform;
- Does not endorse, vet, or independently verify the auditor's qualifications or compliance posture.
11.4 Technical safeguards
The auditor access mechanism includes:
- Read-only access: auditors cannot modify, delete, or upload data;
- Time-limited access: each access grant must be set to either ninety (90) days or one hundred and eighty (180) days; no other durations (including unlimited or open-ended access) are permitted;
- Separate authentication: auditors authenticate via magic-link sent to the email address designated by the Customer;
- Full audit trail: all access events and actions taken by the auditor are logged and visible to the Customer through the Platform's data access log;
- Immediate revocation: the Customer may revoke an auditor's access at any time without prior notice;
- Notice to auditor: a notice is sent to the auditor at the time of grant explaining their role as the Customer's Processor (not ESGdesk's Processor) and the limits of ESGdesk's involvement.
11.5 Customer responsibilities
The Customer is responsible for:
- Verifying the auditor's identity, legitimacy, and legal basis for processing prior to granting access;
- Maintaining a valid DPA or equivalent agreement with the auditor;
- Setting an appropriate access duration commensurate with the audit scope;
- Promptly revoking access when the audit is concluded or no longer required;
- Monitoring the auditor's activity through the audit log;
- Notifying ESGdesk through privacy@esgdesk.ai if the Customer suspects misuse of access.
12. LIABILITY
12.1 Limitation of liability
The total aggregate liability of each Party arising out of or in connection with this DPA shall be limited to the amount actually paid by the Customer to ESGdesk under the Main Agreement during the twelve (12) months preceding the event giving rise to liability. This limitation applies to the maximum extent permitted by applicable law.
12.2 Exclusions
The limitation in Section 12.1 does not apply to:
- Damage caused by intent or gross negligence;
- Liability that cannot be limited or excluded under mandatory provisions of applicable law (including Article 82 GDPR claims by data subjects).
12.3 Apportionment under GDPR
Where both Parties are involved in the same processing and are responsible under Article 82(4) GDPR for damage caused by such processing, each Party shall be liable in proportion to its responsibility for the event giving rise to the damage. A Party that has paid full compensation for the damage suffered shall be entitled to claim back from the other Party that part of the compensation corresponding to the other Party's responsibility.
13. TERMINATION AND DATA RETURN
13.1 Triggers
This DPA terminates automatically upon termination or expiration of the Main Agreement.
13.2 Data return and deletion
Upon termination of the Main Agreement and at the choice of the Customer, ESGdesk shall:
(a) Export window: During a period of ninety (90) days following termination ("Export Window"), the Customer may download all personal data through the in-platform export functionality (Article 20 GDPR-compliant data bundle including ESG data, reports, evidence files, and audit logs).
(b) Hard deletion: After the Export Window expires, ESGdesk shall delete all personal data from its production systems, including from sub-processor systems where technically feasible. Backups containing personal data are retained for a maximum of an additional thirty (30) days for disaster recovery purposes and are then automatically overwritten.
(c) Pseudonymization for legally required retention: Where retention of certain records is required by law (e.g., financial records under the Polish Accounting Act, audit logs under information security obligations), the personal data within such records shall be pseudonymized to the extent technically feasible.
13.3 Customer responsibility for export
The Customer is solely responsible for downloading and securely storing exported data within the Export Window. ESGdesk has no obligation to retain data beyond the Export Window or to recover data after deletion has occurred.
13.4 Confirmation of deletion
Upon written request from the Customer made within thirty (30) days after the Export Window, ESGdesk shall provide written confirmation that deletion has occurred.
14. GENERAL PROVISIONS
14.1 Order of precedence
In the event of a conflict between this DPA and the Main Agreement, this DPA prevails with respect to data protection matters.
14.2 Amendments
ESGdesk may amend this DPA from time to time to reflect changes in applicable law, regulatory guidance, or the Service. Material amendments will be notified to the Customer in advance via email and in-app notification, with a notice period of at least thirty (30) days. Continued use of the Service after the effective date of an amendment constitutes acceptance of the amended DPA.
