Effective Date: 10-April – 2026
Updated on: 10- April – 2026

Data Processing Agreement

  1. This Data Processing Agreement (“DPA”) regarding Processing of Personal Data forms part of Mainlink Service Agreement (https://mainlink.net/contract-mainlink-service-agreement/) (“MSA”). The provisions of this DPA shall apply to the extent Mainlink, in providing the Services, specifically the functionalities and operation of the Platform, Processes Personal Data on behalf of the Client. With respect to the Processing of such Personal Data, the Client acts as the Data Controller, as it determines the purposes and means of such Processing.


Definitions.
Data Controller means the entity that determines the purposes and means of the Processing of Personal Data. For purposes of this DPA, the Client is the Data Controller.
Data Processor means the entity which Processes Personal Data on behalf of the Data Controller. For purposes of this DPA, Mainlink is the Data Processor.
Data Protection Laws means all applicable mandatory laws and regulations relating to the processing of Personal Data, as may be in force from time to time in the relevant jurisdiction, e.g. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”).
Data Subject means a natural person to whom Personal Data relates.
Personal Data means any information about, or related to, an identifiable individual. It includes any information that can be linked to an individual or used to directly or indirectly identify an individual, natural person. In this DPA, “Personal Data” shall mean Personal Data controlled by the Data Controller.
Personal Data Breach means any breach of Personal Data security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data transmitted, stored or otherwise processed.
Platform means a cloud-based Mainlink system, including its software, interfaces, databases, data processing tools, smart technologies, aimed at data collection and structuring, analysis, integration, monitoring, visualization and identifying of alerts, preparation of reports.
Process or Processing means, with respect to Personal Data, any operation or set of operations performed upon Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Product means hardware devices or other tangible goods supplied by Mainlink under the Sale-Purchase Agreement, which may operate independently of the Platform. For the avoidance of doubt, Product does not constitute Personal Data Processing under this DPA unless explicitly integrated with the Platform.
Sale-Purchase Agreement means general terms governing the sale of the Products.
Services mean all services provided or made available to the Data Controller under MSA, including access to and operation of the Platform, as further described in the applicable Service Order.
Service Order means a document executed under MSA specifying the scope of Services and, where applicable, Products.
Sub-processor means any third party data processor engaged by Data Processor who receives Personal Data from Data Processor for Processing on behalf of Data Controller and in accordance with Data Controller’s instructions (as communicated by Data Processor) and the terms of its written subcontract.

    All capitalized terms not defined herein shall have the meanings given in the General Terms of Use.

    1. Responsibilities.
      2.1. Data Processor’s responsibilities:
      2.1.1. to Process the Personal Data for the purposes and in the scope determined in Annex 1 to this DPA or Data Controller instructions provided by virtue of using the settings and other functionalities of the Platform only as necessary to perform the Data Processor’s obligations under the MSA , in compliance with all applicable Data Protection Laws. Data Processor shall not accumulate nor make copies of the Data Controller’s Personal Data, unless it is necessary for the purposes discussed in this DPA and/ or in the MSA or unless such data is anonymized or aggregated as per clause 8.3 of this DPA.
      2.1.2. to promptly notify the Data Controller if the Data Processor reasonably believes that the Data Controller’s instructions are inconsistent with Data Protection Laws and in such event, the Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation;
      2.1.3. to implement and maintain appropriate technical and organizational measures to protect Personal Data against a Personal Data Breach, provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected;
      2.1.4. to notify Data Controller without undue delay, but no later than within 24 (twenty-four) hours, after becoming aware of Personal Data Breach affecting Data Controller’s Personal Data and indicate (if allowed) the nature of the Personal Data Breach, the categories and approximate number of the Personal Data records affected by the Personal Data Breach, a name, surname and contact details of the person who is able to provide additional information. Also, Data Processor shall cooperate with Data Controller by taking such commercially reasonable steps as are directed by Data Controller to assist in the investigation, mitigation and remediation of any such Personal Data Breach under the applicable Data Protection Laws;
      2.1.5. to assist Data Controller as reasonably needed to respond to requests from supervisory authorities, Data Subjects or others by providing information related to Data Processor’s Processing of Personal Data. In the event Data Processor receives such requests directly, it shall inform the Data Controller in a timely manner;
      2.1.6. if required by Data Protection Laws, court order, subpoena, or other legal or judicial process to Process Personal Data other than in accordance with the Data Controller’s instructions, to notify the Data Controller of any such requirement before Processing the Personal Data (if possible);
      2.1.7. to not lease, sell, distribute, or otherwise encumber Personal Data unless mutually agreed to by separate written agreement;
      2.1.8. to provide such information and any other assistance within its powers as the Data Controller reasonably requests (taking into account the nature of Processing and the information reasonably available to the Data Processor) in relation to compliance by the Data Controller with its obligations under Data Protection Laws;
      2.1.9. to take reasonable steps to ensure that access to the Personal Data by its employees and any Sub-processor is strictly limited to those individuals who need to know / access the relevant Personal Data, ensuring that all such individuals are subject to contractual confidentiality obligations.

