Data Processing Addendum

This Data Processing Addendum ("DPA"), Version 1.0, forms part of the Terms and Conditions ("Agreement") between CodeCat s. r. o. (trading as Mangools, "Mangools", "we", "us", "our"), located at Obchodna 2, 811 06 Bratislava, Slovakia (Company ID: 44550804), and the customer accepting the Agreement ("Customer"). This DPA governs the processing of personal data by Mangools on behalf of the Customer in connection with the provision of Mangools' SEO tools and services (KWFinder, SERPWatcher, SERPChecker, LinkMiner, SiteProfiler, AI Watcher, Mangools API, and related services, collectively referred to as the "IP").

This DPA is effective as of the date the Customer accepts the Agreement and supersedes any prior data processing agreement between the parties regarding the subject matter hereof.

1. Definitions and Interpretation

In this DPA, the following terms have the meanings set out below. Capitalised terms not defined here have the meaning given in the Agreement.

"Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Customer Personal Data, including but not limited to: (a) Regulation (EU) 2016/679 of the European Parliament and of the Council ("GDPR"); (b) the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, as amended ("UK GDPR"); (c) the Swiss Federal Act on Data Protection ("FADP"); (d) Directive 2002/58/EC (ePrivacy Directive) and any national implementing legislation; and (e) any other applicable national data protection legislation in force from time to time.

"Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, as defined in Article 4(7) GDPR.

"Customer Personal Data" means any Personal Data that Mangools processes on behalf of the Customer as a Processor under this DPA and the Agreement, including data described in Annex 1.

"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise processed by Mangools.

"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

"EEA" means the European Economic Area.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.

"Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller, as defined in Article 4(8) GDPR.

"Processing" means any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, as defined in Article 4(2) GDPR.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679, as adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or replaced from time to time.

"Sub-processor" means any Processor engaged by Mangools to carry out processing activities on Customer Personal Data on behalf of the Customer.

"Supervisory Authority" means (a) for EEA data subjects, the competent supervisory authority under GDPR; (b) for Slovak data subjects, the Úrad na ochranu osobných údajov Slovenskej republiky (Office for Personal Data Protection of the Slovak Republic, dataprotection.gov.sk); (c) for UK data subjects, the Information Commissioner's Office ("ICO"); and (d) for Swiss data subjects, the Federal Data Protection and Information Commissioner ("FDPIC").

"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the ICO under Section 119A(1) of the Data Protection Act 2018.

In this DPA, references to "including" mean "including without limitation". Section headings do not affect interpretation. References to statutes or regulations include all amendments and successor legislation.

2. Scope and Application

2.1 This DPA applies to all processing of Customer Personal Data by Mangools on behalf of the Customer in connection with the provision of IP under the Agreement.

2.2 This DPA is incorporated into and forms part of the Agreement. In the event of any conflict between this DPA and the Agreement with respect to the processing of Customer Personal Data, this DPA shall prevail.

2.3 This DPA is binding upon the parties from the date the Customer accepts the Agreement. No separate signature is required. Upon Customer's written request, Mangools will provide a countersigned copy of this DPA for the Customer's records.

2.4 The term of this DPA corresponds to the term of the Agreement, subject to the survival provisions set out in Section 15.

3. Roles and Responsibilities

3.1 Customer as Controller. Where the Customer collects or otherwise processes Personal Data of its own customers, employees, end-users, or other Data Subjects and uses IP to process such Personal Data, the Customer acts as Controller and Mangools acts as Processor within the meaning of Article 28 GDPR.

3.2 Customer as Processor. Where the Customer itself acts as a processor on behalf of a third-party controller, Mangools acts as sub-processor. In such cases, the Customer represents and warrants that the relevant controller has authorised the engagement of Mangools as sub-processor and that this DPA satisfies the requirements of Article 28(4) GDPR.