14.3 Governing law and jurisdiction
This DPA is governed by the laws of Poland. The Parties submit to the exclusive jurisdiction of the courts competent for the registered office of Vivopack sp. z o.o. (Zgorzelec, Poland), without prejudice to any mandatory rules of jurisdiction under the GDPR or applicable consumer protection law.
14.4 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remainder of this DPA shall remain in full force and effect, and the Parties shall negotiate in good faith a replacement provision that achieves, to the extent legally permissible, the original economic and legal intent.
14.5 No third-party beneficiaries
Except as expressly provided herein (in particular for data subjects under Article 82 GDPR), this DPA does not create any rights for any person other than the Parties.
14.6 Contact for data protection matters
Email: privacy@esgdesk.ai Postal address: Vivopack sp. z o.o., Łużycka 104A, 59-900 Zgorzelec, Poland (marked "Data Protection")
APPENDIX A — CATEGORIES OF DATA SUBJECTS AND PERSONAL DATA
A.1 Categories of data subjects
The personal data processed under this DPA may concern the following categories of data subjects:
- Customer's employees and team members with access to the Customer's ESGdesk account;
- Customer's contractors and consultants with access to the Customer's ESGdesk account;
- External auditors invited by the Customer through the Auditor Access feature (Section 11);
- Workforce members of the Customer whose aggregated employment metrics (headcount, gender breakdown, turnover) are reported as part of ESG data, where such data is identifiable to specific individuals;
- Suppliers, vendors, and counterparties referenced in evidence documents (e.g., invoices) uploaded by the Customer;
- Customer support correspondents who interact with ESGdesk's support channels.
A.2 Categories of personal data
The following categories of personal data may be processed:
Account and identification data:
- Email address
- Full name
- User role and permissions within the Customer's organization
- Authentication data (hashed passwords, MFA tokens, recovery codes)
Activity and audit data:
- IP address (pseudonymized to /24 subnet for IPv4 / /64 prefix for IPv6 in legal acceptance records)
- User agent (truncated to 500 characters)
- Login timestamps, page views, actions taken in the Platform
- Audit log entries (immutable, append-only)
ESG operational data:
- Aggregated employment metrics (headcount by gender, hires, dismissals)
- Energy consumption per location
- Water and waste metrics
- Health & safety incidents
Evidence documents:
- Invoices, bills, receipts, certificates, reports uploaded by the Customer that may contain personal data of third parties (e.g., supplier contact persons)
Communication data:
- Email correspondence with ESGdesk customer support
Billing data:
- Company billing details (legal name, address, VAT/Tax ID)
- Invoice records
- Payment status (no card or payment account numbers are stored by ESGdesk; all payment data is processed by Stripe)
A.3 Categories of special data
ESGdesk does not request, intend, or expect the Customer to process special categories of personal data (Article 9 GDPR) or criminal conviction data (Article 10 GDPR) through the Platform. The Customer is responsible for ensuring that no such data is uploaded to the Service.
APPENDIX B — TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)
ESGdesk implements the following technical and organizational measures to ensure a level of security appropriate to the risk:
B.1 Access control
- Multi-factor authentication (MFA) supported and enforced for all platform_admin roles;
- Role-Based Access Control (RBAC) with four primary roles: Owner, Admin, Contributor, Auditor;
- Row-Level Security (RLS) enforced on all database tables containing personal data;
- Tenant isolation: Customers' data is logically separated by company_id, with cross-tenant access blocked at the database level;
- Time-limited access for external auditors (max 90 days);
- Time-limited support access (max 24 hours) requiring explicit Customer consent;
- Progressive authentication throttling (6 fails / 60s lock; 10 fails / 15min lock; 20 fails / 60min lock).
B.2 Encryption
- Data in transit: TLS 1.2+ for all client-server communication;
- Data at rest: encrypted by infrastructure provider (Lovable / Supabase, AES-256);
- OAuth tokens encrypted using pgcrypto with keys stored in Supabase Vault;
- Strict Transport Security (HSTS) with preload enabled;
- Content Security Policy (CSP) headers preventing XSS attacks.
B.3 Audit logging and monitoring
- Append-only audit log with database trigger enforcement;
- GDPR-compliant pseudonymization of deleted user identifiers in retained logs;
- Frontend error monitoring via Sentry (EU-Frankfurt ingest region; user_id only, no PII; sensitive fields scrubbed in beforeSend hook; Session Replay disabled);
- Authentication security events logged in dedicated table;
- Data access logs visible to Customer for activities related to their account.
