Data Processing Agreement
Last updated: February 14, 2026
Section 1. Subject Matter and Duration
This Data Processing Agreement (hereinafter: the "Agreement" or "DPA") is entered into between the User of the foxsnest.com service (hereinafter: the "Controller") and CALMFOX Sp. z o.o., a company incorporated under the laws of Poland, operator of the foxsnest.com service (hereinafter: the "Processor"), pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: the "GDPR"). This Agreement governs the terms under which the Controller entrusts the Processor with the processing of personal data of visitors to the Controller's websites in connection with the provision of cookie consent management and WCAG accessibility audit services.
This Agreement shall remain in force for the entire duration of the Controller's use of the foxsnest.com service. Upon termination of the service, the Processor shall delete or return all personal data within 30 days, unless European Union or Member State law requires continued storage of such personal data.
Section 2. Nature and Purpose of Processing
The Processor shall process personal data solely for the purpose of providing services to the Controller through the foxsnest.com platform. Processing operations include, in particular:
- Collection and recording of cookie consent choices made by visitors to the Controller's websites
- Storage and archival of consent records as evidence demonstrating the obtaining of valid consent in accordance with the requirements of the GDPR
- Aggregation and creation of anonymized statistics regarding consent preferences
- Deletion of data upon the Controller's request or upon termination of the service
Section 3. Types of Personal Data Processed
Under this Agreement, the Processor processes the following categories of personal data relating to visitors to the Controller's websites:
- Session Identifier (Visitor ID) – A pseudonymized identifier generated client-side (in the visitor's browser), 64 characters in length. It does not enable direct identification of a natural person without the use of additional information.
- IP Address – Collection is optional, depending on the configuration selected by the Controller. Maximum length: 45 characters (IPv6 compatible). When collected, the IP address is used solely for the purposes of geographic location determination and abuse detection.
- User Agent (browser identifier) – A string identifying the visitor's browser and operating system, truncated to a maximum of 500 characters. Used for diagnostic purposes and to ensure widget compatibility.
- Cookie Consent Choices – A record of the visitor's choices with respect to individual cookie categories: necessary, analytics, marketing, and preferences. The data includes the date and time of consent given or refused.
- Page URL – The page path on which consent was given, without query string parameters. Maximum length: 2,048 characters.
- Technical Data – Browser language, screen resolution, and the visitor's timezone. Data used solely for the purposes of ensuring proper widget functionality and generating anonymized statistics.
Section 4. Categories of Data Subjects
The personal data processed under this Agreement relates to visitors of websites operated by the Controller (User) on which CookieFox widget scripts are installed. These are natural persons visiting the Controller's websites, regardless of whether they grant or refuse consent for cookies.
Section 5. Obligations of the Controller (User)
The Controller, as the entity determining the purposes and means of personal data processing, shall be obligated to:
- Ensure an appropriate legal basis for processing the personal data of visitors (in particular, consent pursuant to Article 6(1)(a) of the GDPR or legitimate interest pursuant to Article 6(1)(f) of the GDPR)
- Inform visitors to its websites, through its own privacy policy, about the processing of personal data and about the engagement of CALMFOX Sp. z o.o. as a Processor
- Issue documented processing instructions to the Processor, including with respect to the scope of data collected (e.g., enabling or disabling IP address collection)
Section 6. Obligations of the Processor (CALMFOX Sp. z o.o.)
The Processor undertakes to:
- Process personal data only on the basis of documented instructions from the Controller, including with regard to transfers of personal data to third countries, unless required to do so by European Union or Member State law
- Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Assist the Controller in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (Articles 15 to 22), in particular the right of access, rectification, erasure, and data portability
- Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, in particular with regard to data protection impact assessments (DPIA) and prior consultation with the supervisory authority
- Delete or return all personal data upon termination of the service, at the Controller's choice, and delete existing copies unless European Union or Member State law requires continued storage of the data
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR
- Allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller
The Processor implements the following technical and organizational measures to ensure the security of personal data processing (Article 32 of the GDPR):
- Encryption of data in transit using TLS protocol version 1.2 or higher
- Password hashing using the Argon2id algorithm with appropriate computational cost parameters
- Client data separation through isolation at the site UUID level
- Regular automated data backups
- Role-based access control (RBAC) following the principle of least privilege
- Logging and auditing of personal data access
- Data storage on servers located within the territory of the European Union
Section 7. Sub-processors
The Controller grants the Processor general written authorization to engage further processors (sub-processors). The Processor undertakes to inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 14 days in advance, thereby enabling the Controller to object to such changes.
| Name | Purpose of Processing | Location | Safeguard |
|---|---|---|---|
| Stripe Inc. | Payment processing | USA | SCCs (Standard Contractual Clauses) |
| Vercom S.A. (EmailLabs) | Transactional email | Poland / EU | — |
| OpenAI Inc. | AI-powered WCAG accessibility analysis | USA | SCCs (Standard Contractual Clauses) |
| Anthropic PBC | Visual AI WCAG analysis | USA | SCCs (Standard Contractual Clauses) |
| PostHog Inc. | Dashboard analytics | USA | SCCs (Standard Contractual Clauses) |
| Google LLC | | | |
The Controller may object to a change of sub-processor within 14 days of receiving notification. In the event of a justified objection that the Processor is unable to accommodate, the Controller shall have the right to terminate the service agreement to the extent affected by the change.
Section 8. Transfers Outside the European Economic Area
Transfers of personal data to sub-processors located in the United States are carried out on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021. The Processor ensures that each sub-processor outside the EEA is bound by appropriate safeguards pursuant to Chapter V of the GDPR.
Visitor consent records and data relating to visitors of the Controller's websites are NOT transferred outside the territory of the European Union. The servers on which this data is stored are located within the EU.
Section 9. Data Breach Notification
The Processor undertakes to notify the Controller of a personal data breach without undue delay and no later than 48 hours after becoming aware of the breach.
The breach notification shall contain, at a minimum, the following information:
- The nature of the personal data breach
- The categories and approximate number of data subjects affected by the breach
- The categories and approximate number of personal data records concerned
- The likely consequences of the personal data breach
- The measures taken or proposed to address the breach, including measures to mitigate its adverse effects
Section 10. Right to Audit
The Controller shall have the right to conduct or commission an independent auditor to conduct an audit of the Processor's compliance with this Agreement, upon providing the Processor with at least 30 days' prior notice. Audits shall be carried out during business hours and in a manner that does not disrupt the Processor's normal business operations.
The Processor shall make available to the Controller, upon request, the results of internal security audits and certificates demonstrating compliance with applicable information security standards.
Section 11. Data Retention
The Processor applies the following personal data retention periods:
- Consent records — 24 months from the date of consent. This period arises from the GDPR requirement to demonstrate the obtaining of valid consent (accountability principle, Article 5(2) of the GDPR).
- Page tracking data — 12 months from the date of recording
- WCAG accessibility audit data — 12 months from the date of the audit
- Upon deletion of the Controller's account — automatic permanent deletion of all personal data within 30 days
Section 12. Final Provisions
This Data Processing Agreement constitutes an integral part of the Terms of Service of the foxsnest.com platform.
In the event of any conflict between the provisions of this Agreement and the Terms of Service, the provisions of this Agreement shall prevail with respect to matters relating to the processing of personal data.
This Agreement shall be governed by the laws of Poland and Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR). This Agreement shall enter into force on February 14, 2026.