DPA - Data Processing Agreement

Last Updated: December 17th, 2022

This Data Processing Agreement ("DPA") is entered into between Dabella Consulting, LLC. ("Ensta Web") and Customer jointly "the Parties"), and forms a part of the Services Agreement between the Parties, and reflects the Parties' agreement with regard to the Processing of Personal Data in accordance with the requirements of Data Protection laws.

By signing this DPA, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent EnstaWeb processes personal Data for which such Authorized Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and Authorized Affiliates.

This DPA is effective on the date that it has been duly executed by both Parties ("Effective Date"), and amends, supersedes, and replaces any prior data processing agreements that the Parties may have been entered into. Any modifications to the terms of this DPA (whether handwritten or otherwise) will render this DPA ineffective unless EnstaWeb has separately agreed to those modifications in writing.

1. Definitions 

1.1. Affiliate - means any entity that directly or indirectly controls, is controlled by or is under common control with the subject entity. "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

1.2. Authorised Affiliate - means Customer's Affiliate(s) which (a) are subject to Data Protection Laws; (b) are permitted to use the Services pursuant to the Agreement between Customer and EnstaWeb; and (c) have not signed their own Services Agreement with EnstaWeb and are not "Customers" as defined under this DPA.

1.3. CPA - means the California Consumer Privacy Act of 2018 (California Civil Code sections 1798.100 - 1798.199) and its accompanying regulations.

1.4. Controller - means the entity that determines the purposes and means of the Processing of Personal Data. For purposes of this DPA, Customer is the Controller. For the purposes of this DPA, all references to Controller shall also mean "business" as defined in the CPA for CPA purposes.

1.5. Covered Services or Services - means the services that are ordered by the Customer from

Ensta Web involving the Processing of Personal Data on behalf of the Customer.

1.6. Customer - means the entity that signed the Services Agreement and that determines the purposes and means of Processing of Personal Data. The Customer is considered the "Controller" of the Personal Data provided pursuant to this DPA.

1.7. Data Breach - means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer's Personal Data transmitted, stored, or otherwise Processed.

1.8. Data Protection Laws - means any applicable law, statute, law, regulation or order by governmental authority of competent jurisdiction, or any judgment, decision, decree, injunction, writ, order, subpoena, or like action of any court, arbitrator or other government entity, and at all times during the term of the Services Agreement, including the laws of the European Union, the UK Data Protection Act 2018, the GDPR, and the CPA, all as amended or replaced from time to time, and any other foreign or domestic laws to the extent that they are applicable to a party in the course of its performance of the Services Agreement.

1.9. Data Subject - means either: 1) the individual within the European Economic Area and the United Kingdom to whom Personal Data relates for GDPR purposes, or 2) a "consumer," as such term is defined in the CPA for CPA purposes.

1.10. GDPR - means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

1.11. Personal Data - means either: 1) data about a specific natural person within the European Economic Area or the United Kingdom from which that person is identified or identifiable, as defined in GDPR or 2) "personal information" as defined in the CPA for CPA purposes, which is provided by or on behalf of Customer and Processed by EnstaWeb pursuant to the Services Agreement.

1.12. Processing - means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.


1.13. Processor - means the entity which Processes Personal Data on behalf of the Controller. For purposes of this DPA, EnstaWeb, including its Affiliates, is the Processor. For the purposes of this DPA, all references to Processor shall also mean "service provider" as defined in the CCPA for CCPA purposes.


1.14. Regulator - means any supervisory authority with authority under Data Protection Laws over all or any part of the provision or receipt of the Services or the Processing of Personal Data


1.15. Services Agreement - means any services agreement including, but not limited to, Ensta Web's online terms (available at https://www.EnstaWeb.io/terms-and-conditions) between EnstaWeb and Customer under which Covered Services are provided by EnstaWeb to Customer.


1.16. Standard Contractual Clauses - means the annex found in the European Commission decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available as of August 1, 2021 at https://eur-lex.europa.cu/eli/dec_impl/2021/914/oj).