B.4 Backup and disaster recovery
- Daily automated backups of the database;
- Point-in-Time Recovery (PITR) with up to 7-day window;
- Backup retention aligned with data deletion policy;
- Periodic restore tests.
B.5 Application security
- Rate limiting on critical endpoints;
- Bot protection (Cloudflare Turnstile) on signup, login, password reset, and contact forms;
- Server-side validation of all user inputs;
- Server-side determination of legal document versions (preventing client-side spoofing);
- File upload validation: MIME type whitelist, file size limits;
- Storage buckets configured as private with signed URL access only.
B.6 Personnel and process
- Confidentiality obligations for all personnel with access to Customer data;
- Security training for personnel involved in data processing;
- Documented data breach response procedure;
- Designated data protection contact: privacy@esgdesk.ai.
B.7 Change management
- All database schema changes managed through versioned migration system;
- Append-only audit log for legal document version changes;
- Demonstrable consent recording (timestamp, IP, user agent, context) for legal acceptances under Article 7 GDPR.
B.8 Sub-processor management
- Written agreements with all sub-processors imposing data protection obligations no less protective than this DPA;
- Periodic review of sub-processor compliance;
- Notification to Customers of material sub-processor changes (30 days advance notice).
APPENDIX C — LIST OF SUB-PROCESSORS
The following sub-processors are engaged by ESGdesk in the provision of the Service. The current authoritative list is also published at https://esgdesk.ai/legal/sub-processors and is updated as changes occur.
| # | Sub-processor | Role | Location | Transfer mechanism | Notes |
|---|---|---|---|---|---|
| 1 | Google Ireland Ltd. (Gemini AI) | AI document scanning & ELISA assistant | Ireland (EU); USA processing | Standard Contractual Clauses (SCCs) | — |
| 2 | Stripe Payments Europe, Ltd. | Subscription billing & payment processing | Ireland (EU); processing also in USA | Standard Contractual Clauses (SCCs) | — |
| 3 | Fakturownia sp. z o.o. | VAT invoice generation (EU customers) | Poland (EU) | EU hosting (no transfer) | — |
| 4 | Resend, Inc. | Transactional email delivery (no-reply@esgdesk.ai) | USA; EU edge delivery | Standard Contractual Clauses (SCCs) | — |
| 5 | Lovable Technologies AB | Application hosting, build & deployment, and underlying backend infrastructure | EU (Sweden) | EU hosting (no transfer) | Operating Supabase infrastructure for backend (Database, Auth, Storage, Edge Functions). Supabase Inc. acts as a sub-sub-processor under Lovable. |
| 6 | Functional Software, Inc. (Sentry) | Error monitoring & diagnostics (frontend & backend) | EU (Frankfurt) ingest; USA control plane | Standard Contractual Clauses (SCCs) | — |
| 7 | Cloudflare, Inc. | CDN, DNS, social preview worker (news subdomain) | Global edge; USA control plane | Standard Contractual Clauses (SCCs) | — |
END OF DPA v2.1
CHANGELOG
v2.1 — 30 April 2026
- §11.4 (Technical safeguards): Removed the "30 days default / 90 days maximum" formulation. Auditor access grants must now be set to either 90 days or 180 days — no other durations (including unlimited or open-ended access) are permitted. Aligns the contractual ceiling with the platform UI, the API constraint, and ToS v2.3 §§1.11 / 5.3.
v2.0 — 30 April 2026
- Initial Vivopack-branded full DPA replacing the simplified v1.1 template.
DOCUMENT METADATA (informational, not part of agreement)
- Document version: 2.1
- Document type: Data Processing Agreement (Article 28 GDPR)
- Effective date: 30 April 2026
- Replaces: Version 2.0 (effective 30 April 2026)
- Operator and brand owner: Vivopack sp. z o.o. (ESGdesk™ is a brand owned by Vivopack sp. z o.o.)
- Service: ESGdesk™ Platform
- Language: English (governing language)
- Contact for data protection matters: privacy@esgdesk.ai
