Data Processing Agreement
DPA — pursuant to Art. 28 of Regulation (EU) 2016/679 (GDPR)
Controller
Client — the natural or legal person who has entered into a contract for the use of the GemiSys™ system with Xbiz s.r.o. (hereinafter "Controller")
Processor
Xbiz s.r.o., Rosina 541, 013 22 Rosina, Slovak Republic, ID: 51654814 (hereinafter "Processor")
1. Subject and Purpose of Processing
The Processor provides the Controller with the GemiSys™ software system for managing a bakery or pastry shop. In the course of providing this service, the Processor technically processes personal data entered by the Controller — solely for the purpose of providing and operating the agreed service.
Legal basis: Art. 28 GDPR — processing on behalf of the controller.
2. Categories of Data Processed
- Names and contact details of the bakery's customers
- Purchase and order history
- Operational records (production, inventory, recipes)
- Employee login data (name, email)
The Processor does not process special categories of sensitive data.
"All data entered by the Controller into the GemiSys™ system is and remains the exclusive property of the Controller. The Processor does not use it for any purpose other than operating the system for this specific client."
3. Processor's Technical Access
The Processor has technical access to the Controller's database exclusively under the following conditions:
- At the Controller's request — when resolving a reported technical issue
- During a system outage — to restore functionality and data integrity
- Regular backups — automated, without reviewing content
- Security monitoring — availability and performance only, not content
The Processor undertakes not to access the Controller's database without a justified technical reason and will not review, analyse or use business data for its own purposes.
4. Data Isolation
Every GemiSys™ client has their own isolated database, physically and logically separated from all other clients. The Processor does not merge, aggregate or link data from different clients. No other GemiSys™ client has or can have access to the Controller's data — technically or contractually.
5. Sub-processors
- Google LLC (Vertex AI) — AI assistant Linda. Contractually guaranteed: client data is never used to train AI models.
- Cloudflare, Inc. — network layer protection. Data content is not processed.
Physical servers are operated exclusively by the Processor in Rosina, Slovak Republic. Data does not leave the territory of the European Union.
6. Controller's Rights
- Request an export of their data at any time
- Request deletion of data upon contract termination
- Conduct or commission an audit of personal data processing
- Receive information about every access by the Processor to their database
7. Processor's Obligations
- Process data only on documented instructions from the Controller
- Maintain confidentiality regarding processed data
- Notify the Controller immediately of any security incident
- Delete or return all personal data within 30 days of contract termination
8. Governing Law
This agreement is governed by the laws of the Slovak Republic and applicable EU regulations (GDPR). Contact: [email protected]