1.17. Sub-processor - means any Processor engaged by EnstaWeb to Process Personal Data on behalf of EnstaWeb.

2. Services Agreement

This DPA supplements the Services Agreement and in the event of any conflict between the terms of this DPA and the terms of the Services Agreement, the terms of this DPA prevail with regard to the specific subject matter of this DPA.


3. Data Protection Laws

3.1. Roles of the Parties - The Parties acknowledge and agree that EnstaWeb will Process the Personal Data in the capacity of a Processor and that Customer will be the Controller of the Personal Data.

3.2. DPO - The Parties, to the extent required by the GDPR, will each designate a data protection officer (a "DPO*) and provide their contact details to the other Party where required by Data Protection Laws.


4. Controller Obligations

4.1. Instructions - Customer warrants that the instructions it provides to EnstaWeb pursuant to this DPA will comply with Data Protection Laws.

4.2. Data Subject and Regulator Requests - Customer shall be responsible for communications and leading any efforts to comply with all requests made by Data Subjects under Data Protection Laws and all communications from Regulators that relate to the Personal Data, in accordance with Data Protection Laws. To the extent such requests or communications require EnstaWeb's assistance, Customer shall immediately notify EnstaWeb in writing of the Data Subject's or Regulator's request.

4.3. Notice, Consent, and Other Authorizations - Customer agrees that the Personal Data it collects shall be in accordance with Data Protection Laws, including all legally required consents, bases of processing, approvals, and authorizations. Upon Ensta Web's request, Customer shall provide all information necessary to demonstrate compliance with these requirements.

5. Details of Processing Activities

5.1. The following table sets out the details of Processing:

6. Processor Obligations Supplementing the Standard Contractual Clauses

6.1. Scope of Processing - EnstaWeb will Process the Personal Data on documented instructions from Customer in such manner as is necessary for the provision of Services under the Service Agreement, except as may be required to comply with any legal obligation to which EnstaWeb is subject. EnstaWeb may make reasonable efforts to inform customers if, in its opinion, the execution of an instruction relating to the Processing of Personal Data could infringe on any Data Protection Laws. In the event EnstaWeb must Process or cease Processing Personal Data for the purpose of complying with a legal obligation, EnstaWeb will inform the Customer of that legal requirement before Processing or ceasing to Process, unless prohibited by the law.

6.2. Disclosure to Third Parties - Except as expressly provided in this DPA, EnstaWeb will not disclose Personal Data to any third party without Customer's consent. If requested or required by a competent governmental authority to disclose the Personal Data, to the extent legally permissible and practicable, Ensta Web will provide Customer with sufficient prior written notice in order to permit Customer the opportunity to oppose any such disclosure.

6.3. GDPR Articles 32-36 - Taking into account the nature of the Processing and the information available to EnstaWeb, EnstaWeb will provide reasonable assistance to Customer in complying with its obligations under GDPR Articles 32-36, which address obligations with regard to security, breach notifications, data protection impact assessments, and prior consultation.

7. Audit

7.1. Scope - EnstaWeb will maintain records of its Processing activities carried out on behalf of Customer and will make available to Customer the information reasonably necessary to demonstrate its compliance with the obligations set out in this DPA. EnstaWeb may limit the scope of information made available to Customer if Customer is a EnstaWeb competitor, provided that such limitation does not violate Data Protection Laws or the Standard Contractual Clauses. Customer's inspection rights under this DPA do not extend to Ensta Web's employee payroll, personnel records or any portions of its sites, books, documents, records, or other information that do not relate to the Services or to the extent they pertain to third parties

7.2. Process - Subject to thirty (30) days prior written notice from Customer and at the Customer's additional expense (including all reasonable costs and fees for any and all time EnstaWeb expends on such audit, in addition to the rates for services performed by EnstaWeb), EnstaWeb and Customer shall mutually agree to appoint a third-party auditor to verify that EnstaWeb is in compliance with the obligations under this DPA. In no event shall the Parties agree to a third-party auditor that is a competitor to EnstaWeb. Audits and inspections will be carried out at mutually agreed times during regular business hours. Customers shall be entitled to exercise this audit right no more than once every twelve (12) months. Customers shall not be entitled to an on-site audit of EnstaWeb's premises without demonstrating a compelling need for such an on-site audit. The Parties shall mutually agree upon the duration of the audit.

