Data processing agreement
| Role | Details |
|---|---|
| Controller | Customer of Objectis, UAB using the services of CookieScript. |
| Processor | Objectis, UAB, company registration number 304037472, Laisvės st. 60, LT-05120 Vilnius, Lithuania. Support: support@cookie-script.com. Privacy / DPO contact: dpo@cookie-script.com. |
| Service | CookieScript consent management and related website compliance services made available by the Processor. |
1. PARTIES AND PURPOSE
This Data Processing Agreement (the Agreement) forms part of and supplements the applicable Terms of Service, order form, subscription or other agreement governing the Controller's use of the Service. It applies only where, and to the extent that, Objectis, UAB processes personal data on behalf of the Controller as a processor within the meaning of the GDPR or UK GDPR.
This Agreement does not apply to processing for which the Processor acts as an independent controller, including its own billing, tax, accounting, fraud prevention, security, legal compliance and claims-handling activities. It also does not apply where payment providers, including PayPal or Stripe, act as independent controllers for certain payment-related processing operations.
By signing this Agreement, the parties confirm that the Processor may process personal data solely for the purpose of providing, operating, maintaining and supporting the Service in accordance with the Controller's documented instructions, this Agreement and the Main Agreement.
2. DEFINITIONS
For the purposes of this Agreement, the following terms have the meanings set out below:
- a) “Controller” means the customer that determines the purposes and means of the processing of personal data and that enters into this Agreement with the Processor.
- b) “Processor” means Objectis, UAB, acting through the CookieScript service.
- c) “Data Protection Laws” means Regulation (EU) 2016/679 (GDPR), the UK GDPR, the UK Data Protection Act 2018 and other data protection laws applicable to the processing covered by this Agreement.
- d) “Controller Personal Data” means personal data processed by the Processor on behalf of the Controller in connection with the Service.
- e) “Sub-processor” means any third party engaged by the Processor to process Controller Personal Data on behalf of the Controller.
- f) “Main Agreement” means the applicable Terms of Service, order, subscription or other service agreement governing the Controller's use of the Service.
3. SUBJECT MATTER, NATURE, PURPOSE AND DURATION OF PROCESSING
The subject matter of this Agreement is the processing of Controller Personal Data in connection with the provision of the Service. The processing covered by this Agreement continues for as long as the Processor provides the Service to the Controller and thereafter for any period during which the Processor continues to process Controller Personal Data on behalf of the Controller.
The processing covered by this Agreement is described below:
| Processing activity | Data subjects | Categories of personal data | Purpose / duration |
|---|---|---|---|
| Cookie Banner and service configuration | Controller users / administrators | Website domain name, banner content, pop-up settings, consent configuration and other information entered by the Controller into the Service. | To provide and operate the configured CookieScript item. Certain configuration data is retained for up to 30 days after account closure, unless longer retention is required by law or for dispute resolution. |
| End-user consent logging where enabled by the Controller | Website visitors / end users | The Service may record consent-log elements such as a random key, the end user's consent choice, truncated or anonymized IP information, date and time, the page where consent was given or revoked, and browser-agent information. | To remember, document and demonstrate the end user's choice where the Controller enables this functionality. Such processing depends on the Controller's configuration and continues until deleted by the Controller or the Service relationship ends, subject to backup retention and lawful retention obligations. |
4. DOCUMENTED INSTRUCTIONS AND CONTROLLER RESPONSIBILITIES
The Processor processes Controller Personal Data only on the Controller's documented instructions, including as set out in this Agreement, the Main Agreement and the Controller's configuration and use of the Service.
The Controller is responsible for:
- a) determining whether the Service is appropriate for the Controller's intended use;
- b) ensuring that the processing has an appropriate legal basis and that any required notices and consents are provided or obtained;
- c) correctly configuring the Service, including cookie categories, banner settings, consent storage and related deployment choices;
- d) ensuring that the Controller is entitled to provide the relevant personal data to the Processor and to instruct the Processor to process it under this Agreement;
- e) responding to data subject requests and making decisions concerning deletion, restriction, disclosure and other rights-related measures, except to the extent that the Processor is required to assist under Section 9.
If the Processor believes that an instruction infringes Data Protection Laws, it shall inform the Controller without undue delay and may suspend the affected processing until the instruction is clarified, amended or withdrawn.
5. CONFIDENTIALITY
The Processor ensures that persons authorized to process Controller Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory. Access to Controller Personal Data is limited to personnel who need such access for the provision, security, maintenance or support of the Service.
6. SECURITY OF PROCESSING
Taking into account the state of the art, implementation costs, and the nature, scope, context and purposes of the processing, the Processor implements and maintains appropriate technical and organizational measures designed to protect Controller Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access.
