Data Processing Agreement
Data Processing Agreement (DPA) — ei-apps Platform
Document Version | 1.0 |
Effective Date | 22.05.2026. |
Data Controller | O.D. “Ei-APPS” vl. Ibrahimović Emir (hereinafter: Controller) |
Data Processor | O.D. “Ei-APPS” vl. Ibrahimović Emir — owner of the ei-apps platform (hereinafter: Processor) |
Processor Address | Stupska 19 AII, Ilidža, FBiH, Bosnia and Herzegovina |
Processor JIB/Tax ID | 4304382050006 |
Email | info@ei-apps.com |
Web | https://ei-apps.com |
Preamble
This Data Processing Agreement (hereinafter: DPA or Addendum) forms an integral part of the Terms of Service of the ei-apps platform (hereinafter: Main Agreement) and governs the processing of personal data entered by the Controller into the applications of the ei-apps Platform, which are processed by the Processor on behalf of the Controller.
This Addendum is aligned and complies with:
- The Law on Personal Data Protection of Bosnia and Herzegovina (Official Gazette of BiH No. 49/06, 76/11, 89/11)
- The EU General Data Protection Regulation (GDPR — Regulation EU 2016/679), specifically Article 28
- The EU Commission's Standard Contractual Clauses (SCC) where applicable
In the event of any conflict between the provisions of this Addendum and the Main Agreement, the provisions of this Addendum shall prevail in all matters relating to the processing of personal data.
1. Definitions
For the purposes of this Addendum, the following definitions shall apply:
- Personal Data — any information relating to an identified or identifiable natural person (data subject).
- Processing — any operation or set of operations performed on personal data (collection, storage, use, disclosure, deletion, etc.).
- Controller — the user of the ei-apps platform who determines the purposes and means of the processing of personal data of third parties entered into the applications.
- Processor — O.D. “Ei-APPS” vl. Ibrahimović Emir, which processes personal data on behalf of the Controller through the infrastructure of the ei-apps platform.
- Subprocessor — a third party engaged by the Processor to process personal data with the prior consent of the Controller.
- Data Breach — a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
- Platform — ei-apps and all its web applications, services, and infrastructure.
- GDPR — the EU General Data Protection Regulation No. 2016/679.
2. Subject Matter, Nature, and Purpose of Processing
2.1 Subject Matter of Processing
The Processor processes personal data entered by the Controller into the Platform applications solely for the purpose of providing the services set out in the Main Agreement — technical delivery of application functionalities, storage, backups, and display of data to the Controller and authorized users.
2.2 Categories of Data
The Processor may process the following categories of personal data entered by the Controller:
- Identification data: first and last name of third parties (clients, customers, patients, etc.)
- Contact data: phone number, email address
- Business data: appointment, type of service, notes about the service, visit history
- Other data entered voluntarily by the Controller into the application fields
The Processor does not request the Controller to enter special categories of personal data (health data, biometric data, etc.). If the Controller enters such data, they do so solely at their own risk and under the obligation to possess an appropriate legal basis.
2.3 Categories of Data Subjects
The data may concern the following categories of natural persons:
- Clients, customers, patients, or other business contacts of the Controller
- Employees or associates of the Controller (to the extent that the Controller enters their data)
2.4 Duration of Processing
The Processor processes personal data for the Controller's needs as long as the Controller's account is active on the Platform. Upon termination of the Agreement or deletion of the account, the Processor deletes all data within 30 days, unless longer retention is required due to legal obligations.
3. Obligations of the Processor
3.1 Processing Solely on Instructions
The Processor processes personal data solely in accordance with the documented instructions of the Controller, unless processing is necessary to comply with a legal obligation to which the Processor is subject — in which case the Processor shall inform the Controller before processing, unless that law prohibits such information.
3.2 Confidentiality
The Processor ensures that all authorized persons who have access to personal data are bound by an obligation of confidentiality or a statutory obligation of secrecy. Access to data is limited strictly to personnel who need it to perform their work (need-to-know principle).
3.3 Technical and Organisational Measures
The Processor implements the following technical and organizational protection measures (in accordance with Art. 32 GDPR):
- Authentication and access control via Firebase Authentication
- Firestore Security Rules — data isolation per user/account
- Access control at the collection level in MongoDB Atlas
- Encryption of data in transit (HTTPS/TLS 1.2+)
- Encryption of data at rest at the infrastructure level (Google Cloud and MongoDB Atlas)
- Regular security reviews and monitoring of access anomalies
- Incident and data breach response plan
3.4 Subprocessors
The Controller hereby grants a general written authorization for the engagement of the following subprocessors:
Subprocessor | Purpose | Data Location |
Google Firebase / Firestore | Data storage, authentication | EU (europe-west1, Belgium) |
MongoDB Atlas (MongoDB, Inc.) | Data storage | EU region |
Paddle.com (Paddle Europe S.R.L.) | Payment processing (does not receive third-party personal data from the app) | EU / Global |
The Processor shall inform the Controller of any intended changes (addition or replacement of subprocessors) within a reasonable time in advance, giving the Controller the opportunity to object. The Processor ensures that each subprocessor provides the same data protection guarantees as provided in this Addendum.
