Definitions

  1. Agreement – a contract for the provision of Services concluded between the Operator and the Contractor on the terms and conditions set out in the Terms and Conditions.
  2. Terms and Conditions – this document together with its appendices.
  3. Party – Operator or Contractor.
  4. Operator – Glasson International Spółka z Ograniczoną Odpowiedzialnością with its registered office at: ul. 3-go Maja 17 lok. 3, 40-095 Katowice, NIP: 5771983931, REGON: 368530968.
  5. Services – tools supporting the Contractor’s optical business, made available on the Website by the Operator under the terms of these Terms and Conditions.
  6. Website – a SaaS (software as a service) tool made available by the Operator at: www.glasson.app.
  7. Contractor – a natural person conducting business activity, a legal person or an organizational unit without legal personality, to which the law grants legal capacity, being an optician or conducting optical business, commissioning the Operator to provide Services.
  8. Contractor’s Account (hereinafter also referred to as the “Account”) – a separate part of the Website containing a set of information about the Contractor, enabling the Contractor to use the Services.
  9. Customer – an entity using the Contractor’s services.
  10. Registration – completion by the Contractor of an electronic form available on the Website by providing the data indicated in the form, submitting statements regarding the business activity conducted, and sending them to the Operator using the option available in the form. Registration requires activating the link sent to the email address provided in the registration form. Registration results in the creation of a Contractor Account and the start of the Trial Period.
  11. Fee – remuneration for the use of a given Subscription Plan and additional functionalities enabled by the Contractor, available through the Website. The Fee is paid by bank transfer or through an electronic payment system after the Operator issues an accounting document. The Fee is payable in advance, unless the Fee Table provides otherwise.
  12. Billing Period – the period from the first to the last day of a calendar month.
  13. Incomplete Billing Period – the period from a day other than the first day of the calendar month to the last day of the calendar month.
  14. Trial Period – seven calendar days from the date of obtaining full functionality of the Contractor’s Account, during which the Contractor may use the Services without having to pay Fees.
  15. Subscription Plan (hereinafter also referred to as the “Plan”) – the scope of Services provided by the Operator (depending on the type of Plan selected by the Contractor, in accordance with the Fee Table).
  16. Fee Table – an integral part of the Terms and Conditions, constituting Appendix I, containing information on the amount of Fees and the date of their payment.
  17. Terms and Conditions of Personal Data Processing / Terms and Conditions of Processing – an integral part of the Terms and Conditions, constituting Appendix II, which is a personal data processing agreement within the meaning of Article 28 of the GDPR.
  18. Blocking of the Account (hereinafter also referred to as “Account Blocking”) – preventing the Contractor from using the Account for reasons specified in the Terms and Conditions.
  19. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016.
  20. Technical Support – support for the Contractor in the use of the Contractor’s Account.
  21. Force Majeure – events caused by reasons that could not have been foreseen and over which the Operator had no control, in particular: natural disasters, wars, riots.
  22. Business Day – days from Monday to Friday, excluding Saturdays, Sundays, and public holidays.

§ 1. General provisions

  1. The Agreement is concluded by completing the Registration and accepting these Terms and Conditions.
  2. The Terms and Conditions define the rules for the use of the Website by Contractors.
  3. The full functionality of the Contractor’s Account is activated after verification of the correctness of the data provided by the Contractor during Registration, which will take place within 2 Business Days of Registration.

§ 2. Rights and obligations of the Contractor

  1. The Contractor is the administrator of the data entered in the Account.
  2. The Contractor is entitled to free Technical Support by calling the telephone number provided on the Website during the hours indicated there.
  3. The Contractor is obliged to:
    a) provide true and complete data during Registration and when ordering Services,
    b) pay Fees on time,
    c) immediately update the Contractor’s data in the event of any changes.
  4. The Contractor declares that the data provided in the Account is true and accurate.
  5. The Contractor may not provide any illegal content within the scope of the Website and the Contractor’s Account.

§ 3. Blocking the Contractor’s Account

  1. The Operator reserves the right to Block the Contractor’s Account in the event of:
    a) violation of these Terms and Conditions by the Contractor,
    b) use of the Account in a manner inconsistent with applicable law or contrary to good practices,
    c) the Operator having reasonable doubts as to the accuracy of the data provided during Registration,
    d) other circumstances specified directly in the Terms and Conditions.
  2. The Contractor shall be informed of the Account Block immediately after it has been made:
    – by means of a message in the Contractor’s Account and
    – by e-mail to the address provided during Registration.