These measures include, as appropriate to the Service and the risk profile, the following:
- a) measures to ensure confidentiality, integrity, availability and resilience of relevant systems and services;
- b) logical access controls, role-based or equivalent restrictions, and processes for granting, reviewing and revoking access rights;
- c) protection of data in transit through industry-standard encryption protocols where applicable;
- d) protection of stored data by encryption, hashing, pseudonymization or comparable safeguards where appropriate to the risk;
- e) logging, monitoring, vulnerability management, security updates and patching processes;
- f) backup, recovery, incident response, internal escalation and business continuity measures appropriate to the service architecture;
- g) vendor onboarding and contractual controls for Sub-processors;
- h) periodic review and improvement of technical and organizational measures.
The Processor may update its technical and organizational measures from time to time, provided that such updates do not materially reduce the overall level of protection for Controller Personal Data.
7. SUB-PROCESSORS
The Controller grants the Processor a general authorization to engage Sub-processors for the performance of the Service.
The Processor shall maintain its current Third-Party Service Providers list on a separate page or comparable online notice made available to the Controller (https://cookie-script.com/legal/third-party-service-provider-list). The Third-Party Service Providers list is incorporated into this Agreement by reference.
The Processor shall impose on each Sub-processor written data protection obligations that are no less protective, in substance, than those imposed on the Processor under this Agreement, insofar as applicable to the services provided by the relevant Sub-processor.
If the Processor intends to add or replace a Sub-processor in a way that materially affects the processing of Controller Personal Data, it shall provide prior notice through the Third-Party Service Providers list page referred to above or another reasonable written means. The Controller may object on reasonable data protection grounds within 15 days of the notice. The parties shall discuss the objection in good faith. If the objection cannot be resolved, the Controller may terminate the affected Service for the future without penalty.
Where payment providers, including PayPal or Stripe, act as independent controllers for certain processing operations, they do not act as Sub-processors under this Agreement for those operations.
8. INTERNATIONAL TRANSFERS
If the Processor or a Sub-processor transfers Controller Personal Data outside the European Economic Area or the United Kingdom, the Processor shall ensure that the transfer is subject to a lawful transfer mechanism and appropriate safeguards under applicable Data Protection Laws.
Such safeguards may include an adequacy decision, the European Commission's standard contractual clauses, the UK Addendum to the EU standard contractual clauses, the UK International Data Transfer Agreement, or another lawful transfer mechanism recognized under applicable law.
9. ASSISTANCE, DATA SUBJECT REQUESTS AND DPIAs
Taking into account the nature of the processing and the information available to it, the Processor shall provide reasonable assistance to the Controller in fulfilling the Controller's obligations under Articles 32 to 36 GDPR and the corresponding provisions of the UK GDPR, including with respect to security, personal data breach notifications, data protection impact assessments and prior consultation where required.
If the Processor receives a request from a data subject relating to Controller Personal Data, the Processor shall, to the extent legally permitted, promptly forward the request to the Controller and shall not respond to the request except on the Controller's documented instructions or as required by law.
10. PERSONAL DATA BREACHES
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller Personal Data.
The notification shall include, to the extent available at the time, information reasonably required by the Controller to meet its reporting or notification obligations under Data Protection Laws, and the Processor shall provide further relevant information as it becomes available.
11. INFORMATION AND AUDITS
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this Agreement.
To the extent required by Article 28(3)(h) GDPR or the corresponding UK GDPR provision, the Controller may audit the Processor's compliance with this Agreement, subject to reasonable confidentiality, security and business continuity requirements.
Unless required by a competent supervisory authority or prompted by a confirmed personal data breach or credible evidence of material non-compliance, audits shall be limited to once in any 12-month period, conducted during normal business hours, on at least 30 days' prior notice, and carried out in a manner that minimizes disruption to the Processor's operations. The Processor may satisfy audit obligations by providing current third-party certifications, audit reports, security summaries, questionnaire responses or other comparable documentation where appropriate.
12. RETURN, DELETION AND RETENTION
Upon termination or expiry of the Main Agreement, and at the Controller's choice, the Processor shall delete or return Controller Personal Data, unless applicable law requires retention.
The Processor may retain residual copies for a limited period in routine backups and disaster recovery media, provided that such copies remain protected under this Agreement and are deleted or overwritten in accordance with the Processor's normal retention cycle.
Nothing in this Agreement restricts the Processor from retaining data that it must keep as an independent controller for invoicing, tax, legal, security or evidentiary purposes, provided that such processing is carried out separately and in accordance with applicable law.
13. LIABILITY
Each party's liability arising out of or in connection with this Agreement shall be subject to the exclusions and limitations of liability set out in the Main Agreement, except to the extent such exclusions or limitations are prohibited by applicable law.
Nothing in this Agreement excludes or limits either party's liability to data subjects under Article 82 GDPR or the corresponding provisions of the UK GDPR.
14. MISCELLANEOUS
In the event of conflict between this Agreement and the Main Agreement with respect to data protection matters, this Agreement prevails to the extent of that conflict.
This Agreement may be executed electronically and in counterparts. If any provision is held invalid or unenforceable, the remainder shall remain in full force and effect. The governing law and jurisdiction applicable to the Main Agreement shall also apply to this Agreement, unless mandatory data protection law requires otherwise.