3.5 Assistance to the Controller
The Processor provides technical and organizational assistance to the Controller in fulfilling the following data subject rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure / to be forgotten (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
The Processor endeavors to fulfill the Controller's requests regarding the above within 30 days of receiving the request.
3.6 Security of Processing & Breach Assistance
Taking into account the nature of the processing and the information available to the Processor, the Processor assists the Controller in ensuring compliance with the obligations under Art. 32–36 GDPR, including:
- Security of processing operations
- Notifying the supervisory authority of a data breach
- Informing the data subject of a breach
- Data protection impact assessment (DPIA) where necessary
3.7 Deletion or Return of Data
Upon termination of the provision of services, the Processor shall, at the choice of the Controller:
- Delete all personal data and confirm deletion to the Controller, OR
- Return the data to the Controller in a machine-readable format (JSON or CSV) — upon written request within 30 days of termination of the agreement
The Processor has the right to retain data longer solely if it is necessary to fulfill a legal obligation applicable to the Processor.
3.8 Audit Rights
The Processor makes available to the Controller all information necessary to demonstrate compliance with the obligations under this Addendum and the GDPR. The Controller or an authorized auditor may conduct an inspection or audit upon at least 30 days' prior written notice, within a reasonable scope and respecting the confidentiality of third-party information.
4. Obligations of the Controller
The Controller undertakes to:
- Process third-party personal data in accordance with applicable data protection laws.
- Possess an appropriate legal basis for each entry and processing of third-party personal data via the Platform.
- Inform data subjects about the processing in accordance with Art. 13 and 14 GDPR (transparency).
- Enter only data that is necessary for lawful business purposes (data minimization principle).
- Not enter special categories of personal data (health, biometric, genetic data, data on criminal liability, etc.) without a separate written agreement with the Processor.
- Timely inform the Processor of changes that could affect the processing.
5. Data Breach — Notification Procedure
In the event of becoming aware of a security breach of personal data processed by the Processor on behalf of the Controller, the Processor shall:
- Notify the Controller without undue delay, and in any case within 72 hours of becoming aware of the breach.
- Provide the Controller with at least the following information:
  - Description of the nature of the breach, including the categories and approximate number of data subjects and records affected.
  - Contact details of the data protection officer or other contact point.
  - Likely consequences of the breach.
  - Measures taken or proposed to address the breach and mitigate its possible adverse effects.
The Controller is responsible for the decision to notify the supervisory authority (Personal Data Protection Agency of BiH — azlp.ba) and/or the affected data subjects, within the statutory timeframes.
6. International Data Transfers
All personal data processed under this Addendum is stored and processed within the European Economic Area (EEA), on Google Cloud servers (europe-west1, Belgium) and MongoDB Atlas (EU region).
In the event that a subprocessor must transfer data outside the EEA, such transfer shall be carried out solely with the application of appropriate safeguards in accordance with Chapter V of the GDPR:
- Standard Contractual Clauses of the EU Commission (SCC)
- Certification under the EU-US Data Privacy Framework (where applicable)
- Other transfer mechanisms provided for in Article 46 GDPR
7. Duration and Termination of the Addendum
This Addendum remains in force for as long as the Controller uses the services of the ei-apps Platform. The Addendum terminates automatically upon termination of the Main Agreement (Terms of Service), provided that obligations under Section 3.7 (deletion/return of data) and Section 5 (breach notification) shall survive termination.
8. Liability
The Processor shall be liable to the Controller for damages caused by a breach of this DPA or the GDPR that is directly attributable to the Processor, to the extent that the Processor cannot avail itself of the exemption in Art. 82(3) GDPR. The Processor's total liability is limited to the amount provided for in the Main Agreement.
The Controller remains liable to third parties for the lawfulness of data processing as controller, including ensuring an appropriate legal basis for processing.
9. Amendments to the Addendum
The Processor may amend this DPA to reflect new legal requirements or changes to infrastructure, with at least 30 days' prior notice to the Controller. A Controller who does not accept the amendments has the right to terminate the Agreement in accordance with the Terms of Service.
10. Governing Law
This Addendum is governed by the laws of Bosnia and Herzegovina / Federation of Bosnia and Herzegovina. In the event of a dispute, the Općinski sud in Sarajevo shall have jurisdiction. EU consumers may use the ODR platform: ec.europa.eu/consumers/odr
11. Signatories
This Addendum becomes binding upon the Controller's acceptance of the Terms of Service of the ei-apps platform, whereby the Controller is deemed to have carefully read and accepted all provisions of this Addendum. For a written or signed copy, please contact: info@ei-apps.com
DATA CONTROLLER
Full name: _________________________
Title: _____________________________
Signature: _________________________
Date: ______________________________

DATA PROCESSOR
Full name: _________________________
Title: _____________________________
Signature: _________________________
Date: ______________________________
© 2026 ei-apps. All rights reserved. | Version 1.0 | https://ei-apps.com/dpa