§ 4. Ordering and providing Services

  1. During the Registration process, the Contractor is required to read and accept the Terms and Conditions.
  2. During the Trial Period and after its completion, the Contractor may place an order for the provision of Services. To place an order, the order form available in the Account must be completed.
  3. After the Trial Period, the Contractor’s Account will be Blocked until an order for the provision of Services is placed.
  4. If the Contractor fails to pay for the order or fails to settle the Fees within the time limit specified in the accounting document, despite being requested by the Operator (by email and a message in the Account) to make the payment within an additional 7-day period, the Contractor’s Account will be Blocked until the order is paid for or the Fees are settled.
  5. The Fee shall be paid within 7 (seven) days from the date of issue of the accounting document.
  6. The Contractor agrees to the issuance and sending of invoices electronically to the email address provided during Registration.
  7. During the term of the Agreement, the Contractor may change the Subscription Plan, provided that the selection of a lower-priced Plan does not result in the Operator’s obligation to refund the Fees already paid. The change of Plan shall take effect upon its implementation by the Contractor in the Account.
  8. Settlement of amounts due for changing the Plan in the event of selecting a higher-priced Plan shall be made in accordance with the Fee Table, in proportion to the period during which the Contractor used the respective Plans.
  9. The Operator reserves that the time needed to update the Website (in particular with regard to changes in the offer of manufacturers and distributors of eyeglass lenses) is 7 Business Days from the date of publication of a new offer by them.

§ 5. Termination of the Agreement

  1. The Contractor is entitled to terminate the Agreement at any time. Termination may be effected:
    a) in writing to the Operator’s address,
    b) by e-mail,
    c) using the functionality available in the Contractor’s Account.
  2. Termination of the Agreement does not result in the Operator being required to refund any Fees already paid.
  3. In the event of termination of the Agreement by the Contractor, at their request submitted by email or via the contact form available in the Account, the Contractor’s Account is converted to a demo version Account for a period of 24 months. After this time, if the Account is not reactivated, it shall be deleted. Until the Account is deleted, the data related to the Account shall be retained by the Operator. The Account may also be deleted at the express request of the Contractor (submitted together with the termination, during the notice period or after its expiry).
  4. Failure to terminate the Agreement results in the automatic extension of the Account’s validity (conclusion of a new Agreement) in accordance with the Subscription Plan. If the current Plan is not available, the Contractor will be assigned the most similar Plan (according to the cost criterion), to which the Contractor agrees.
  5. The Operator may terminate the Agreement without giving any reason, subject to a 30-day notice period at the end of the calendar month.
  6. The Operator may terminate the Agreement without notice if the reasons for the Block referred to in § 4(1) do not cease within 30 days of its implementation.
  7. If the amendments to the Terms and Conditions are not accepted, the Agreement shall expire after the expiry of the 14 days provided for acceptance.

§ 6. Contractor’s data

  1. The administrator of the Contractors’ personal data is the Operator: Glasson International Sp. z o.o., ul. 3-go Maja 17 lok. 3, 40-095 Katowice, NIP: 5771983931, REGON: 368530968. The Operator may process the following personal data of the Contractor: name and surname, address, telephone number, e-mail address.
  2. Personal data is processed for the purpose of performing the Agreement and direct marketing of the Operator’s own products or services, in accordance with the law.
  3. The Contractor has the right to access and correct their personal data.
  4. Providing personal data is voluntary, but may be necessary for the provision of Services.
  5. The Operator is not the controller of personal data entered by the Contractor in the Contractor’s Account.
  6. The Contractor is the controller of Customer data entered in the Contractor’s Account and declares that it processes such data in accordance with the law (including having the consent of Customers or another legal basis). Detailed rules for data processing are set out in Appendix II.

