Data Processing Agreement

Version 1.0 | Effective: January 1, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", "Controller") and Sinfin s.r.o. ("Scorika", "Processor") for the use of the Scorika API.

1. Definitions

"Personal Data"
Any data relating to an identified or identifiable natural person submitted via the API.
"Processing"
Any operation performed on Personal Data (collection, storage, analysis, deletion).
"Controller"
The Customer who determines the purposes and means of Processing.
"Processor"
Scorika, who processes Personal Data on behalf of the Controller.

2. Scope of Processing

Subject Matter: Fraud detection and risk scoring services
Duration: Term of the Service Agreement
Nature & Purpose: Analysis of data to generate risk scores
Data Categories: Email addresses, IP addresses, phone numbers, domain names, order data
Data Subjects: End users of Controller's services

3. Processor Obligations

Scorika shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to data subject requests
  • Delete or return Personal Data upon termination (at Controller's choice)
  • Make available information necessary to demonstrate compliance
  • Allow and contribute to audits conducted by the Controller

4. Subprocessors

The Controller authorizes Scorika to engage the subprocessors listed at scorika.com/subprocessors.

Scorika will notify the Controller of any intended changes to subprocessors at least 30 days in advance. The Controller may object to such changes.

5. Security Measures

Scorika implements the following Technical and Organizational Measures (TOMs):

🔐 Encryption
  • TLS 1.3 in transit
  • AES-256 at rest
  • Encrypted backups
🔑 Access Control
  • Role-based access (RBAC)
  • API key authentication
  • MFA for employees
🏢 Infrastructure
  • AWS EU (Frankfurt)
  • SOC 2 certified infrastructure
  • Regular security audits
📋 Organizational
  • Security policies
  • Incident response plan
  • Employee training

6. Data Breach Notification

Scorika will notify the Controller of any Personal Data breach without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include:

  • Nature of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences
  • Measures taken or proposed to address the breach

7. International Transfers

Personal Data is processed primarily in the EU (AWS eu-central-1, Frankfurt).

For any transfers outside the EU/EEA, Scorika relies on Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914).

8. Data Deletion on Termination

Upon termination of the Service Agreement, Scorika will:

  1. Provide a 30-day export window for Controller to download their data
  2. Delete all Personal Data within 90 days of termination
  3. Provide written confirmation of deletion upon request

Note: Aggregated, anonymized data may be retained for analytics purposes.

9. Audit Rights

Upon reasonable notice, the Controller may audit Scorika's compliance with this DPA. Audits are limited to once per year unless a data breach has occurred. Controller bears the cost of audits unless non-compliance is found.

10. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service.