Last updated: 2025-12-04
This Data Processing Addendum (“DPA”) forms an integral part of the Terms of Service (“Agreement”) concluded between:
GBD Software as a Service Ltd. (registered office: 6065 Lakitelek, Szikra tanya 93., tax number: 27325162-2-03, company registration number: 03-10-042025, representative: Tamás Hám-Szabó, CEO), hereinafter referred to as the “Provider” or “Processor”;
and
The entity or individual agreeing to the Terms of Service, hereinafter referred to as the “Customer” or “Controller”
(hereinafter collectively referred to as the “Parties”).
This DPA sets forth the terms and conditions relating to the privacy, confidentiality, and security of any Personal Data associated with the Services provided by the Processor to the Controller. By accepting the Terms of Service—whether by clicking a box indicating acceptance, executing an order form that references the Terms of Service, or using the Services—the Customer agrees to be bound by this DPA. This DPA shall be effective as of the date the Customer accepts the Terms of Service (the “Effective Date”).
1.1. The Data Processing Agreement (collectively referred to as: “Agreement”) forms part of the Terms of Service (collectively referred to as: “Terms of Service”) by and between the Parties and is subject to the Terms of Service. In the event of any discrepancies between the Terms of Service and this Agreement, the provisions of this Agreement in relation to personal data protection shall prevail.
1.2. The service provided by Processor to the Controller may require Processor to process Personal Data (as defined below), in accordance with the expectations and instructions of the Data Controller, whereby the purpose and conditions of data processing are determined by the Data Controller.
1.3. The Parties agree that they wish to ensure through this Agreement the data processing operations affecting personal data arising during the performance of the tasks and obligations contained in the Terms of Service, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: GDPR) and Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: Info Act), the appropriate protection of personal data, information and documents that come to the knowledge of the Data Processor during the performance of the contract, and record the rules of data processing activities performed by the Data Processor based on the Data Controller's mandate.
2.1. The Parties record that in order to avoid unnecessary duplication of the specific normative text, they do not record basic concepts separately. The concepts and designations used in this Agreement correspond to those defined in the GDPR and the Info Act, as well as in the legislation listed in point 3.1 of this Agreement, and to the terminology used in the Terms of Service.
3.1. The Parties establish that during the use of services provided by the Data Processor within the framework of fulfilling the services explicitly defined in the Terms of Service, the Data Controller determines the scope, legal basis and purpose of personal data processed by the Data Processor.
3.2. If the Data Processor deviates from the purpose established by the Data Controller regarding data processing determined by the Data Controller, then with respect to the exact data processing operation, Data Processor becomes an independent data controller and is responsible for all obligations arising therefrom.
3.3. The Parties further record that it is the obligation of the Data Controller - even through the Data Processor - to inform the data subjects specified in point 3.1 of this Agreement about data processing in accordance with Article 13 of the GDPR.
4.1. In accordance with Article 28(3) of the GDPR, by accepting the terms set forth in the Terms of Service and using the services specified therein, the Data Controller instructs the Data Processor to perform the data processing activities required for the fulfillment of the tasks and obligations contained in the Terms of Service, an instruction which the Data Processor accepts.
4.2. The Parties record that the data processing performed under this Agreement qualifies as data transfer under Article 44 of the GDPR, therefore both the Data Controller and the Data Processor shall proceed in accordance with Article 46(3)(a) of the GDPR, as well as in accordance with the Commission's implementing decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Annex II. SCC).
4.3. The purpose of data processing performed by the Data Controller does not change with the data processing operations under this data processing agreement. The Data Processor processes personal data during data processing in the manner specified in the GDPR and exclusively based on the instructions of the Data Controller. The Data Controller is independently entitled to determine the purposes and means of data processing, and may involve the Data Processor in preparatory activities considering the nature of data processing and the information that comes to its knowledge during data processing.
4.4. The Data Processor shall perform data processing tasks not included in this Agreement but related to the Terms of Service, where the Data Controller acts as a controller, only upon the separate written authorization of the Data Controller.
4.5. The Data Controller declares and warrants that it qualifies as the controller of personal data that comes into its possession during the fulfillment of this Agreement, and that it fully complies with the data protection obligations contained in the GDPR and the Info Act.
5.1. The Data Processor declares that it has the appropriate expertise and resources for data processing activities arising from the fulfillment of the services defined in the Terms of Service. It observes the rules regarding data processing specified in legislation and this data processing agreement, implements the necessary measures for their fulfillment, guarantees the security of data processing, and its operation complies with applicable legislation.
5.2. The Data Controller is entitled to monitor the Data Processor for the purpose of ensuring that the Data Processor proceeds in accordance with legislation, in harmony with this data processing agreement and based on the Data Controller's instructions during data processing arising from their contractual relationship governed by the Terms of Service and this data processing agreement.