3.3 Customer obligations. The Customer shall:

  • comply with all Applicable Data Protection Laws in connection with its processing of Customer Personal Data;
  • ensure that all instructions given to Mangools are lawful and comply with Applicable Data Protection Laws;
  • hold a valid and documented legal basis for any transfer of Customer Personal Data to Mangools;
  • be solely responsible for the accuracy, quality, legality, and lawfulness of the Customer Personal Data and the means by which it was collected;
  • notify Mangools promptly if any instruction given to Mangools would, in the Customer's reasonable opinion, violate Applicable Data Protection Laws.

3.4 Mangools as Processor. Mangools shall process Customer Personal Data only in accordance with the Customer's documented instructions, unless processing is required by applicable law, in which case Mangools shall, to the extent permitted by law, notify the Customer prior to such processing.

3.5 If Mangools believes that any instruction from the Customer infringes Applicable Data Protection Laws, Mangools shall promptly inform the Customer.

4. Details of Processing

The subject matter, nature, purpose, and duration of the processing, as well as the types of Customer Personal Data processed and the categories of Data Subjects, are set out in Annex 1 to this DPA.

5. Mangools Obligations as Processor

5.1 Processing in accordance with instructions. Mangools shall process Customer Personal Data only on documented instructions from the Customer, including with regard to transfers of Customer Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which Mangools is subject. In such a case, Mangools shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

5.2 Confidentiality. Mangools shall ensure that persons authorised to process Customer Personal Data are subject to appropriate obligations of confidentiality (whether under a contractual obligation, statutory obligation, or professional duty of confidentiality), and that access is restricted on a need-to-know basis.

5.3 Security. Mangools shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures are described in Annex 2. Mangools may update security measures from time to time, provided that the overall level of protection is not materially reduced.

5.4 Compliance and records. Mangools shall maintain records of processing activities in accordance with Article 30(2) GDPR and shall cooperate with Supervisory Authorities as required.

5.5 Assistance to the Customer. Taking into account the nature of the processing and the information available to Mangools, Mangools shall assist the Customer:

  • in fulfilling its obligations to respond to requests for exercising Data Subjects' rights under Chapter III of GDPR (Articles 15–22);
  • in ensuring compliance with the obligations pursuant to Articles 32–36 GDPR regarding security, breach notification, data protection impact assessments, and prior consultation;
  • in providing information necessary to demonstrate compliance with this DPA.

Such assistance shall be at the Customer's reasonable cost where it requires significant effort or resources from Mangools.

5.6 No unauthorised processing. Mangools shall not sell, rent, lease, or otherwise transfer Customer Personal Data to third parties; shall not process Customer Personal Data outside the scope of this DPA; and shall not use Customer Personal Data for its own purposes other than as necessary to provide IP as contemplated by the Agreement.

6. Security Measures

6.1 Mangools implements the technical and organisational security measures described in Annex 2 to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, such data.

6.2 The Customer is responsible for independently assessing the adequacy of the security measures for its own legal obligations and for securing its own systems, credentials, and configurations used to access IP.

6.3 Upon the Customer's written request, Mangools will make available information reasonably necessary to demonstrate the adequacy of its security measures, subject to appropriate confidentiality restrictions. This may include security questionnaire responses or summaries of applicable third-party certifications held by Mangools' hosting providers.

7. Data Breach Notification

7.1 In the event of a Data Breach affecting Customer Personal Data, Mangools shall notify the Customer without undue delay and in any event within 72 hours of becoming aware of the Data Breach, to the extent permitted by applicable law.

7.2 The notification shall, to the extent information is available, include:

  • a description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and personal data records concerned;
  • the name and contact details of the data protection contact at Mangools;
  • the likely consequences of the Data Breach;
  • the measures taken or proposed to be taken by Mangools to address the Data Breach, including measures to mitigate its possible adverse effects.

7.3 Where it is not possible to provide all required information at the time of notification, Mangools shall provide the available information initially and supplement the notification with further information as soon as it becomes available.

7.4 Mangools shall cooperate with the Customer and provide reasonable assistance as necessary for the Customer to fulfil its notification obligations to Supervisory Authorities and affected Data Subjects under Applicable Data Protection Laws.

