Last updated: April 2026
This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service and is effective from the date the organization first uses the Birenko platform.
For the purposes of this DPA:
The Organization's use of the platform (including configuration of features, creation of user accounts, and entry of data) constitutes its complete documented instructions to Birenko for the processing of personal data. Birenko will process personal data only in accordance with these instructions, unless required by applicable law to do otherwise, in which case Birenko will inform the Organization of such legal requirement before processing (unless prohibited from doing so by law). Additional processing instructions beyond normal platform use require prior written agreement and may incur additional fees.
Birenko implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. Birenko shall determine the specific security measures at its reasonable discretion. Current measures include, but are not limited to: encryption of data in transit (TLS), encrypted password storage (bcrypt), role-based access controls, multi-tenant data isolation, audit logging, and regular security reviews.
The Organization grants Birenko general written authorization to engage sub-processors for the provision of the platform services. A current list of sub-processors is maintained in our Privacy Policy.
Birenko will provide at least 30 days' advance notice of the addition or replacement of sub-processors by updating the Privacy Policy. The Organization has the right to object to any sub-processor change within the notice period. If the Organization objects and Birenko cannot reasonably accommodate the objection, the Organization may terminate its use of the platform and request deletion of its data. Continued use of the platform after the notice period constitutes acceptance of the sub-processor change.
Where Birenko engages a sub-processor, it shall impose equivalent data protection obligations on the sub-processor by way of contract. Birenko remains liable for the acts and omissions of its sub-processors to the same extent as for its own acts and omissions.
Birenko shall assist the Organization in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) to the extent commercially reasonable and technically feasible, taking into account the nature of the processing. The Organization is primarily responsible for responding to data subject requests. Where a data subject contacts Birenko directly, Birenko will promptly redirect the request to the Organization where possible.
Birenko will notify the Organization of any personal data breach without undue delay after becoming aware of the breach. The notification will include, to the extent available: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach. Birenko will cooperate with the Organization in meeting its own notification obligations under GDPR Articles 33 and 34.
Birenko will make available to the Organization all information reasonably necessary to demonstrate compliance with this DPA. The Organization (or an independent third-party auditor appointed by the Organization) may conduct an audit of Birenko's processing activities, subject to the following conditions: (a) the Organization provides at least 30 days' written notice; (b) audits are limited to once per calendar year; (c) audits are conducted during normal business hours and in a manner that minimizes disruption; (d) the Organization bears all costs of the audit; (e) audit findings are treated as confidential.
Upon termination of the Organization's use of the platform, Birenko will, at the Organization's choice, return or delete all personal data processed on behalf of the Organization, within 30 days and to the extent technically feasible. Birenko may retain copies of data to the extent required by applicable law or regulation, and may retain anonymized or aggregated data that cannot reasonably be linked to any individual.
Birenko's total aggregate liability arising out of or in connection with this DPA shall not exceed the total fees actually paid by the Organization to Birenko in the 12 months preceding the event giving rise to the claim. This limitation applies to the fullest extent permitted by applicable law and does not apply to liability arising from willful misconduct or gross negligence.
To the extent that Birenko processes personal data outside the European Economic Area (EEA), it will ensure appropriate safeguards are in place, as described in the Privacy Policy (currently: EU-US Data Privacy Framework and/or Standard Contractual Clauses).
This DPA is governed by the laws of the Republic of Serbia. For Organizations and data subjects located in the European Union, mandatory local data protection provisions shall remain applicable.
By using the Birenko platform as an Organization, the Organization acknowledges and agrees to this Data Processing Agreement. This DPA is effective from the date the Organization first accesses the platform.