5.3. The Data Controller is entitled to instruct the Data Processor regarding data processing activities arising from their contractual relationship related to MillionVerifier. The Data Controller is responsible for the lawfulness of such instructions; however, the Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction infringes the GDPR or other data protection provisions.
5.4. The Data Controller is obligated to plan data processing operations in such a way that during data processing it ensures the protection of data subjects' privacy and enforces the relevant principles formulated in Article 5 of the GDPR for the protection of personal data.
5.5. The Data Processor may not make substantive decisions regarding data processing arising from the fulfillment of the services defined in the Terms of Service. Personal data that comes to its knowledge may only be processed according to the Data Controller's instructions, with appropriate legal basis, for specific purposes, to the extent necessary for achieving the purpose, in an up-to-date manner, ensuring appropriate data security in accordance with the provisions of this data processing agreement. It may not perform additional data processing operations for its own purposes on data processed under this data processing agreement. It shall store and preserve personal data in accordance with the Data Controller's instructions during the term of this Agreement. It may not transfer personal data to third parties (including the transfer of personal data to another third country or international organization) except when the Data Controller gives specific instructions to do so. Data processors engaged by the Data Processor are contained in Annex III.
5.6. The Data Processor is obligated to ensure data security within the scope of data processing operations covered by this data processing agreement, including the physical security of the device(s) storing the data, and is further obligated to implement technical and organizational measures and establish procedural rules necessary for enforcing data protection and confidentiality regulations.
5.7. The Data Processor undertakes to implement the data security measures set forth in Article 32 of the GDPR. Furthermore, during data processing, it guarantees the implementation of appropriate technical and organizational measures, including in particular:
5.8. The Data Controller and Data Processor are obligated to protect data with appropriate measures, particularly but not exclusively against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction and damage, and inaccessibility resulting from changes in the technology used.
5.9. During the processing of personal data, the Data Processor ensures prevention of unauthorized data entry and prevention of unauthorized use of automated data processing systems by unauthorized persons using data transmission equipment.
5.10. The Data Processor ensures regular maintenance and updating of the devices and software it uses to achieve greater data security.
5.11. The Data Processor undertakes to prepare a report on every data protection incident occurring during data processing operations covered by this data processing agreement and send it to the Data Controller's contact person and, if applicable, to the data protection officer operating at the Data Controller's organization, within 36 hours at the latest from becoming aware of the incident. The notification shall cover the following: the scope of personal data affected, the scope and number of those affected by the data protection incident, the time and circumstances of the data protection incident, and measures taken for remediation. The Data Controller shall notify the supervisory authority defined in the Information Act in accordance with Article 33 of the GDPR.
5.12. The Data Processor ensures that its employees - if any and if it does not perform its tasks alone - as well as all those who may have access to personal data in connection with the performance of this data processing agreement, comply with the requirements of the GDPR and the Information Act. The Data Processor further ensures that only those who absolutely need to know and use the data for fulfilling the provisions of this Agreement have access to such data. The Data Processor warrants that all its employees and collaborators, regardless of their employment relationship - all those whose job-related or other obligation requires them to access or otherwise have access to data, information, or documents during the fulfillment of the Data Processor's obligations set forth in this data processing agreement or the Terms of Service - make appropriate confidentiality declarations before beginning activities related to this data processing agreement and appropriately ensure data protection, implementing the protective and security measures necessary for data protection.
5.13. Upon the Data Controller's request, the Data Processor is obligated to prove that the confidentiality obligation set forth in Section 5.13 of this Agreement extends to persons under the Data Processor's control or under the control of additional data processors engaged by it, by presenting such declarations.
5.14. For the enforcement of data subjects' rights, the Data Processor shall cooperate with the Data Controller in fulfilling the exercise of data subject rights as set forth in Chapter III of the GDPR as follows:
5.15. Following data processing operations performed based on the Data Controller's instructions, the Data Processor shall ensure the deletion of personal data that have become unnecessary.
5.16. Regarding data processing operations performed based on the Data Controller's instructions, the Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the Data Controller's legally prescribed obligations.
5.17. The Data Processor assists the Data Controller in fulfilling obligations under Articles 32-34 of the GDPR, taking into account the nature of processing and the information available to the Data Processor.
6.1. The Parties declare that regarding data processing operations covered by this data processing agreement, they fulfill their service obligations in the generally expected manner and take all measures immediately in the interest of fulfilling data processing, maintaining data processing security requirements, and respecting data subjects' rights. They make the necessary information and data available to each other for the above purposes and facilitate the lawful implementation of data processing covered by this data processing agreement with all available means.
