Data Privacy Agreement

DPA EU

Last updated May 15, 2025

This Data Protection Addendum (“DPA”) is incorporated by reference into and forms a part of the agreement between the Customer and Unipie Inc., a company incorporated in the United States with its principal place of business at 1401 21st ST STE 5305, Sacramento, CA 95811, United States (“Unipie”), pursuant to which Unipie provides the Services to the Customer (the “Agreement”). By executing the applicable Order Form, the Customer agrees to the terms of this DPA, which shall be effective as of the Effective Date of the Order Form. No separate signature is required for this DPA to be binding.

This DPA applies to the extent that Unipie processes Personal Data on behalf of the Customer in the course of providing the Services, where such processing is subject to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, or equivalent legislation. Capitalized terms not otherwise defined in this DPA shall have the meanings given to them in the Agreement. The Parties agree that the terms and conditions of this DPA shall govern the processing of Customer Personal Data and shall prevail over any conflicting provisions in the Agreement with respect to such processing.

1. Definitions

Applicable Laws and Regulations: EU Data Protection Laws and/or US Privacy Laws as applicable.

Authorised Subprocessors: (a) those Subprocessors set out in Annex 4 (Authorised Subprocessors); and (b) any additional Subprocessors consented to in writing by the Customer in accordance with section 6.1.

Consumer: As defined under the US Privacy Laws, as applicable.

Data Controller / Controller: As defined in the EU Data Protection Laws and, under US Privacy Laws, includes “business” as defined in the CCPA.

Data Processor / Processor: As defined in the EU Data Protection Laws and, under US Privacy Laws, includes “service provider” as defined in the CCPA.

EU Data Protection Laws: GDPR and all laws implementing or supplementing the same, and any other applicable data protection or privacy laws in the USA, and in countries explicitly agreed between parties.

EEA: European Economic Area.

Customer Personal Data: The data described in Annex 1 and any other Personal Data Processed by Unipie or any Subprocessor on behalf of the Customer pursuant to or in connection with the Agreement.

Personal Data: As defined in EU Data Protection Laws and under the US Privacy Laws, including “personal information” as defined in the CCPA.

Restricted Transfer: A transfer of Customer Personal Data by Customer to Unipie (or any onward transfer), where such transfer would be prohibited by EU Data Protection Laws in the absence of the protection provided by the EU Standard Contractual Clauses.

Sell / Selling: As defined in the US Privacy Laws, as applicable.

Share / Sharing: As defined under the CCPA.

Standard Contractual Clauses: The standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or replaced by a competent authority under the relevant EU Data Protection Laws.

Subprocessor: Any additional Data Processor (including any third party and any Unipie Affiliate) appointed by Unipie to Process Customer Personal Data on behalf of the Customer or any Customer Affiliate.

Supervisory Authority: (a) An independent public authority established by a Member State pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Applicable Laws and Regulations.

US Privacy Laws: Applicable US state privacy laws, including but not limited to:

  • California Consumer Privacy Act (CCPA, as amended by the CPRA)
  • Virginia Consumer Data Protection Act (VCDPA)
  • Colorado Privacy Act (CPA)
  • Connecticut Data Privacy Act (CTDPA)
  • Utah Consumer Privacy Act (UCPA)
  • Texas Data Privacy and Security Act (TDPSA)
  • Florida Digital Bill of Rights (FDBR)
  • Oregon Consumer Privacy Act (OCPA)

Any other terms used but not otherwise defined in the DPA or Agreement shall have the meaning set forth under the Applicable Laws and Regulations, as applicable.

2. Data Processing Terms

In the course of providing the Services to the Customer and pursuant to the Agreement, Unipie may Process Customer Personal Data as a Data Processor on behalf of the Customer. Unipie agrees to comply with the following provisions with respect to any Customer Personal Data submitted by or for the Customer to the Services or otherwise collected and Processed by or for the Customer by Unipie.

2.1 Processing of the Customer Personal Data

Unipie shall only Process the types of Customer Personal Data relating to the categories of Data Subjects for the purposes of the Agreement and for the specific purposes as set out in Annex 1 to this DPA and shall not Process, transfer, modify, amend or alter the Customer Personal Data or disclose or permit the disclosure of the Customer Personal Data to any third party other than in accordance with the Customer’s documented instructions, unless Processing is required by law.

The Parties agree that Customer shall serve as single point of contact and be solely responsible for internal coordination, review and submission of any Processing instructions in respect of which Customer is the Data Controller.

