Data Processing Agreement
DPA — MYSO ESG HOLDING OÜ
This Data Processing Agreement ("DPA") forms part of the agreement between:
MYSO ESG HOLDING OÜ — Registered in Estonia ("Processor")
and
[Client Legal Name] ("Controller")
Effective as of: [Insert Date]
1. Purpose
This DPA governs the processing of Personal Data by Processor on behalf of Controller in connection with the provision of:
- MYSO ESG learning platform access
- ESG, sustainability, and climate competence programs
- LMS hosting or LMS content migration
- Reporting and dashboard services
This DPA ensures compliance with:
- EU General Data Protection Regulation (GDPR) (EU) 2016/679
2. Roles of the Parties
Controller
- Determines the purposes and means of processing Personal Data.
- Is responsible for obtaining lawful basis for processing.
Processor
- Processes Personal Data only on documented instructions from Controller.
- Does not determine purposes independently.
3. Categories of Data Subjects
Personal Data may relate to:
- Employees
- Contractors
- Board members
- Managers
- Authorized users of the platform
4. Types of Personal Data
Depending on implementation, the data may include:
- Name
- Work email address
- Job title
- Department
- Company name
- User ID
- Course enrollment data
- Course completion status
- Assessment results
- Learning analytics
- Login timestamps
- IP address (technical logs)
MYSO ESG™ does not intentionally collect special category data unless provided by Controller.
5. Purpose of Processing
Processing is limited to:
- Providing access to learning programs
- User authentication
- Progress tracking
- Reporting and dashboards
- Technical support
- Platform security
- License compliance
Personal Data shall not be used for marketing unless separately agreed.
6. Processor Obligations
Processor shall:
- Process data only on documented instructions.
- Ensure personnel are bound by confidentiality.
- Implement appropriate technical and organizational measures.
- Not sell personal data.
- Not use data for independent commercial purposes.
7. Security Measures
Processor shall implement appropriate safeguards including:
- Encrypted connections (HTTPS / TLS)
- Access controls and authentication
- Role-based access restrictions
- Secure hosting environment
- Regular system monitoring
- Logical data separation
- Backup and recovery procedures
Technical protections may include embedded JavaScript and license controls for IP protection. These mechanisms do not process personal data beyond security purposes.
8. Sub-Processors
Processor may engage sub-processors for:
- Cloud hosting
- Infrastructure services
- Analytics tools
- Email service providers
Processor shall:
- Use GDPR-compliant providers
- Maintain written agreements
- Ensure equivalent data protection obligations
A list of sub-processors shall be available upon request.
9. International Transfers
Personal Data shall primarily be processed within:
- The European Economic Area (EEA)
If data is transferred outside the EEA, Processor shall ensure:
- EU Standard Contractual Clauses (SCCs), or
- Adequacy decision mechanisms.
10. Data Subject Rights
Processor shall assist Controller in responding to:
- Access requests
- Rectification requests
- Erasure requests
- Restriction requests
- Data portability
- Objection requests
Controller remains responsible for responding to data subjects.
11. Data Breach
Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach.
Notification shall include:
- Nature of breach
- Categories of data affected
- Likely consequences
- Mitigation steps taken
Processor will cooperate with Controller in fulfilling GDPR breach reporting obligations.
12. Data Retention & Deletion
Upon termination of services, Processor shall, at Controller's choice:
- Delete Personal Data, or
- Return Personal Data,
unless retention is required by law.
Where content is migrated to Client's LMS, Client becomes responsible for further processing within its own system.
13. Audit Rights
Controller may request information demonstrating compliance with this DPA.
Reasonable documentation may include:
- Security policy summary
- Data handling procedures
- Sub-processor overview
On-site audits require reasonable notice and may be subject to confidentiality agreements.
14. Liability
Liability under this DPA follows the liability limitations set forth in the Master Agreement or Terms & Conditions.
15. Governing Law
This DPA shall be governed by:
- The laws of the Republic of Estonia
Disputes shall be subject to Estonian courts unless otherwise agreed.
16. Contact Information
For data protection inquiries:
MYSO ESG HOLDING OÜ
Email: [Insert privacy email]
Address: [Insert registered address]
Schedule 1 – Processing Summary
| Item | Details |
|---|---|
| Nature of Processing | Provision of enterprise ESG learning platform services. |
| Duration | For the term of the service agreement. |
| Purpose | Delivery of learning programs and reporting. |
| Categories of Data Subjects | Employees and authorized users. |
| Types of Personal Data | Basic business contact and learning progress data. |