    2.2. Data Controller’s responsibilities:
    The Data Controller shall ensure that its activities performed by using the Platform and/or the Services are in compliance with the Data Protection Laws applicable to the Data Controller. Without limiting the generality of the foregoing, the Data Controller shall:
    2.2.1. use the Services, including Platform settings and other functionalities for determination of Personal Data Processing purposes and means, in compliance with the Data Protection Laws;
    2.2.2. ensure all instructions given to the Data Processor directly or by usage of the settings and other functionalities of the Platform in respect of the Processing of Personal Data are at all times in accordance with the Data Protection Laws;
    2.2.3. ensure all Personal Data provided to Data Processor has been collected in accordance with the Data Protection Laws and that Data Controller has all the rights and legitimate grounds to provide such Personal Data to Data Processor. For the avoidance of doubt, the Data Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Data Controller acquired Personal Data;
    2.2.4. keep the amount of Personal Data provided to Data Processor while using Services to the minimum necessary in relation to the Services and in line with the Data Protection Laws;
    2.2.5. ensure that Personal Data retention terms that the Data Controller determines by means of settings and other functionalities of the Platform are in compliance with the Data Protection Laws applicable to Data Controller.

    1. Rights of Data Subjects.
      3.1. The Data Processor shall, to the extent legally permitted, promptly notify the Data Controller if it receives a request from Data Subject for access to, rectification, portability, objection, restriction or erasure of such Data Subject’s Personal Data. Unless required by Data Protection Laws, the Data Processor shall not respond to any such Data Subject request without Data Controller’s prior written consent except to confirm that the request has been received. The Data Processor shall provide such information and cooperation and take such action within its powers as the Data Controller reasonably requests in relation to Data Subject request.
    2. Sub-processing of Personal Data.
      4.1. The Data Controller hereby grants its general authorization for Data Processor to engage Sub-processors to assist Data Processor in providing the Services and Processing Personal Data. The list of Sub-processors engaged by the Data Processor is attached for information purposes to this DPA as Annex 2. The Data Processor shall take reasonable steps to ensure that the Sub-processors agree to act only on the Data Processor’s instructions when Processing the Personal Data (which instructions shall be consistent with Data Controller’s Processing instructions to Data Processor), and agree to protect the Personal Data to a standard consistent with the requirements of this DPA. The Data Processor is entitled to unilaterally update the list of Sub-processors by including Sub-processors to be appointed at least thirty (30) days prior to the date on which the Sub-processor shall commence Processing Personal Data, and shall inform of such updated list of Sub-processors the Data Controller.
      4.2. The Data Processor shall remain liable to the Data Controller for the subcontracted Processing services of any of its Sub-processors.
    3. Transfer of Personal Data.
      5.1. The Data Processor may not transfer or authorize the transfer of Personal Data to countries outside the European Union (“EU”) and/or the European Economic Area (“EEA”) without the prior written consent of the Data Controller. If Personal Data Processed under this DPA is transferred from a country within the EEA to a country outside the EEA, the parties shall ensure that the Personal Data is adequately protected. To achieve this, the parties shall, unless agreed otherwise, rely on EU adequacy decision or EU approved standard contractual clauses for the transfer of Personal Data.
    4. Security.
      6.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security providing confidentiality, integrity and availability of the Personal Data appropriate to that risk.
      6.2. The Data Processor shall have the right to modify technical and organizational measures during the term of this DPA, as long as they continue to comply with the Data Protection Laws, supervisory authorities’ guidelines, recommendations or approved standards/ certificates.
    5. Audit.
      7.1. The Data Controller shall be entitled to audit (including inspections) the Data Processor with regard to compliance with the provisions of this DPA, in particular the implementation of the technical and organisational measures.
      7.2. In order to carry out inspections in accordance with section above, the Data Controller is entitled to request that the Data Processor provides all records and information in relation to the Processing of Personal Data after timely advance notification in accordance with clause 7.4, at the expense of the Data Controller, without disruption of the course of business and under strict secrecy of the Data Processor’s business and trade secrets.
      7.3. The Data Processor is entitled, at its own discretion and taking into account the Data Controller’s legal obligations, not to disclose information which is sensitive with regard to the Data Processor’s business or if the Data Processor would be in breach of statutory or other contractual provisions as a result of its disclosure. The Data Controller is not entitled to get access to data or information about the Data Processor’s other clients, cost information, quality control and contract management reports, or any other confidential information of the Data Processor.
      7.4. The Data Controller shall inform the Data Processor in good time (usually at least two weeks in advance) of all circumstances in relation to the performance of the audit. The Data Controller may carry out not more than one audit per calendar year.
    6. Retention and destruction of Personal Data.
      8.1. The Data Controller determines the retention terms by means of settings and other functionalities of the Platform. The Data Processor shall not retain the Personal Data longer than determined so by the Data Controller, except for retention of Personal Data in order to ensure compliance of the Data Processor’s Processing activities with legal and regulatory obligations (e.g. audit, accounting and statutory retention terms), handling disputes, and for the establishment, exercise or defence of legal claims in the countries where Data Processor does business.
      8.2. The Data Processor and Sub-processors, if any, shall, at the choice of the Data Controller delete or return all Personal Data (including copies thereof) Processed pursuant to this DPA, upon termination of Data Controller’s access to and use of the Platform in accordance with the procedures and timeframes set out in this DPA. This requirement shall not apply to the extent Data Processor is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems. In that case, Data Processor warrants that it will guarantee the confidentiality of the Personal Data and will not process the Personal Data anymore unless it is required to do so by applicable laws or to ensure functioning of the Platform.
      8.3. The Data Processor reserves the right to anonymize or aggregate the Personal Data in such a way that it is no longer possible to identify individual Data Subjects, and to use them in this form for the purpose of needs-based designing, machine-learning, developing and optimizing as well as rendering of the Services agreed as per the MSA. It is agreed that anonymized and according to the above requirement aggregated Personal Data is not considered Personal Data for the purposes of this DPA.
    7. Term and termination.
      9.1. The term and termination of this DPA shall be governed by the term and termination provisions of the MSA. Termination of the MSA automatically results in termination of this DPA.
    8. Liability.
      10.1. The Data Processor’s liability under this DPA shall be governed by the disclaimers and limitations of liability provided for in MSA.
      10.2. The Data Controller shall defend any action or proceeding against, as well as indemnify and hold the Data Processor, its affiliates, officers, directors, employees, agents, legal representatives, licensors, subsidiaries, joint ventures and suppliers harmless against any third party claims, liabilities, costs, expenses, damages and losses (including any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal and other professional costs and expenses), including reasonable attorneys’ fees in relation to Data Controller’s Personal Data, arising due to breach of this DPA or Data Protection Laws by the Data Controller.
      10.3. The Data Controller undertakes to indemnify the Data Processor upon first request against any damages, including all possible fines imposed on the Data Processor or legal fees or other expenses suffered by the Data Processor, if such damage has been suffered due to the Data Controller’s breach of this DPA or Data Protection Laws.
    9. Final provisions.
      11.1. In case individual provisions of this DPA are ineffective or become ineffective or contain a gap, the remaining provisions shall remain unaffected. The parties undertake to replace the ineffective provision by a legally permissible provision which comes closest to the purpose of the ineffective provision and that thereby satisfies the requirements of Data Protection Laws.
      11.2. Any disputes arising out of this DPA shall be settled in accordance with MSA.

