Data Processing Agreement

Last updated: 12 February 2026

Data Processor Contract (Article 28 GDPR)

1. Parties to the Agreement

This Data Processing Agreement ('DPA') is entered into between:

DATA CONTROLLER (User)

The natural or legal person using the Cotiza Service who determines the purposes and means of processing their clients' personal data.

DATA PROCESSOR

2. Subject Matter of Processing

The Controller engages the Processor to process third-party personal data (the Controller's clients) necessary for providing the quote generation service through the Cotiza platform, in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR) and Article 33 of Spanish Organic Law 3/2018 (LOPDGDD).

3. Data Subject to Processing

The Processor will process the following data of the Controller's clients on behalf of the Controller:

  • Identifying and contact data: name, surname, email, phone number, address
  • Tax data: Tax ID (NIF/CIF), company name, fiscal address
  • Project data: job descriptions, location, property photographs
  • Commercial data: quote history, amounts, statuses

Data subjects are clients or potential clients of the Controller, natural persons or representatives of legal entities.

4. Duration

This DPA shall enter into force upon the Controller's registration with Cotiza and shall remain in effect while the Controller maintains an active account. Following termination of the service, the Processor shall delete the data in accordance with this agreement.

5. Processor Obligations

The Processor undertakes to:

  • Process personal data only on documented instructions from the Controller, including transfers to third countries, unless required to do so by Union or Member State law
  • Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in section 6
  • Not engage another processor without prior specific or general written authorization of the Controller. In the case of general written authorization, inform the Controller of any intended changes
  • Assist the Controller in fulfilling its obligation to respond to requests for exercising data subjects' rights
  • Assist the Controller in ensuring compliance with obligations relating to security of processing, breach notification, impact assessments, and prior consultations
  • At the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless storage is required
  • Make available to the Controller all information necessary to demonstrate compliance with obligations, and allow for and contribute to audits

6. Security Measures

The Processor shall implement the following technical and organizational measures:

Technical measures:

  • Data encryption in transit using TLS 1.3 and at rest using AES-256
  • Secure authentication system with JWT tokens and support for two-factor authentication
  • Role-based access control following the principle of least privilege
  • Automatic daily backups with 30-day retention and encryption
  • Continuous monitoring and access logging

Organizational measures:

  • Confidentiality agreements with all personnel
  • Data protection training for personnel with access
  • Documented incident management procedures
  • Periodic security audits

The Processor's main infrastructure providers (Supabase, Vercel) hold SOC 2 Type II and ISO 27001 certifications.

7. Sub-processors

The Controller expressly authorizes the Processor to sub-contract the following services:

  • Supabase Inc.: database storage and authentication
  • Anthropic PBC: AI processing for quote generation
  • Vercel Inc.: application hosting
  • Stripe Inc.: payment processing
  • Resend Inc.: email delivery

These providers are located in the USA and transfers are covered by the EU-US Data Privacy Framework or EU Standard Contractual Clauses.

The Processor shall inform the Controller of any intended changes to the list of sub-processors, giving the Controller the opportunity to object. Unjustified objection shall not prevent the change.

8. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any case within 48 hours, of any personal data breach of which it becomes aware, including all information necessary for the Controller to comply with its obligation to notify the supervisory authority and, where applicable, the data subjects.

9. Controller Obligations

The Controller undertakes to:

  • Ensure a valid legal basis exists for processing their clients' personal data
  • Inform their clients about the processing of their data and their rights, including disclosure to processors
  • Provide accurate and up-to-date data
  • Give documented instructions in compliance with data protection regulations

10. Return or Deletion of Data

Upon termination of the service, the Processor shall, at the choice of the Controller, return all personal data or delete them, unless there is a legal obligation to retain them. The Controller shall have 30 days after closing their account to request data export. After this period, complete deletion will proceed.

11. Liability

Each party shall be liable for damages caused by breaching its obligations under GDPR and this DPA. The Processor shall only be liable for damages caused by processing where it has not complied with GDPR obligations specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller.

12. Contact

For any questions relating to this DPA or the processing of personal data:

Email: soporte@cotizapro.es

Phone: +34 694 202 019