Data Processing Agreement

This Data Processing Agreement (“DPA”) is entered into between:

1. Controller: the veterinary clinic, veterinary professional or other legal entity that has subscribed to the Platform and acts as a controller of personal data (“Controller” or “Customer”); and

2. Processor:
Patrik Linek
Jakubovská ulica 130/22, 90062 Kostolište, Slovakia
IČO: 46530126
Phone: +421 0904073676
Email: [email protected]
(“Processor”, “we”, “us” or “our”),

each a “Party” and together the “Parties”.

This DPA forms part of and is subject to the main agreement or Terms of Service between the Parties governing the use of the Critter SaaS platform for veterinarians (the “Agreement”).

1. Subject matter and duration

1.1. Subject matter. This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the online software-as-a-service platform for veterinarians and veterinary clinics (the “Platform” or “Services”).

1.2. Duration. This DPA shall apply for as long as the Processor processes personal data on behalf of the Controller under the Agreement and shall remain in force until all such personal data have been deleted or returned to the Controller in accordance with Section 14.

2. Definitions

Unless otherwise defined in this DPA, terms shall have the meaning given to them in the Agreement or, where applicable, in Regulation (EU) 2016/679 (the “GDPR”).

“Personal Data”, “Data Subject”, “Processing”, “Controller”, “Processor”, “Supervisory Authority”, “Personal Data Breach” and other capitalised terms shall have the meanings set out in the GDPR.

3. Roles of the Parties

3.1. Controller. The Controller determines the purposes and means of the processing of personal data stored or otherwise processed in the Platform.

3.2. Processor. The Processor processes personal data on behalf of the Controller and only in accordance with the Controller’s documented instructions, this DPA and applicable data protection laws.

4. Nature, purpose, type of personal data and categories of data subjects

4.1. Nature and purpose of processing. The Processor processes personal data for the purpose of providing, maintaining and supporting the Platform and related Services to the Controller, including storage, hosting, backup, display, analysis and other operations reasonably necessary to deliver the functionality of the Platform.

4.2. Types of personal data. The personal data processed may include, in particular:

  • data of animal owners (clients): name, contact details (address, email, phone), communication history, appointment history, billing and payment information, notes related to visits;
  • data about animals (patients): name, species, breed, age, identification numbers, medical history, diagnoses, treatments, prescriptions, vaccination records and other health-related data;
  • data about users of the Platform (staff of the Controller): name, contact details, login details, role and access rights, activity logs within the Platform;
  • other personal data that the Controller chooses to upload or process via the Platform.

4.3. Categories of data subjects. Data subjects may include:

  • animal owners / clients of the Controller;
  • employees, contractors or other staff of the Controller;
  • other persons whose personal data are entered into the Platform by or on behalf of the Controller.

5. Controller’s instructions

5.1. The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by EU or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement unless the law prohibits such information.

5.2. The Agreement and this DPA constitute the Controller’s complete and final instructions to the Processor. Any additional or alternative instructions must be agreed in writing.

5.3. If the Processor considers that an instruction infringes the GDPR or other applicable data protection law, the Processor shall promptly inform the Controller.

6. Confidentiality

6.1. The Processor shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6.2. The Processor shall ensure that such persons only process personal data in accordance with the Controller’s instructions.

7. Security of processing

7.1. The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR, taking into account the state of the art, implementation costs, and the nature, scope, context and purposes of processing.

7.2. Such measures may include, as appropriate:

  • use of secure connections (HTTPS/TLS) for data in transit;
  • logical access controls and authentication mechanisms;
  • role-based access permissions and the principle of least privilege;
  • regular security patching and system updates;
  • encrypted backups and secure storage;
  • logging and monitoring of relevant system events;
  • procedures for testing, assessing and evaluating the effectiveness of security measures.

7.3. The Controller is responsible for using the Platform in a secure manner, including management of its users and access rights, use of strong passwords and appropriate internal policies.