§ 7. Rights to intangible assets

  1. All materials made available on the Website and the manner of their presentation (layout) are protected by copyright and related rights (consolidated text: Journal of Laws of 2025, item 24) or industrial property rights (consolidated text: Journal of Laws of 2023, item 1170) and are vested in the Operator, unless otherwise expressly stated in their content.
  2. The Contractor is entitled to use the Services for the duration of the Agreement only to the extent of the functionality made available by the Operator, in accordance with the order placed. The Contractor shall not obtain any rights (including intellectual property rights) beyond those expressly specified in the Agreement; in particular, the Contractor shall not be entitled to obtain source files.
  3. The Operator shall have the right to publish the Contractor’s website address and logo/trademark on the reference list on the Website. The Contractor grants free permission to use these markings in this regard for an indefinite period and declares that it is entitled to grant such authorization. The Contractor may revoke its consent by sending an email from the address provided during Registration.

§ 8. Liability

  1. The Operator shall be liable for damages only in cases of intentional fault and gross negligence. The Operator’s liability is limited to three times the monthly Subscription Fee.
  2. The Operator’s liability for interruptions or difficulties in using the Service is excluded if:
    a) the interruption results from the need to repair, modify, or maintain equipment or software, provided that the total interruption does not exceed 48 hours in the Billing Period,
    b) the interruption results from circumstances beyond the Operator’s control (e.g., force majeure, actions of a third party, actions of the Contractor),
    c) the interruption results from an error or delay in transmission, unless it occurred due to the Operator’s fault.
  3. The Contractor undertakes to cover any damages resulting from the Contractor’s actions or omissions that are contrary to the law, the Terms and Conditions, or custom (losses and lost profits).
  4. Liability related to the processing of personal data is regulated in Appendix II.

§ 9. Technical conditions

  1. In order to use the Website and Services properly, the following is required:
    a) a computer with Internet access, equipped with an up-to-date web browser, or
    b) a mobile device (smartphone/tablet or other) with Internet access, equipped with an up-to-date web browser.
  2. The Operator reserves the right to perform maintenance and update work on the Website. The Operator will make every effort to ensure that the work is carried out as quickly as possible.

§ 10. Complaints

  1. The Contractor has the right to submit a complaint regarding the use of the Website at any time.
  2. Complaints should be submitted:
    a) by email: office@glasson.app, or
    b) via the contact form available in the Account.
  3. The complaint should include: the name of the Contractor, an email address for a response, and a description of the subject of the complaint.
  4. The Operator shall consider the complaint within 10 Business Days, unless the Contractor has not described the complaint in a manner that allows it to be considered or has not provided identification data. In such a case, the period shall run from the date of delivery of the missing information.
  5. The Operator shall send the response to the complaint to the e-mail address provided by the Contractor.

§ 11. Final provisions

  1. The Operator reserves the right to make changes to the Terms and Conditions. The Operator shall inform the Contractor by email and in the Account at least 14 days before the changes come into force. Use of the Website after the date of the changes coming into force requires acceptance of the new terms and conditions.
  2. Changes to the Fee Table shall not affect the prices of Services already paid for.
  3. The invalidity or ineffectiveness of individual provisions shall not affect the validity of the remaining provisions of the Agreement.
  4. Information concerning the Agreement constitutes the Operator’s trade secret within the meaning of the Act on Combating Unfair Competition (consolidated text: Journal of Laws of 2022, item 1233).
  5. Disputes arising from the Terms and Conditions shall be settled by a common court competent for the Operator’s registered office.
  6. The Agreement shall be governed by Polish law.
  7. The appendices form an integral part of the Agreement.

APPENDIX NO. I — TABLE OF FEES

  1. Link to the Table of Fees.
  2. The fees are net amounts to which VAT at the current rate shall be added.
  3. Depending on the selected Subscription Plan, the Contractor is entitled to use the following number of devices previously authorized by the Operator:
    – office – 1 device,
    – salon+ – 2 devices,
    – network – 2 devices per salon.

APPENDIX II — TERMS AND CONDITIONS FOR ENTRUSTING THE PROCESSING OF PERSONAL DATA

I. General provisions and roles of the parties

  1. These Terms and Conditions for the processing of personal data (Terms and Conditions) constitute a processing agreement within the meaning of Article 28 of the GDPR, concluded between:
    a) the Contractor – as the data controller (Controller), and
    b) Glasson International sp. z o.o. – as the data processor (Processor).
  2. The parties confirm that:
    a) the Controller independently determines the purposes and means of personal data processing and is responsible for the compliance of the processing with the GDPR and national regulations,
    b) the Processor processes personal data only on the documented instructions of the Controller, under the terms and conditions set out in these Terms and Conditions.