    Annex 1 to the DPA

    INSTRUCTIONS FOR THE PROCESSING OF PERSONAL DATA

    1. General Notes
      The Data Processor hereby undertakes to process Personal Data according to the processing instructions documented by the Data Controller and set out in this Annex and the DPA. In case the Data Processor has not received the instructions for Processing required for the fulfilment of its obligations under the DPA and further Processing, the Data Processor shall promptly notify the Data Controller of the same and may cease the Processing until the instructions are provided.
    2. The Purpose of Personal Data Processing:
      2.1. Collection of Personal Data from devices
      2.2. Analysis (preparation of report and/or comparison) of Personal Data
      2.3. Alerts management
      2.4. Administration of Data Controller Account
      2.5. Provision of technical support
    3. Categories of data subjects:
      3.1. Primary Users
      3.2. Users
      3.3. Data Controller customers
    4. Types of Personal Data: Primary User’s name, surname, email, phone number, role and language; Users name, surname, email, phone number, language; Data Controller customer’s device ID, address (location), consumption metrics, time stamps, error codes;
    5. Nature of Processing of the Personal Data: collection, recording, adaptation, alteration, storage, erasure.
    6. Place of Processing of the Personal Data: Data Processor servers located in European Union.
    7. Processing/storage period of the Personal Data: the Data Controller determines the retention terms by means of settings and other functionalities of the Platform.
      All Personal Data shall be kept for one month after termination of the Services (except log files and data backup as described below) and shall be erased or anonymized on the first business day of a succeeding month:

    • LOG FILES.
    The Data Processor maintains a log file of all actions that are initiated or facilitated using the Services to capture, record and store data concerning the transaction. Such files will be deleted or anonymized once it is no longer necessary to fulfill the purposes for which it was collected and processed, but not longer than one year after termination of the Services.

    • DATA BACKUP.
    The Data Processor copies or archives the data used within the Services for the purpose of being able to restore them in case of original data is lost or corrupted. The Data Backup is kept for 3 months from the date of collection and will then be automatically deleted.

    Access to Log Files and Data Backup is restricted to those who administer the Platform (authorized personnel and subcontractors), except that the Data Processor may use and disclose this information to third parties in response to legal process or law enforcement inquiries, abuse of the Platform, or violation of any General Terms of Use or contractual provision the Data Controller may have with the Data Processor.

    Annex 2 to the DPA

    List of approved Sub-Processors
    Pursuant to the DPA, the Data Controller approves the following Sub- Processors used by the Data Processor:

    1. Amazon Web Services