6.2. All declarations and notifications required under this data processing agreement shall be made by the Parties as specified in the Terms of Service. Written declarations related to this data processing agreement shall be considered properly communicated even if the addressee refused to accept delivery or did not collect the shipment. In such cases, the time of delivery is the date of refusal to accept. Electronic declarations become effective when they become accessible to the other party.
6.3. The Parties are obligated to immediately notify each other in writing of any circumstances that delay or hinder the effectiveness of data processing covered by this data processing agreement or the performance of this data processing agreement. The contracting party that fails to provide notice is responsible for the consequences of such failure.
On behalf of the Data Processor:
Name: Gergely Hajnal, dr.
Email: [email protected]
6.5. The Data Processor is obligated to inform the Data Controller's data protection officer about its activities upon request or when necessary.
6.6. The Data Controller's representative is entitled to audit data processing performed by the Data Processor under this Agreement at a pre-arranged time, and the Data Processor is obligated to provide explanations and answers to questions that arise.
6.7. The Parties record that they shall immediately inform each other of any changes in the person(s) designated as contact persons or in their data. Changes in contact persons' data shall not constitute a modification of the Agreement.
7.1. This Data Processing Agreement shall remain in effect for as long as the Data Controller maintains an active Account or utilizes the Services defined in the Terms of Service.
7.2. Consequently, the Parties exclude the right to terminate this Data Processing Agreement separately from the Terms of Service. However, if the legal relationship established by the Terms of Service is terminated for any reason, this Data Processing Agreement shall automatically terminate, save for the confidentiality provisions which shall survive such termination.
7.3. When the Data Processor ceases data processing performed in the Data Controller's interest, the Data Processor is obligated to return all personal data of the Data Controller to the Data Controller in accordance with the Data Controller's written instructions and delete existing copies or destroy all personal data related to this Agreement.
8.1. The Parties agree that regarding the transfer or disclosure of confidential information in the context of the conclusion and performance of this Agreement, the confidentiality provisions of the Terms of Service and the provisions contained in the confidentiality declaration made by the Data Processor shall be governing.
9.1. Declarations under this Agreement can only be made effectively in writing. Amendment of this data processing agreement requires a document signed by the Parties in corporate form. Any modification of this data processing agreement is valid only in writing.
9.2. If any provision of this data processing agreement is invalid or becomes invalid in the future, it shall not affect the validity of the data processing agreement or the Terms of Service or their other provisions.
9.3. For matters not regulated in this Agreement, the Parties consider the relevant provisions of the Terms of Service, the GDPR, and other applicable laws relating to personal data processing to be governing.
9.4. In the event of any dispute, claim, question, or disagreement arising from or relating to this Agreement, whether arising in contract, tort or otherwise, the parties shall first use their best efforts to resolve the Dispute. If a Dispute arises, the complaining party shall provide written notice to the other party in a document, specifically setting forth the precise nature of the dispute. If a notice is being sent to Provider it must be emailed to [email protected] and sent via mail to: GBD Software as a Service Private limited company at: Hungary, seated: Hungary 6065 Lakitelek, Szikra tanya 93.
9.5. In the event that a dispute between the parties cannot be settled, the parties agree to submit the dispute to binding arbitration in accordance with Hungarian law and the Hungarian Courts; the language to be used in the arbitral proceedings shall be English.
9.6. This Agreement is concluded electronically and the Parties agree that this Data Processing Agreement is valid and legally binding without a handwritten signature. The Data Controller’s acceptance of the Terms of Service constitutes the execution of this Agreement. The Agreement becomes effective on the date the Data Controller accepts the Terms of Service and shall remain in force as defined in the 'Term and Termination' section above. The Parties acknowledge that valid acceptance of the Terms of Service constitutes binding acceptance of this Data Processing Agreement.
Annex I
Categories of Data Subjects:
Individuals who directly interact with the "MillionVerifier" website or services.
Individuals whose email addresses are uploaded by the Customer to be verified.
Annex II.
