Data Processing Agreement (DPA)

Updated: 2026-06-19

This data processing agreement (the DPA) forms an integral part of the Terms of Use and is concluded pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 (GDPR). It sets out how MB „Didysis Uvis" (the Processor) processes personal data on behalf of the Client (the Controller) when the Client enters third parties' personal data into the UVIS system (the System).

1. Roles of the parties

With respect to personal data that the Client enters into the System about its clients, partners or employees, the Client is the data controller and the Processor is the data processor. The Processor processes such data only on the Controller's documented instructions, which consist of the Terms of Use, this DPA and the use of the System's functionality.

2. Subject matter, nature, purpose and duration

  • Subject matter and nature: storage and processing of personal data in the course of providing bookkeeping and CRM (cloud, SaaS) services.
  • Purpose: to enable the Controller to keep its accounts and manage client relationships using the System.
  • Duration: processing continues for as long as the Terms of Use are in force (while the Client's account is active), with a transition period after termination (see Section 9).

3. Types of data and categories of data subjects

  • Data subjects: the Client's customers, suppliers, partners, employees and other individuals whose data the Client enters into the System.
  • Types of data: names, contact details, company and personal codes, bank account and payment data, information contained in invoices and documents. The Client should not upload special category (sensitive) data unless necessary.

4. Processor's obligations

  • process personal data only on the Controller's documented instructions, including transfers outside the EEA, unless required by law;
  • ensure that persons authorised to process the data are bound by confidentiality;
  • implement appropriate technical and organisational security measures (see Section 5);
  • assist the Controller in fulfilling data subjects' rights and its obligations under GDPR Articles 32–36 (security, breach notification, impact assessment), taking into account available information;
  • upon the end of the services, at the Controller's choice, delete or return the personal data (see Section 9);
  • make available to the Controller the information necessary to demonstrate compliance with these obligations.

5. Security measures

The Processor applies measures consistent with GDPR Article 32, including: isolation of each client's data in a separate database schema (multi-tenant isolation), encryption of sensitive keys, storage of passwords only as cryptographic hashes, HTTPS connection, access control and backups.

6. Sub-processors

The Controller grants a general authorisation to engage sub-processors. The following are currently engaged:

  • Server / hosting provider – hosting of the System (EU).
  • Stripe – payment processing (when choosing a paid plan).
  • Google – optional, when connecting Google Sheets / Drive or signing in with Google, and for sending emails.
  • Anthropic – provision of AI functions (only when AI / the Pro plan is active).

The Processor ensures that sub-processors are subject to no less protective data protection obligations. The Processor will give prior notice of any intended change or addition of sub-processors, giving the Controller the opportunity to reasonably object.

7. Assistance to the Controller

Taking into account the nature of the processing, the Processor assists the Controller by appropriate technical and organisational measures in fulfilling its obligation to respond to requests by data subjects exercising their rights (access, rectification, erasure, restriction, portability, objection). Most of these actions can be performed by the Controller itself through the System's functions and data export.

8. Personal data breach notification

On becoming aware of a personal data breach, the Processor notifies the Controller without undue delay and provides the available information so that the Controller can meet its notification obligations under GDPR Articles 33–34.

9. Deletion and return of data

Upon termination, the Controller may, for a reasonable transition period, download (export) its data. After this period, the Processor will, at the Controller's choice, delete or return the personal data and destroy existing copies, except where retention is required by law.

10. Audit

The Processor makes available to the Controller the information necessary to demonstrate compliance with GDPR Article 28 obligations and allows for reasonable inspections (audits), carried out at a time and scope agreed in advance, without disclosing other clients' data or trade secrets.

11. International transfers

Where personal data is transferred outside the EEA (e.g. via Anthropic or, in certain cases, Stripe / Google), the transfer is based on appropriate safeguards – the European Commission's Standard Contractual Clauses (SCC) or adequacy decisions.

12. Liability and governing law

The liability limitations of the Terms of Use apply to the parties' liability. This DPA is governed by the law of the Republic of Lithuania and the GDPR. In the event of a conflict between this DPA and the Terms of Use regarding the processing of personal data, this DPA prevails.

13. Contact

Email: info@uvis.pro
Website: www.uvis.pro