Data Processing Agreement

Standard data processing terms for customer-controlled form and response data.

Mezantic Data Processing Agreement

Version: 1.0
Effective date: 2026-05-15
Processor: SONATE sp. z o.o., ul. Gospodarcza 26, 20-213 Lublin, KRS 0001162191, NIP 9462751627, REGON 541212186
Contact: hello@mezantic.com

This Data Processing Agreement (the "DPA") is entered into pursuant to Article 28 of Regulation (EU) 2016/679 (the "GDPR").

1. Parties And Scope

1.1. This DPA applies when a Mezantic customer uses the service to process personal data for which the customer is controller (the "Controller") and Mezantic acts as processor (the "Processor").

1.2. The Controller is the data controller within the meaning of Article 4(7) GDPR. Mezantic is the processor within the meaning of Article 4(8) GDPR for personal data processed in connection with Mezantic's form-builder service and related content-sharing, publishing, and management functions provided under the Terms of Service. Data categories and data subjects are specified in § 2.

1.3. Mezantic remains an independent controller for account, billing, security, abuse-prevention, support, legal acceptance, consent, product operation, and platform-safety data as described in the Privacy Policy. Mezantic may also use anonymised data derived from customer-controlled personal data — in a form that does not allow identification of the natural person concerned, consistent with Recital 26 GDPR — for the purposes of Service improvement and product analytics, including analysis of aggregated cross-customer usage patterns, on the basis of Article 6(1)(f) GDPR. The cross-customer analytics described above operate on aggregated usage metadata only and do not derive from the content of Responses. This DPA does not cover those operations.

1.4. This DPA supplements the Terms of Service. If there is a conflict about processor obligations, this DPA controls for the processing covered by it.

1.5. Mapping to Article 28(3) GDPR. This DPA is intended to satisfy the requirements of Article 28(3) GDPR. The mandatory elements of Article 28(3) are addressed as follows:

(a) Article 28(3)(a) — processing only on documented instructions of the controller, including transfers: § 3 (Customer Instructions) and § 6 (International Transfers);

(b) Article 28(3)(b) — confidentiality of authorised persons: § 4.1;

(c) Article 28(3)(c) — security of processing under Article 32: § 4.2;

(d) Article 28(3)(d) — engagement of sub-processors under Article 28(2) and (4): § 5;

(e) Article 28(3)(e) — assistance with data-subject rights under Chapter III GDPR: § 7;

(f) Article 28(3)(f) — assistance with Articles 32–36 GDPR (security, breach, DPIA, prior consultation): § 7 and § 8;

(g) Article 28(3)(g) — deletion or return of personal data at the end of provision: § 9;

(h) Article 28(3)(h) — making available information and allowing for and contributing to audits: § 10.

1.6. This DPA is entered into in electronic form within the meaning of Article 28(9) GDPR by acceptance through the account creation flow or another durable electronic form agreed by the parties.

2. Processing Details

2.1. Subject matter: provision of Mezantic's form builder, public form hosting, response collection, response export, AI-assisted drafting, storage, support, and related service operations.

2.2. Duration: for the term of the customer's use of Mezantic and any post-termination period needed for deletion, export, backup expiry, legal retention, or support reconciliation.

2.3. Nature and purpose: hosting, storing, transmitting, displaying, validating, exporting, deleting, securing, and supporting customer forms, respondent submissions, uploads, and related metadata.

2.4. Data subjects: customer users, respondents, customer contacts, and any other people whose personal data the customer chooses to process through forms.

2.5. Data categories: form content, respondent answers, contact details, uploaded files, prompts, generated drafts, form metadata, response metadata, optional technical metadata, and support data supplied by the customer.

3. Customer Instructions (Article 28(3)(a) GDPR)

3.1. Mezantic processes customer-controlled personal data only on the documented instructions of the Controller — including with regard to transfers of personal data to a third country or international organisation — unless required to do so by Union or Member State law to which Mezantic is subject; in such a case, Mezantic informs the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

3.2. The Controller's documented instructions under Article 28(3)(a) GDPR include: (i) the Terms of Service; (ii) this DPA; (iii) product configuration set by the Controller; (iv) support requests; (v) other lawful written instructions transmitted to Mezantic.

3.3. Mezantic immediately informs the Controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. Mezantic may refuse instructions that appear unlawful, unsafe, technically infeasible, outside the service scope, or inconsistent with the Terms.

3.4. The Controller represents that, when issuing instructions, designing forms, drafting privacy notices, obtaining consents, and further processing exported data, it ensures a lawful basis for processing and compliance with the GDPR.

