Documents juridiquesConditions de traitement des données

Conditions de traitement des données

Conditions de traitement des données de l'article 28 du RGPD qui s'appliquent lorsque Konfi Cloud traite des données personnelles pour le compte d'un client professionnel.

Dernière mise à jour: 18 mai 2026

Parties and scope

These data processing terms (the DPA) form Article 28 GDPR commitments between Dawid Sobolewski, operating Konfi Cloud as an individual service provider in Poland (the processor), and the business customer that has accepted the Konfi Cloud terms (the controller).

These terms apply automatically to any personal data the customer or its end users enter, upload, or otherwise process inside a Konfi Cloud workspace. A counter-signed copy is available on request to support@getkonfi.com; the in-product version below is the standard offer that applies until a counter-signed variant is in place.

Subject, duration, and categories

  • Subject matter: provision of the Konfi Cloud SaaS control plane and related operator support.
  • Duration: for as long as the customer has an active Konfi Cloud account or workspace and during any post-termination retention window agreed in writing.
  • Nature and purpose of processing: hosting, storing, organising, retrieving, displaying, transmitting, and otherwise handling customer data so that the customer and its end users can use Konfi Cloud.
  • Categories of data subjects: the customer's employees, contractors, end customers, suppliers, and any other individuals whose personal data the customer chooses to put into the workspace.
  • Categories of personal data: identification and contact data, account credentials and authentication metadata, business and order data, billing and tax data, support communications, and any other personal data the customer chooses to process.

Processing instructions

Konfi Cloud processes personal data only on the controller's documented instructions, as set out in these DPA terms, the main Konfi Cloud terms, the privacy policy, the configuration the customer chooses in the workspace, and any written instructions accepted by the service provider.

If applicable law requires the service provider to process personal data otherwise, the service provider will inform the controller before processing unless that law prohibits such information on important grounds of public interest.

Subprocessors

The controller authorises the service provider to use the subprocessors listed on the Subprocessors page. The service provider will keep that list up to date and will give prior notice of any intended addition or replacement of a subprocessor through the website, in-product notice, or e-mail to the workspace admin contacts.

The controller may object to a new subprocessor on reasonable, GDPR-related grounds within 30 days of notice. If the parties cannot resolve the objection, the controller may terminate the affected services and receive a pro-rated refund of pre-paid, unused fees for those services.

Security measures

  • Encryption of personal data in transit (TLS) and at rest where the underlying providers offer it.
  • Identity and access management with role-based permissions, MFA enforcement for operator and admin roles, and audit logging of privileged actions.
  • Network and application protections including Firebase App Check, rate limiting, signed webhooks, and isolation between control plane and tenant runtime data.
  • Operational measures including least-privilege production access, periodic credential rotation, vulnerability monitoring, backups, and incident response.
  • Personnel acting under the service provider's authority are bound by confidentiality obligations.

Data subject requests

The service provider will assist the controller, taking into account the nature of the processing and the information available, in fulfilling its obligations to respond to data subject requests under Chapter III GDPR.

Where a data subject contacts the service provider directly with a request that concerns data inside a customer workspace, the service provider will, where reasonable, refer the data subject to the relevant controller or forward the request.

Security incidents and assistance

The service provider will assist the controller in ensuring compliance with Articles 32 to 36 GDPR (security of processing, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of the processing and the information available.

The service provider will notify the controller without undue delay after becoming aware of a personal data breach affecting the customer's data and will provide the information needed for the controller to meet its own notification obligations.

Audits

The service provider will make available to the controller information necessary to demonstrate compliance with Article 28 GDPR and will allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller, subject to reasonable confidentiality and security restrictions.

The first level of audit will normally be the documentation and certifications available from the relevant subprocessors. Direct on-site audits can be arranged with reasonable notice and at the controller's expense, unless an audit reveals a material breach by the service provider.

International transfers

Some subprocessors process personal data outside the European Economic Area, mainly in the United States. Transfers rely on European Commission adequacy decisions where they apply (including the EU-US Data Privacy Framework when the provider is certified) and on Standard Contractual Clauses with supplementary measures where they do not.

Details of each subprocessor's processing location and transfer mechanism are listed on the Subprocessors page.

Term, termination, and deletion

On termination of the services, the service provider will, at the controller's choice, delete or return the personal data processed on behalf of the controller, and delete existing copies, unless applicable law requires further storage. Standard retention windows are described in the privacy policy.

These DPA terms remain in force for as long as the service provider processes personal data on behalf of the controller.

Contact

Questions about these DPA terms or to request a counter-signed copy can be sent to support@getkonfi.com.