8. Use of sub-processors

8.1. The Controller hereby gives general authorisation for the Processor to engage sub-processors for the performance of the Services (for example, hosting providers, email delivery services, analytics tools).

8.2. The Processor shall:

  • ensure that each sub-processor is bound by a written contract imposing data protection obligations which are no less protective than those set out in this DPA; and
  • remain fully liable to the Controller for the performance of the sub-processor’s obligations.

8.3. The Processor shall, upon request, provide the Controller with a list of current sub-processors involved in the processing of personal data. The Processor will notify the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object on reasonable grounds. If the Controller reasonably objects and no alternative solution can be found, the Controller may terminate the portion of the Services affected by such change.

9. International transfers

9.1. The Processor is established in Slovakia and primarily processes personal data within the European Economic Area (EEA).

9.2. If the Processor or its sub-processors transfer personal data outside the EEA, the Processor shall ensure that such transfer complies with Chapter V GDPR, for example by:

  • relying on an adequacy decision of the European Commission; or
  • entering into Standard Contractual Clauses or using other appropriate safeguards.

10. Assistance to the Controller

10.1. Taking into account the nature of the processing and the information available, the Processor shall assist the Controller in ensuring compliance with its obligations under Articles 32–36 GDPR, including:

  • security of processing;
  • notification of personal data breaches to supervisory authorities and data subjects;
  • data protection impact assessments (DPIAs);
  • prior consultations with supervisory authorities, where required.

10.2. To the extent legally permitted, the Processor may charge the Controller for reasonable costs incurred in providing such assistance, especially where requests are excessive or complex.

11. Personal data breach

11.1. The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting personal data processed on behalf of the Controller.

11.2. Such notification shall include, where possible:

  • a description of the nature of the breach;
  • categories and approximate number of data subjects and records concerned;
  • the likely consequences of the breach;
  • measures taken or proposed to address the breach and mitigate possible adverse effects.

11.3. The Controller is responsible for assessing whether to notify the supervisory authority and/or affected data subjects in accordance with Articles 33 and 34 GDPR.

12. Data subject requests

12.1. If the Processor receives a request from a data subject relating to personal data processed on behalf of the Controller (for example, access, rectification or erasure), the Processor shall:

  • promptly inform the Controller; and
  • not respond to the request except on documented instructions from the Controller, unless required by law.

12.2. Taking into account the nature of the processing, the Processor shall assist the Controller in fulfilling its obligations to respond to such requests, where reasonably possible.

13. Audits

13.1. The Controller has the right, at its own cost, to verify the Processor’s compliance with this DPA, including by reviewing documentation or, if necessary, by on-site audits.

13.2. Any audit shall:

  • be carried out upon reasonable prior written notice;
  • occur during normal business hours;
  • not unreasonably interfere with the Processor’s business operations;
  • be limited to information strictly necessary to verify compliance.

13.3. The Processor may provide third-party audit reports or certifications (if available) as an alternative to on-site audits.

14. Return and deletion of personal data

14.1. Upon termination or expiry of the Agreement, or upon written request of the Controller, the Processor shall, at the choice of the Controller:

  • return to the Controller all personal data processed on its behalf; or
  • delete such personal data,

unless applicable law requires storage of the personal data.

14.2. The Processor may retain copies of personal data in backup systems for a limited period, provided such data remain subject to appropriate protections and are deleted in accordance with the Processor’s retention schedules.

15. Liability

15.1. The Parties’ respective liability under or in connection with this DPA shall be governed by the liability provisions in the Agreement.

15.2. Nothing in this DPA shall limit either Party’s liability where such limitation is not permitted under applicable law, including the GDPR.

16. Governing law and jurisdiction

16.1. This DPA shall be governed by the laws of the Slovak Republic, without regard to conflict of law rules.

16.2. Any disputes arising out of or in connection with this DPA shall be subject to the jurisdiction agreed in the Agreement (typically the courts of the Slovak Republic).

End of Data Processing Agreement