Updated: 2026-06-19
This data processing agreement (the DPA) forms an integral part of the Terms of Use and is concluded pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 (GDPR). It sets out how MB „Didysis Uvis" (the Processor) processes personal data on behalf of the Client (the Controller) when the Client enters third parties' personal data into the UVIS system (the System).
With respect to personal data that the Client enters into the System about its clients, partners or employees, the Client is the data controller and the Processor is the data processor. The Processor processes such data only on the Controller's documented instructions, which consist of the Terms of Use, this DPA and the use of the System's functionality.
The Processor applies measures consistent with GDPR Article 32, including: isolation of each client's data in a separate database schema (multi-tenant isolation), encryption of sensitive keys, storage of passwords only as cryptographic hashes, HTTPS connection, access control and backups.
The Controller grants a general authorisation to engage sub-processors. The following are currently engaged:
The Processor ensures that sub-processors are subject to no less protective data protection obligations. The Processor will give prior notice of any intended change or addition of sub-processors, giving the Controller the opportunity to reasonably object.
Taking into account the nature of the processing, the Processor assists the Controller by appropriate technical and organisational measures in fulfilling its obligation to respond to requests by data subjects exercising their rights (access, rectification, erasure, restriction, portability, objection). Most of these actions can be performed by the Controller itself through the System's functions and data export.
On becoming aware of a personal data breach, the Processor notifies the Controller without undue delay and provides the available information so that the Controller can meet its notification obligations under GDPR Articles 33–34.
Upon termination, the Controller may, for a reasonable transition period, download (export) its data. After this period, the Processor will, at the Controller's choice, delete or return the personal data and destroy existing copies, except where retention is required by law.
The Processor makes available to the Controller the information necessary to demonstrate compliance with GDPR Article 28 obligations and allows for reasonable inspections (audits), carried out at a time and scope agreed in advance, without disclosing other clients' data or trade secrets.
Where personal data is transferred outside the EEA (e.g. via Anthropic or, in certain cases, Stripe / Google), the transfer is based on appropriate safeguards – the European Commission's Standard Contractual Clauses (SCC) or adequacy decisions.
The liability limitations of the Terms of Use apply to the parties' liability. This DPA is governed by the law of the Republic of Lithuania and the GDPR. In the event of a conflict between this DPA and the Terms of Use regarding the processing of personal data, this DPA prevails.
Email: info@uvis.pro
Website: www.uvis.pro