7.5 Mangools' notification of a Data Breach shall not be construed as an acknowledgement by Mangools of any fault or liability with respect to the Data Breach.

7.6 Mangools shall maintain records of all Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken.

8. Sub-processors

8.1 General authorisation. The Customer hereby grants Mangools a general authorisation to engage Sub-processors for the processing of Customer Personal Data, subject to the requirements of this Section 8. The current list of Sub-processors is set out in Annex 3 and is available at mangools.com/privacy.

8.2 Notice of changes. Mangools shall give the Customer at least 30 days' prior written notice (by email to the Customer's registered email address or via an in-app notification) before adding or replacing any Sub-processor. The Customer may subscribe to Sub-processor change notifications by contacting info@mangools.com.

8.3 Objection right. The Customer may object to a new or replacement Sub-processor on reasonable data protection grounds by notifying Mangools in writing within 30 days of Mangools' notice. In such event, Mangools and the Customer will attempt in good faith to resolve the objection (including by implementing additional safeguards or by disabling the relevant feature). If the parties cannot agree, either party may terminate the affected portion of the IP without penalty (but without refund of any prepaid fees).

8.4 Sub-processor obligations. Mangools shall impose data protection obligations on each Sub-processor that are equivalent to those imposed on Mangools under this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. Mangools remains fully liable to the Customer for the performance of the Sub-processor's obligations to the extent that the Sub-processor fails to fulfil its obligations.

8.5 Upon written request, Mangools shall provide the Customer with evidence of the contractual data protection obligations imposed on its Sub-processors.

9. Data Subject Rights

9.1 Mangools shall, taking into account the nature of the processing, assist the Customer in fulfilling its obligations under Applicable Data Protection Laws to respond to requests from Data Subjects exercising their rights under Articles 15–22 GDPR, including the rights of access, rectification, erasure, restriction of processing, data portability, objection, and rights related to automated decision-making.

9.2 The Customer is responsible for receiving and responding to Data Subject requests. Where Mangools receives a Data Subject request relating to Customer Personal Data and is legally permitted to do so, Mangools shall promptly forward the request to the Customer without responding to it directly.

9.3 IP provides built-in functionality that allows the Customer to access, correct, export, restrict, and delete Customer Personal Data directly within the account settings and dashboard. Where the Customer cannot satisfy a Data Subject request using IP's built-in functionality, Mangools shall provide additional reasonable assistance upon written request at commercially reasonable cost.

10. Data Protection Impact Assessments and Consultations

10.1 To the extent required by Applicable Data Protection Laws, Mangools shall provide reasonable assistance to the Customer in conducting Data Protection Impact Assessments (DPIAs) pursuant to Article 35 GDPR, where such DPIAs relate to the processing of Customer Personal Data by Mangools. Such assistance shall be at the Customer's reasonable cost.

10.2 Mangools shall provide reasonable assistance to the Customer in respect of any prior consultation with a Supervisory Authority required under Article 36 GDPR, to the extent such consultation relates to processing activities carried out by Mangools on behalf of the Customer. Such assistance shall be at the Customer's reasonable cost.

11. International Data Transfers

11.1 Customer Personal Data may be transferred to and processed in countries outside the EEA, the UK, or Switzerland, including the United States, as described in Annex 3 (Sub-processor locations).

11.2 EEA transfers. Transfers of Customer Personal Data from the EEA to countries not ensuring an adequate level of data protection under GDPR are governed by the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, incorporated by reference in Annex 4.

11.3 UK transfers. Transfers of Customer Personal Data from the UK are governed by the UK Addendum to the SCCs, incorporated by reference in Annex 5.

11.4 Swiss transfers. Transfers of Customer Personal Data from Switzerland are governed by the SCCs incorporated in Annex 4 with the following Swiss-specific modifications: all references to "GDPR" shall be construed as references to the Swiss FADP; "Member State" shall be construed as "Switzerland"; all references to the supervisory authority shall refer to the FDPIC; and the governing law and jurisdiction for SCCs purposes shall be Switzerland.