4. Confidentiality And Security

4.1. Confidentiality (Article 28(3)(b) GDPR). Mezantic ensures that persons authorised to process customer-controlled personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Personal data are made available only to persons for whom processing is necessary to perform tasks in providing the service.

4.2. Security of processing (Article 28(3)(c) and Article 32 GDPR). Mezantic implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risk to the rights and freedoms of natural persons. Such measures include in particular: (i) access controls and authentication; (ii) encryption of data in transit and at rest; (iii) tenant data segregation; (iv) secure configuration of production environments; (v) logging and review; (vi) backup and disaster-recovery processes; (vii) vulnerability and incident management; (viii) safeguards provided by sub-processors.

4.3. The Controller remains responsible for controlling access to its own account (including credential hygiene and who it invites as users), for providing appropriate privacy notices to respondents, for designing forms so that they collect only the data it is entitled to process, and for the secure handling of data once exported from the service.

5. Sub-processors (Article 28(2) and (4) GDPR)

5.1. The Controller gives Mezantic general written authorisation to use sub-processors needed to provide the service.

5.2. The current Service Providers page at mezantic.com/en/legal/service-providers identifies providers, legal entities and addresses, processing purpose, region, and the applicable mechanism for transfers outside the EEA where relevant. The page further distinguishes sub-processors that may handle respondent data from service providers supporting only Mezantic operations and from consent-activated providers.

5.3. Mezantic enters into a written agreement with each sub-processor imposing data-protection obligations that are materially equivalent to those in this DPA for the relevant processing (Article 28(4) GDPR). Mezantic remains fully liable to the Controller for the performance of any sub-processor's data-protection obligations to the same extent as for its own performance, in accordance with Article 28(4) second sentence GDPR.

5.4. Mezantic gives notice of any intended addition or replacement of a sub-processor that may process customer-controlled form or response data at least 14 days before the change takes effect. Notice is given by updating the Service Providers page and, where a notification email address is on file, by email to that address. Where the change is required urgently for security, legal-compliance, or provider-availability reasons, Mezantic may give shorter notice and will explain the reason.

5.5. The Controller may, within 14 days of the notice referred to in § 5.4, object in writing on reasonable data-protection grounds to the engagement of the new sub-processor. The Controller and Mezantic will discuss the objection in good faith. If no reasonable solution is found, the Controller may terminate the affected part of the service for cause without penalty and request return or deletion of the relevant customer personal data under § 9.

6. International Transfers (Articles 44–49 GDPR)

6.1. Mezantic aims to keep core customer form and response data in EEA-hosted infrastructure where supported by the selected providers, in line with the regions stated on the Service Providers page.

6.2. Where processing of customer-controlled personal data involves a transfer outside the EEA, Mezantic relies, in the following order of preference, on:

(a) an adequacy decision of the European Commission under Article 45 GDPR, including Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 on the EU-U.S. Data Privacy Framework, for transfers to recipients certified under that framework as listed at https://www.dataprivacyframework.gov/list;

(b) the 2021 standard contractual clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 under Article 46(2)(c) GDPR, with the controller-to-processor (Module 2) or processor-to-processor (Module 3) module as appropriate, supplemented by additional safeguards where Mezantic's transfer impact assessment so requires;

(c) other lawful transfer tools under Article 46 GDPR or, in narrowly limited situations, the derogations of Article 49 GDPR.

6.3. For each sub-processor that may receive personal data outside the EEA, the Service Providers page indicates the applicable transfer mechanism. By accepting this DPA the Controller authorises the use of those mechanisms and, where the 2021 SCCs apply, instructs Mezantic to enter into them with the relevant sub-processor on the Controller's behalf (back-to-back). In that case Mezantic acts as data exporter under Module 3 (processor to processor) for the onward transfer of data it has received from the Controller.

7. Assistance

7.1. Assistance with data-subject rights (Article 28(3)(e) GDPR)

7.1.1. Taking into account the nature of processing, Mezantic — insofar as possible and through appropriate technical and organisational measures — assists the Controller in fulfilling the obligation to respond to requests from data subjects for the exercise of their rights under Chapter III GDPR (Articles 12–22), including the rights of access, rectification, erasure, restriction of processing, data portability, and objection.

7.1.2. Assistance is delivered primarily through product features (export, edit, delete responses), documentation, and, where needed, reasonable manual support.

7.2. Assistance under Articles 32–36 GDPR (Article 28(3)(f) GDPR)

7.2.1. Mezantic assists the Controller in ensuring compliance with the obligations set out in Articles 32–36 GDPR, including:

(a) security of processing (Article 32 GDPR);

(b) notification of a personal data breach to the supervisory authority (Article 33 GDPR);

(c) communication of a personal data breach to the data subject (Article 34 GDPR);

(d) data protection impact assessment (Article 35 GDPR);

(e) prior consultation with the supervisory authority (Article 36 GDPR);

taking into account the nature of processing and the information available to Mezantic.