II. Subject matter, nature, purpose, scope, and duration of processing

  1. The subject matter of the entrustment is the processing of personal data in connection with the provision by the Processor of SaaS services described in the Terms and Conditions (Services).
  2. The nature of the processing includes, in particular: collection, recording, organization, storage, viewing, use, disclosure at the request of the Controller, restriction, erasure, and destruction – to the extent necessary to provide the Services.
  3. The purpose of the processing is to enable the Controller to use the Services, including managing the Controller’s customer relations, scheduling appointments, handling orders, settlements, and analytical and archiving functions, if available as part of the Services.
  4. Categories of data subjects: the Controller’s customers (including patients/customers of optical stores), the Controller’s employees and associates, other persons whose data the Controller enters into the System.
  5. Types of data: identification and contact details (e.g., first name, last name, address, email, phone number, date of birth), appointment details (date, type of appointment, description of appointment), information about frame models, lens power and type, employee data necessary to manage accounts and permissions in the System; to the extent dependent on the Controller’s instructions and the functions used. Special category data (Article 9 of the GDPR), in particular concerning health, may be processed if the Controller so decides and provides a basis under Article 9(2) of the GDPR.
  6. Duration of processing: for the duration of the Agreement and additionally for the period necessary to fulfill obligations under the law or agreed final activities (return/deletion of data).

III. Controller’s instructions and compliance with the law

  1. The Processor shall process data only on documented instructions from the Controller, including with regard to the transfer of data to third countries or international organizations, unless such an obligation is imposed by Union law or the law of a Member State – in which case the Processor shall inform the Controller of this legal obligation before processing begins, unless such information is prohibited by law.
  2. If the Controller’s instructions violate the GDPR or other data protection regulations, the Processor shall immediately inform the Controller thereof before carrying out the instructions, indicating the scope and nature of the objections.

IV. Confidentiality and staff authorizations

  1. Only persons who have been duly authorized and are bound by confidentiality obligations (contractually or by law), trained in data protection and bound to comply with internal security policies.
  2. The obligation of confidentiality shall remain in force even after the termination of these Terms and Conditions.

V. Technical and organizational measures (TOM)

  1. Taking into account the state of technical knowledge, implementation costs, nature, scope, context and purposes of processing, as well as the risk of infringement of the rights or freedoms of natural persons, the Processor has implemented and maintains appropriate technical and organizational measures ensuring a level of security appropriate to the risk referred to in Article 32 of the GDPR.
  2. The minimum catalog of TOMs includes: encryption of data in transit and, where possible, at rest; role-based access control (RBAC) and the need-to-know principle; multi-factor authentication for administrative access; data segmentation and logical separation; event logging and monitoring; vulnerability management and updates; SSDLC, including static and dynamic testing; backup/DR with testing; retention and secure deletion procedures; incident management; regular staff training. For special categories of data, the Processor shall apply enhanced measures, in particular granular access rights and extended logging.
  3. The TOM description constitutes a Security Annex to these Terms and Conditions and may be updated by the Processor in order to maintain at least an equivalent level of protection.

VI. Sub-processors

  1. The Controller grants general authorization for the Processor to use sub-processors to the extent necessary to provide the Services. The current list of sub-processors and their functions is made available to the Controller in the Panel/on the information page indicated in the Terms and Conditions.
  2. The Processor shall inform the Controller of any planned changes regarding the addition or replacement of sub-processors, allowing for an objection to be raised within a reasonable time. Failure to raise an objection within the time limit shall constitute consent. In the event of an objection, the Parties shall take steps in good faith to work out a solution; if this is not possible, the Controller may terminate the Agreement with immediate effect in whole or in part with regard to data processing, without additional fees.

VII. Support, rights of individuals, breaches

  1. Taking into account the nature of the processing, the Processor shall, to the extent possible, assist the Controller in fulfilling its obligation to respond to requests from data subjects regarding the exercise of their rights under Chapter III of the GDPR.
  2. The Processor shall assist the Controller in complying with its obligations under Articles 32-36 of the GDPR, including in the data protection impact assessment (DPIA) and any prior consultation with the supervisory authority, by providing information on the security measures and risks known to the Processor.
  3. The Processor shall, without undue delay, immediately after becoming aware of a personal data breach, notify the Controller of the breach, providing, to the extent available, at least: the nature of the breach, the categories and approximate number of individuals and data records affected, the possible consequences, measures taken or proposed to address the breach and minimize its effects, and the contact details of the contact point. The information may be provided in stages.