11.5 Module selection. Where the Customer acts as Controller, Module Two (Controller-to-Processor) of the SCCs applies. Where the Customer acts as a Processor on behalf of another Controller, Module Three (Processor-to-Processor) applies.

11.6 SCC completions. For the purposes of the SCCs: Clause 7 (docking clause) applies; Clause 9 selects Option 2 (general written authorisation, with a minimum 30-day notice period); Clause 11 (optional redress mechanism) does not apply; Clause 17 selects the law of the Slovak Republic; Clause 18 selects the courts of the Slovak Republic (District Court Bratislava I).

11.7 Supplementary measures. In addition to the SCCs, Mangools implements supplementary measures including: encryption in transit (TLS/HTTPS) and at rest; strict access controls and authentication; Sub-processor contractual commitments; and regular security assessments. Mangools shall notify the Customer if Mangools has reason to believe that the applicable international transfer mechanism has become or is likely to become ineffective.

12. Deletion and Return of Data

12.1 Upon termination or expiry of the Agreement, at the Customer's election, Mangools shall either: (a) securely delete all Customer Personal Data in Mangools' possession or control; or (b) return Customer Personal Data to the Customer in a commonly used electronic format, and thereafter delete all existing copies.

12.2 The Customer may export Customer Personal Data from IP at any time before termination using IP's data export functionality.

12.3 Mangools shall complete the deletion or return of Customer Personal Data within 90 days of the effective date of termination or expiry, unless applicable law requires Mangools to retain certain data for a longer period. Any data retained solely for legal compliance purposes shall be isolated from further processing and deleted as soon as legally permitted.

12.4 Backup copies of Customer Personal Data held on archived systems shall be securely isolated and deleted in accordance with Mangools' backup retention schedule, and in any event no later than 180 days after the effective date of termination or expiry.

12.5 Upon written request, Mangools shall provide the Customer with a written confirmation of deletion of Customer Personal Data in accordance with this Section 12.

13. Audit and Compliance

13.1 Mangools shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.

13.2 Audit conditions. Any audit shall be subject to the following conditions:

  • the Customer shall provide Mangools with at least 30 days' prior written notice;
  • audits shall be conducted no more than once per calendar year, unless the Customer has reasonable grounds to believe that Mangools is not complying with this DPA;
  • audits shall be conducted during Mangools' regular business hours and in a manner that minimises disruption to Mangools' operations;
  • the Customer shall bear all costs and expenses of the audit, including Mangools' reasonable costs of facilitating the audit;
  • any auditor appointed by the Customer must be bound by appropriate confidentiality obligations and must comply with Mangools' reasonable security requirements.

13.3 Alternative audit methods. In lieu of or in addition to an on-site audit, Mangools may satisfy audit requirements by making available: security questionnaire responses; penetration test executive summaries; third-party security assessment reports; or applicable certifications held by Mangools' infrastructure Sub-processors (including AWS and Google Cloud), subject to appropriate confidentiality restrictions.

13.4 Mangools shall cooperate with Supervisory Authorities and shall provide reasonable assistance to the Customer in relation to any audit or investigation by a Supervisory Authority.

14. Liability and Indemnification

14.1 Each party's liability under this DPA shall be subject to the limitations and exclusions set out in the Agreement, except to the extent that Applicable Data Protection Laws prohibit such limitations.

14.2 Mangools shall be liable under Applicable Data Protection Laws for damages caused by processing of Customer Personal Data only where Mangools has not complied with obligations of this DPA specifically directed to Processors, or where Mangools has acted outside or contrary to the Customer's lawful instructions. Mangools shall not be liable for any damage caused by processing if Mangools proves that it is not in any way responsible for the event giving rise to the damage.

14.3 Mangools remains fully liable for the performance of the Sub-processors it engages in accordance with Section 8.

14.4 Customer indemnification. The Customer shall indemnify, defend, and hold harmless Mangools from and against any claims, losses, damages, fines, penalties, costs, and expenses (including reasonable legal fees) arising from or relating to: (a) any breach of this DPA by the Customer; (b) any processing of Customer Personal Data by the Customer that violates Applicable Data Protection Laws; or (c) any instructions from the Customer that cause Mangools to violate Applicable Data Protection Laws.