7.2.2. Mezantic may satisfy assistance obligations through product features, support processes, security documentation, summaries of technical and organisational measures, and written responses.

7.2.3. Mezantic may charge reasonable fees for assistance that is complex, repetitive, outside ordinary product functionality, or caused by Controller misuse — without prejudice to obligations of free assistance that follow directly from the GDPR or other mandatory law.

8. Personal Data Breach (Article 28(3)(f) and Article 33(2) GDPR)

8.1. After becoming aware of a personal data breach affecting customer-controlled personal data processed by Mezantic, Mezantic notifies the Controller without undue delay, where possible within a timeframe that allows the Controller to meet its own 72-hour notification deadline under Article 33(1) GDPR.

8.2. The notice will include, to the extent known at the time: (i) the nature of the breach; (ii) the categories and approximate number of data subjects concerned; (iii) the categories and approximate number of personal data records concerned; (iv) the likely consequences; (v) the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects; (vi) the contact point.

8.3. Mezantic may provide information in phases as investigation progresses, without undue delay.

8.4. The obligation to notify the breach to the supervisory authority (in Poland, the President of the Personal Data Protection Office) and, where required, to communicate it to the data subjects, rests with the Controller.

9. Deletion And Return (Article 28(3)(g) GDPR)

9.1. On termination of the provision of services covered by this DPA, or earlier on the Controller's written request, the Controller chooses, in accordance with Article 28(3)(g) GDPR, whether Mezantic shall:

(a) return all customer-controlled personal data to the Controller in a structured, commonly used and machine-readable format through the available export feature or, where that is not technically practicable, through reasonable manual support; or

(b) delete all customer-controlled personal data and certify the deletion in writing.

If the Controller makes no choice within 30 days of termination, Mezantic deletes customer-controlled personal data under option (b). Mezantic may retain customer personal data only to the extent and for as long as required by Union or Member State law applicable to Mezantic, and only for that purpose, in accordance with Article 28(3)(g) in fine GDPR.

9.2. Active product data is deleted from the live service through the deletion process. Copies held in backups are not deleted individually; they expire when the configured backup or disaster-recovery retention window elapses. Uploaded files held in object storage are removed in a separate cleanup step and may follow the storage provider's own deletion timing.

9.3. Mezantic may retain limited records where required for legal, tax/accounting, security, abuse-prevention, support, or evidence purposes, provided retained records avoid raw product content unless legally required or under legal hold.

10. Audits (Article 28(3)(h) GDPR)

10.1. Mezantic makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

10.2. The obligations in § 10.1 are met, in the first instance, by: (i) making documentation of technical and organisational measures available; (ii) security summaries; (iii) sub-processor attestations, certifications, and reports (e.g. SOC 2, ISO 27001, where available); (iv) written responses to reasonable Controller questions.

10.3. On-site or intrusive audits require reasonable prior written notice (no less than 30 days, except in urgent cases), are conducted during Mezantic's business hours, are limited to information necessary to verify compliance, and do not compromise the security or confidentiality of other Mezantic customers' data. Audits under this section are conducted no more than once per twelve-month period, except where required by mandatory law or in direct response to a documented security incident affecting customer-controlled personal data.

10.4. The auditor is bound by confidentiality. The parties may sign a separate non-disclosure agreement (NDA) as a precondition for an audit. The auditor selected by the Controller may not be a direct competitor of Mezantic or a party in an active commercial dispute with Mezantic.

10.5. Mezantic may charge the Controller reasonable, documented costs of personnel assistance provided during an audit that goes beyond standard reports and documentation. Mezantic does not charge fixed up-front fees merely for the fact of an audit.

10.6. Mezantic promptly informs the Controller if the scope or method of an audit, in its view, infringes the GDPR, other data protection law, or legitimate confidentiality and security interests of other customers.

11. Liability And Term

11.1. This DPA remains in effect while Mezantic processes customer-controlled personal data on behalf of the Controller, irrespective of termination of the Terms of Service, until completion of the operations described in § 9.

11.2. Liability under this DPA is governed by the Terms of Service, subject to mandatory law including Article 82 GDPR and Article 28(10) GDPR (the situation where a processor infringes the GDPR by determining the purposes and means of processing and is to be considered controller).

11.3. This DPA is governed by Polish law. Disputes are resolved in accordance with the Terms of Service.

11.4. Current DPA: mezantic.com/en/legal/dpa. Polish version: mezantic.com/pl/legal/dpa. The Controller is bound by the language version of the DPA accepted at conclusion. The parallel version in the other language exists for reference.