7.3. Confidentiality - All information obtained during any such request for information or audit will be considered EnstaWeb's confidential information under the Services Agreement and this DPA. The results of the inspection and all information reviewed during such inspection will be deemed Ensta Web's confidential information. The third party auditor may only disclose to Customer specific violations of this DPA if any, and the basis for such findings, and shall not disclose any of the records or information reviewed during the inspection.

8. Contracting with Sub-processors

Customer hereby gives its general authorization for Ensta Web to engage new Sub-processors in connection with the processing of the Personal Data as set forth in clause 9 of the Standard Contractual Clauses. A list of EnstaWeb's current Sub-processors is located at https:// www.EnstaWeb.io/privacy-policy#subprocessors. Customers must sign up at the aforementioned URL to receive email notifications concerning the addition of new Sub-processors. Customers

may reasonably object to the addition of any new Sub-processor within 15 calendar days of receiving such email notification, in which case EnstaWeb will use reasonable efforts to make a change in the Service or recommend a commercially reasonable change to avoid processing by such Sub-processor. If EnstaWeb is unable to provide an alternative, Customer may terminate the Services and shall pay EnstaWeb any fees or expenses not yet paid for all services provided pursuant to any Services Agreement. If Customer fails to sign up for these email notifications,

Customer shall be deemed to have waived its right to object to the newly added Subprocessors).

9. Transfers Outside of the EEA (European Economic Area)

9.1. Transfer - Customer acknowledges that EnstaWeb may, without Customer's prior written consent, transfer the Personal Data to a foreign jurisdiction provided such transfer is either (i) to a country or territory which has been formally recognized by the European Commission as affording the Personal Data an adequate level of protection or (in) the transfer is otherwise safeguarded by mechanisms, such as Standard Contractual Clauses and other certification

instruments, recognized and approved by the European Commission from time to time.

9.2. Standard Contractual Clauses - If Customer's use of the Services involves Customer's transfer of Personal Data from the United Kingdom or European Economic Area to EnstaWeb, or if entering into the Standard Contractual Clauses set forth in the Appendix to this DPA with EnstaWeb would otherwise help Customer satisfy a legal obligation relating to the international transfer of Personal Data, then (i) by entering into this DPA, the Parties are deemed to be signing such Standard Contractual Clauses, including each of its applicable Annexes and (ii) such Standard Contractual Clauses form part of this DPA and take precedence over any other provisions of this DPA to the extent of any conflict.

10. Additional Terms for California Data Subjects

To the extent that the CCPA applies, EnstaWeb agrees it will not: (a) sell California Data Subjects' Personal Data (as "sell" is defined in the CCPA); (b) retain, use, or disclose California Data Subjects' Personal Data for a commercial purpose other than providing the services specified in the Services Agreement; (c) retain, use, or disclose California Data Subjects Personal Data outside of the direct business relationship between Processor and Customer. EnstaWeb certifies that it understands these restrictions set out in this section and will comply with them.


11. Obligations Post-Termination

Termination or expiration of this DPA shall not discharge the Parties from their obligations that by their nature may reasonably be deemed to survive the termination or expiration of this DPA


12. Liability and Indemnity

Any claims brought under this DPA will be subject to the same terms and conditions, including the exclusions and limitations of liability, as are set out in the Services Agreement.

13. Severability

Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or enforceability without invaliding the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. The Parties will attempt in good faith to agree upon a valid and enforceable provision that is a

reasonable substitute and shall incorporate such substitute provision into this Agreement.

Knowledge Base and Video Built-In

Email Support

support@enstaweb.com

Video Tutorials

(Coming Soon)

EnstaWeb Youtube Channel

Made With EnstaWeb