2.2 Unipie Personnel

Unipie shall take reasonable steps to ensure the reliability of any of its employees, agents or contractors who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need access as strictly necessary for the purposes set out above, and that all such individuals:

  • Are informed of the confidential nature of the Customer Personal Data and are aware of Unipie's obligations under this DPA and the Agreement
  • Have undertaken appropriate training in relation to the Applicable Laws and Regulations
  • Are subject to confidentiality undertakings or professional or statutory obligations of confidentiality
  • Are subject to user authentication and log on processes when accessing the Customer Personal Data

2.3 Security

Unipie shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which may include:

  • Pseudonymisation and encryption of Customer Personal Data
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • The ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing

2.4 Subprocessing

Unipie shall not engage any Subprocessor other than with the prior general authorisation of the Customer. With respect to each Subprocessor, Unipie shall:

  • Carry out adequate due diligence
  • Include terms in the contract which are similar to those set out in this DPA
  • Incorporate the Standard Contractual Clauses or such other mechanism for transfers outside of the EEA
  • Remain fully liable to the Customer for any failure by each Subprocessor

Customer hereby authorises Unipie to engage those Authorised Subprocessors set out in Annex 4.

2.5 Data Subject Rights

Unipie shall promptly notify the Customer if it receives a request from a Data Subject under any Applicable Laws and Regulations in respect of Customer Personal Data. Unipie shall co-operate as requested by the Customer to enable the Customer to comply with any exercise of rights by a Data Subject.

2.6 Personal Data Breach

Unipie shall notify the Customer immediately upon becoming aware of or reasonably suspecting a Personal Data Breach, providing sufficient information to allow the Customer to meet any obligations to report a Personal Data Breach.

2.7 Data Protection Impact Assessment and Prior Consultation

Unipie shall provide reasonable assistance to the Customer with any record of processing activities, data protection impact assessments, and prior consultations to any Supervisory Authority.

2.8 Deletion or Return of Customer Personal Data

Upon Customer’s request, Unipie shall:

  • Return a copy of all Customer Personal Data to the Customer
  • Securely wipe all Customer Personal Data Processed by Unipie or any Authorised Subprocessor
  • Provide written certification to the Customer that it has complied fully

Unipie may retain Customer Personal Data only as required by law.

2.9 Audit Rights

Unipie shall make available to the Customer on request all relevant certificates regarding data privacy and security, and allow for and support audits by the Customer or another auditor mandated by the Customer.

2.10 Indemnity and Liability

Unipie shall indemnify and hold harmless the Customer from and against all allegations, claims, actions, suits, demands, damages, liabilities, obligations, losses, settlements, judgments, fines and sanctions, costs and expenses arising out of any wilful and/or negligent breach of obligations as Data Processor as set out under this DPA and Applicable Laws and Regulations.

2.11 Governing Law and Jurisdiction

The terms of this DPA and any dispute or claim arising out of it shall be governed by and interpreted in accordance with German law and the Parties irrevocably agree that the courts of Berlin shall have exclusive jurisdiction.

2.12 General Terms

This DPA shall terminate automatically upon termination of the Agreement or expiry or termination of all service contracts entered into by Unipie with the Customer. Any obligation imposed on Unipie under this DPA in relation to the Processing of Personal Data shall survive any termination or expiration of this DPA.

ANNEX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA

Categories of data subjects: Employees of Customer, and users of current and potential clients of the Customer.

Categories of personal data transferred: Contact information (Name, Surname, Email, Phone number), IP address, profile picture (where provided), statistical data.

Sensitive data transferred: n/a

Frequency of the transfer: As required for the provision of services.

Nature of the processing: Storage, processing, technical support, disclosures as compelled by law.

Purpose(s) of the data transfer and further processing: Contact for sales purposes, provision of Unipie services.

Retention period: For the duration of the Agreement, deletable on request.

ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES

The technical and organisational measures are included herein by reference: https://www.minoa.io/toms

ANNEX 3: STANDARD CONTRACTUAL CLAUSES

By signing this DPA, the Parties agree to sign by reference and adhere to the Standard Contractual Clauses (Module Two “Transfer from controller to processor”) as provided in the European Commission Implementing Decision (EU) 2021/914.

Data exporter: As defined above for “Customer”.

Data importer: Unipie Inc., 251 Little Falls Drive, Wilmington, New Castle County, Delaware 19808. Contact: Max Elster, CEO, max@minoa.io.

Supervisory Authority: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Alt-Moabit 59-61, 10555 Berlin. Email: mailbox@datenschutz-berlin.de

ANNEX 4: AUTHORISED SUBPROCESSORS

The customer authorizes subprocessors listed in the Minoa Trust Center (https://app.vanta.com/trust-center/view/subprocessors) at the time of signing this DPA. Access to the Trust Center and registration for automatic notifications about new or changing subprocessors can be provided upon request sent to richard@minoa.io.

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.