| Category | Examples / subitems | Retention period | Legal basis (GDPR) | Primary purpose |
| --- | --- | --- | --- | --- |
| Account Data | name, email, hashed password, phone number | While account is active; on termination: retain for 12 months unless user requests immediate deletion | Contract performance (Art.6(1)(b)); legitimate interest (Art.6(1)(f)) for security/account recovery | Provide and maintain user account, authentication, customer support |
| Email Marketing Data | 3rd-party API keys, OAuth tokens, connection metadata | Only while integration/authorization active; on disconnect/delete: delete tokens immediately; backups retained max 30 days | Contract performance (Art.6(1)(b)); consent (Art.6(1)(a)) if used for marketing actions | To enable integration and manage mailing lists/reports |
| Correspondence Data | SF Card, email exchanges, chat logs | Default: 24 months; retain up to 5 years only where needed for legal claims or regulatory reasons | Legitimate interest (Art.6(1)(f)); contract (Art.6(1)(b)) for transactional disputes; legal obligation (Art.6(1)(c)) when applicable | Customer support, dispute resolution, record-keeping |
| Notification Data | push subscription tokens, push preferences | While subscribed; after unsubscribe: delete tokens immediately; backups max 5 days | Consent (Art.6(1)(a)) or legitimate interest depending on implementation | Send push notifications and manage opt-outs |
| Payment Data | billing address, VAT ID, invoice metadata (no card numbers) | Retain for 5 years (or local tax/accounting statute of limitations) | Legal obligation (Art.6(1)(c)); contract (Art.6(1)(b)) | Identifying customers and for legal claims |
| Transaction Data | purchase timestamps, invoice numbers, service usage charges | 5 years (aligned with accounting/tax obligations) | Legal obligation (Art.6(1)(c)); contract (Art.6(1)(b)) | Billing, refunds, audits |
| Usage Data / Analytics | IP, device, pages visited, session logs | Default analytics: 12 months; fraud/security logs: 24 months; retain it for 5 years if needed for legal claims; anonymized aggregates: indefinite while useful | Legitimate interest (Art.6(1)(f)) for analytics and fraud prevention; where profiling leads to automated decisions consider additional safeguards | Service improvement, fraud detection, analytics |
| Uploaded Contact Lists (Controller data) | email lists, CSV uploads (contacts) | Retain per Controller instruction if there are any; if Controller account terminated: delete on instruction; otherwise default: 30 days after termination then purge | Processing pursuant to Controller's instructions (Art.28/GDPR) — Processor follows Controller's legal basis | Provide service (email verification) to Controller |
| Additional Uploaded Fields | any other personal fields uploaded by Controller | Same as 'Uploaded Contact Lists' — per Controller instruction; default 30 days after termination | As above (Processor acts on Controller instructions) | Match Controller's processing purpose |
| Anonymized / Hashed Stats | SHA-512 hashed outputs, aggregated stats | Retain while useful and only if truly irreversible; default 24 months | Legitimate interest (Art.6(1)(f)) for product improvement; if truly anonymized no GDPR personal-data basis required | Product analytics, aggregated reporting |
| Backups | system backups, DB snapshots (may contain personal data) | Keep backup copies for recovery only; retain max 5 days after deletion event | Legitimate interest (Art.6(1)(f)) for service continuity; legal obligation where applicable | Disaster recovery, business continuity |
| Security / Audit Logs | access logs, admin actions, change logs | Retain 12–24 months (minimum for forensic investigations); longer only if required by law or legal claims | Legitimate interest (Art.6(1)(f)); legal obligation if sector rules require | Security monitoring, incident investigation |
| Personal Data Breach Records | incident reports, remediation logs | Retain 3–7 years (to meet regulatory record-keeping and auditability) | Legal obligation (Art.6(1)(c)) and supervisory authority guidance | Regulatory reporting, internal review |
| DPO / Complaints / Data Subject Requests | complaints, DSAR correspondence, DPO communications | Retain for 3–6 years after closure (to evidence handling and for statute of limitations) | Legitimate interest (Art.6(1)(f)); legal obligation for some records | Prove compliance and respond to follow-ups/appeals |
| Legal claims / Litigation data | evidence, correspondence related to disputes | Keep for duration of claim + statute of limitations (often 6 years) after final resolution | Legitimate interest (Art.6(1)(f)); legal obligation (Art.6(1)(c)) where applicable | Defend/bring claims, regulatory inquiries |
| Sub-processor / Contract Records | sub-processor agreements, access logs containing PII | Retain while sub-processor engaged + 6 years after contract termination | Legal obligation (documentation) and legitimate interest | Prove contractual compliance, audits |
| Marketing consent & preference records | consent timestamps, revocation logs | Retain consent records while consent valid + 2–5 years after withdrawal to demonstrate compliance | Consent (Art.6(1)(a)) and ability to demonstrate compliance (Art.7) | Prove lawful consent and history of preferences |
| Children / Minors data | any data indicating <18 years old | Do not collect; if collected unintentionally: delete immediately and notify Controller / legal authority as required | If lawful basis applies exceptionally, require parental consent (Art.8) | Protect minors' privacy |
| Special categories (sensitive) | health, racial, biometric, political opinions | Prohibited for processing by default; if accidentally processed delete immediately unless explicit legal basis exists (Art.9) | Art.9 conditions (explicit consent or legal exceptions) | Avoid processing; only process if lawful and documented |
Annex III.
Ask for the complete data processors list: [email protected]