VIII. Termination of processing: return and deletion of data

  1. Upon termination of the provision of data processing services, the Processor shall, in accordance with the documented decision of the Controller:
    a) return the complete data set to the Controller in a structured, commonly used, machine-readable format and then delete the data, or
    b) delete the data without returning it.
  2. Unless required by law to retain the data, the Processor shall delete all existing copies, including backups, within a reasonable technical timeframe not exceeding 30 days from the return/deletion of the data. Upon request by the Controller, the Processor shall confirm (in writing or electronically) that the deletion has been carried out.
  3. If the law requires longer storage, the Processor shall ensure the confidentiality and integrity of the data and shall limit the processing to the purpose and period required by law.

IX. Audits and compliance information

  1. The Processor shall provide the Controller with the information necessary to demonstrate compliance with the obligations under these Terms and Conditions and Article 28 of the GDPR, including current reports from independent audits/certifications (if available).
  2. The Controller shall be entitled to conduct an audit no more than once per calendar year or more frequently in justified cases (e.g., a serious incident). The parties shall agree in advance on a reasonable date, scope, and duration of the audit. The audit shall be conducted in a manner that does not compromise the security of information and the rights of third parties, during business hours, at the expense of the Controller, and in confidence.

X. Records, Data Protection Officer, contact

  1. The Processor shall keep a record of the categories of processing activities referred to in Article 30(2) of the GDPR, within the scope of the operations entrusted.
  2. If a Data Protection Officer has been appointed on the part of the Processor, their contact details shall be made available to the Controller; otherwise, the Processor shall designate a data protection contact point for operational communication.

XI. Transfers to third countries and transfer measures

  1. The Processor shall process data exclusively within the EEA, unless the Controller gives separate consent or processing outside the EEA is necessary for the provision of Services by approved sub-processors.
  2. Any transfer of data to a third country shall only take place if: (a) that country is covered by an adequacy decision, or (b) appropriate safeguards have been implemented in accordance with Chapter V of the GDPR, in particular SCCs, supplemented, where necessary, by additional measures. Information about the transfer mechanism shall be made available to the Controller.

XII. Special categories of data

  1. If the Controller entrusts the processing of special categories of data (including health data), it declares that it provides a basis under Article 9(2) of the GDPR and provides appropriate instructions. Upon request of the Processor, the Controller shall provide information confirming the legal basis.
  2. The Processor shall apply enhanced protection measures appropriate to the risk to special categories of data, including access restriction and control, extended logging, and encryption.

XIII. Liability and damage minimization

  1. The Controller shall be liable for compliance with the law on the processing and protection of personal data in accordance with the GDPR.
  2. Subject to mandatory provisions of law, the total liability of the Processor to the Controller for damages shall be limited to an amount equal to 100% of the total net fees paid and due to the Processor under the Agreement during the 12 months immediately preceding the event giving rise to liability.
  3. The Processor shall not be liable for indirect damages (lost profits, revenues, loss of reputation, contractual penalties), unless they are a normal, direct consequence of a breach of fundamental obligations.
  4. The limitations do not apply to the Processor’s liability for:
    a) damage caused intentionally,
    b) intentional breach of confidentiality by disclosing personal data to unauthorized persons,
    c) personal injury (if applicable).
  5. The Processor shall be liable to the Controller only to the extent that the damage arose in connection with the non-performance or improper performance of obligations under the GDPR or the Terms and Conditions. The Processor shall not be liable for damage resulting from:
    a) incorrect instructions from the Controller or processing in accordance with documented instructions,
    b) breaches of GDPR obligations by the Controller (including information, legality of grounds, retention),
    c) force majeure.
  6. To the extent that an administrative fine or compensation is imposed/paid by the Controller as a result of an exclusive breach by the Processor, the Processor shall reimburse the Controller for reasonable and documented costs in this regard, subject to the limit in paragraph 2.
  7. The Processor undertakes to immediately (no later than within 7 days) notify the Controller of any third-party claim or circumstances that may lead to damage and to cooperate in order to limit the damage. Failure to notify immediately shall not deprive the Controller of its rights, but the Processor’s liability shall be reduced accordingly to the extent that the delay increased the damage or hindered the defense.
  8. Claims arising from the same event or series of related events shall be treated as a single event.
  9. With regard to further processors, the Processor shall be liable as for its own acts or omissions, subject to the limits and exclusions of liability.
  10. The provisions of this paragraph shall not limit the rights of data subjects to seek compensation under Article 82 of the GDPR or the powers of the supervisory authority to impose penalties. The limitations apply only to settlements between the Parties.
  11. Each Party shall take reasonable measures to limit and prevent damage (duty to minimize damage).
  12. Each Party shall be liable to the extent that it breaches its obligations under the GDPR or the Terms and Conditions; contractual limitations shall not affect the rights of individuals under Article 82 of the GDPR or the powers of the supervisory authority.

XIV. Final provisions

  1. The Terms and Conditions supersede all previous agreements between the Parties regarding the entrusting of personal data processing related to the Services.
  2. In the event of a conflict between these Terms and Conditions of Processing and other provisions of the main Terms and Conditions, these Terms and Conditions of Processing shall prevail with regard to the processing of personal data.

SECURITY ANNEX TO THE PROCESSING TERMS AND CONDITIONS: TECHNICAL AND ORGANIZATIONAL MEASURES (TOM)

This Annex describes the technical and organizational measures applied by the Processor within the meaning of Articles 28 and 32 of the GDPR. The measures have been designed to be adequate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of the processing, as well as the potential impact of a breach on the rights and freedoms of natural persons.

With regard to special categories of data (including health data) the Processor shall apply the enhanced measures indicated below. The Processor may update the Annex with regard to technical details, provided that this does not lead to a reduction in the overall level of protection.

  1. Information security governance and risk management
    1. The Processor shall maintain an information security management system based on recognized standards.
    2. Roles and responsibilities are defined, including system and data owners, and a data protection contact point.
    3. Risk assessments for information assets are conducted regularly, with plans for dealing with risks.
    4. The principle of minimizing privileges and the “need-to-know” principle are applied.
    5. A formal change management process with an assessment of the impact on security and privacy is in place for changes.
  2. Organizational security measures and training
    1. Personnel are subject to confidentiality obligations.
    2. Initial and periodic training on data protection and information security is provided.
    3. Policies and procedures are in place, including: information classification, clean desk/screen, secure remote working, acceptable use, incident response, and subcontractor management.
  3. Access and identity control (IAM)
    1. Access is based on centralized IAM and RBAC.
    2. The following are used, among others:
      a) MFA for administration and privileged accounts,
      b) strong password and secret rotation policies,
      c) periodic review of permissions and their immediate revocation,
      d) automatic session termination after inactivity.
    3. For special categories of data: granular roles, MFA for users with access to health data, “four-eyes” model where justified.
  4. Data segmentation and separation (multi-tenancy)
    1. Contractor data is logically separated in the application and/or database layer.
    2. Containerization and network segmentation are used to limit the propagation of breaches.
    3. Special categories of data are additionally marked and protected (e.g., separate storage spaces, separate access profiles).
  5. Encryption and key management
    1. Encryption:
      a) in transit – TLS in current, secure versions, without weak ciphers,
      b) at rest – encryption of production data and backups with strong algorithms.
    2. Keys are managed in KMS/HSM services, with limited access and rotation.
    3. Separate keys/key spaces and extended operation logging may be used for special categories of data.
  6. Network and perimeter security
    1. Firewalls, ACLs, and security groups are used.
    2. Traffic is filtered according to the “default deny” principle.
    3. The following are used, among others: WAF, DDoS protection, secure administrative connectivity (VPN/PAM).
    4. Dev/test/prod environments are separated.
  7. Application security and SSDLC
    1. SSDLC includes, among others: code reviews (“four-eyes”), SAST/DAST, SCA, security testing (including pentests for significant releases), release control, and rollback.
    2. Secrets are stored in secret managers; placing secrets in repositories is prohibited.
  8. Logging, monitoring, and accountability
    1. Systems generate logs: logins, data modifications, privileged operations, errors, and anomalies.
    2. Logs are centralized, protected against modification, retained, and monitored (SIEM).
    3. For special categories of data – extended logging and access path auditing.
  9. Vulnerability and patch management
    1. The process includes: scanning, risk assessment (e.g., CVSS + context), patch implementation, bulletin monitoring.
    2. For critical vulnerabilities – accelerated remediation.
  10. Incident response and breach reporting
    1. There is an incident response plan: detection, classification, notification, triage, RCA, corrective actions.
    2. The Processor reports breaches in accordance with the entrustment agreement.
    3. An incident log and improvement actions are maintained.
  11. Backups, DR, and BCM
    1. The backup policy includes: regular backups, encryption, location separation, recovery testing, RPO/RTO targets.
    2. DR/BCM plans and switchover procedures are maintained.
    3. For special categories of data – at least equivalent or higher standards.
  12. Data retention and secure deletion
    1. Data retention and minimization are carried out in accordance with the Administrator’s instructions.
    2. Deletion prevents data recovery and includes secondary media and backups within a reasonable technical timeframe.
    3. Upon request – confirmation of deletion.
  13. Physical and environmental security
    1. Processing is carried out in data centers that meet physical security and business continuity standards.
    2. The following are provided, among others: access control, monitoring, multi-zone security, power and cooling redundancy, fire protection systems, flood detection.
    3. Suppliers have adequate certifications (e.g., ISO 27001 / PCI-DSS, where applicable).
  14. Management of suppliers and sub-processors
    1. Before selecting a sub-processor, the Processor assesses security and compliance with the GDPR.
    2. Contracts contain obligations equivalent to TOM (confidentiality, audits, incidents, retention, deletion).
    3. An inventory of sub-processors and monitoring is maintained.
  15. Data transfers and supplementary measures
    1. For transfers outside the EEA, mechanisms (e.g., SCC) and supplementary measures resulting from TIA (encryption, key control, access restrictions, data minimization) are used.
    2. Information about the mechanisms is available to the Controller.
  16. Privacy by design and privacy by default
    1. Privacy by design/default principles are applied: data minimization, limiting default visibility, pseudonymization/anonymization where possible.
    2. Where the risk is high, DPIA is taken into account.
  17. Handling the rights of data subjects
    1. The system supports the exercise of rights: access, rectification, erasure, restriction, portability, objection.
    2. Data search by attributes and export in structured formats are provided.
  18. Change control and separation of environments
    1. Separation of dev/test/prod environments.
    2. No use of production data in tests (unless anonymized/masked).
    3. CI/CD with artifact integrity control and image signing.
  19. Configuration and hardening of systems
    1. Baseline hardening for OS, databases, containers, and networks.
    2. Versioned and approved configurations.
    3. Removal of default accounts/ports/services that are not used.
    4. Compliance verification (compliance as code).
  20. Key, secret, and certificate management
    1. Secrets in dedicated repositories (access control, rotation, usage logging).
    2. Centrally managed certificates (automatic renewals, expiration monitoring).
    3. Access to cryptographic operations restricted to authorized roles.
  21. Anti-malware mechanisms and integrity
    1. EDR/anti-malware, integrity monitoring, and exploit protection commensurate with risk.
    2. Container images from trusted registries, scanned for vulnerabilities.
  22. Access to health data – logging and masking
    1. Access to health data is additionally monitored and tagged.
    2. The UI may use field masking when full visibility is not required.
  23. Security testing and external audits
    1. Regular penetration testing of critical components performed by external entities.
    2. Schedule of audits/certifications of infrastructure providers.
    3. Requests categorized and closed according to remediation policy.
  24. Metrics and continuous improvement
    1. Security metrics: e.g., detection/response time, configuration compliance, remediation rate.
    2. Security reviews at least annually or after significant changes.
    3. Results influence the improvement plan.
  25. Documentation and compliance
    1. Up-to-date technical and procedural documentation is maintained.
    2. Upon request by the Administrator, information/reports confirming the application of TOMs are made available – to the extent that does not violate trade secrets or sensitive security information.
    3. The Appendix applies in conjunction with the Terms and Conditions; in case of discrepancies, the requirements of the GDPR and the entrustment agreement take precedence.