14.5 Notwithstanding anything to the contrary in the Agreement, no limitation of liability shall apply to: (a) claims for death or personal injury arising from gross negligence or wilful misconduct; (b) any liability that cannot be limited by applicable law.

15. Duration and Termination

15.1 This DPA commences on the effective date of the Agreement and continues until the termination or expiry of the Agreement.

15.2 Upon termination or expiry of the Agreement: Mangools shall cease all processing of Customer Personal Data; and Mangools shall delete or return Customer Personal Data in accordance with Section 12.

15.3 The following provisions shall survive termination or expiry of this DPA: Section 12 (Deletion and Return of Data), Section 13 (Audit and Compliance) to the extent necessary to verify deletion, Section 14 (Liability and Indemnification), and Section 16 (General Provisions).

15.4 The Customer may suspend the transfer of Customer Personal Data to Mangools if: (a) a Supervisory Authority determines that Mangools has violated applicable SCCs or is unable to comply with them; or (b) the applicable international data transfer mechanism becomes invalid or is found insufficient. The Customer shall provide prior written notice and a reasonable opportunity to remedy the deficiency before suspension.

16. General Provisions

16.1 Amendments. Mangools may amend this DPA from time to time to reflect changes in Applicable Data Protection Laws, regulatory guidance, or Mangools' business practices. Mangools shall provide at least 30 days' notice of material amendments. The Customer's continued use of IP after the effective date of any amendment constitutes acceptance of the amended DPA. If the Customer does not accept a material amendment, the Customer may terminate the Agreement in accordance with its terms.

16.2 Severability. If any provision of this DPA is held invalid, illegal, or unenforceable, that provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable while preserving its original intent and economic effect. The remaining provisions of this DPA shall remain in full force and effect.

16.3 Governing law. This DPA is governed by the laws of the Slovak Republic, without regard to its conflict of law provisions, subject to the direct application of relevant EU regulations. The SCCs and the UK Addendum are governed by their own applicable law as set out therein.

16.4 Dispute resolution. Any dispute arising out of or in connection with this DPA, including any question regarding its existence, validity, or termination, shall be subject to the exclusive jurisdiction of the District Court Bratislava I, Slovak Republic, in accordance with EU Regulation No 1215/2012. Notwithstanding the foregoing, either party may seek interim or injunctive relief in any court of competent jurisdiction.

16.5 Third-party rights. This DPA does not create any third-party beneficiary rights, except for Data Subject rights arising under the SCCs or the UK Addendum.

16.6 Entire agreement. This DPA, together with the Agreement and all annexes and documents incorporated by reference, constitutes the entire agreement between the parties with respect to the processing of Customer Personal Data and supersedes all prior and contemporaneous understandings.

16.7 Language. This DPA is executed in the English language. Any translation provided by Mangools is for convenience only; the English version shall prevail in the event of any inconsistency.

16.8 Assignment. Mangools may assign this DPA and its rights and obligations hereunder to any successor entity in connection with a merger, acquisition, reorganisation, or sale of all or substantially all of its assets. The Customer's rights under this DPA shall continue with any such successor. The Customer may not assign this DPA without Mangools' prior written consent.

17. Contact Information

For all matters relating to this DPA, data protection, or the exercise of data subject rights, please contact:

CodeCat s. r. o. (Mangools)
Obchodna 2
81106 Bratislava
Slovakia

info@mangools.com

For requests regarding a countersigned copy of this DPA, please contact us at info@mangools.com with subject line "DPA Request".


Annex 1 – Details of Processing

A. List of Parties

Data Exporter (Controller or Processor):
Name: The Customer, as identified in the Agreement.
Role: Controller (or Processor acting on behalf of a Controller).
Contact: As provided in the Customer's account registration details.

Data Importer (Processor):
Name: CodeCat s. r. o. (Mangools)
Address: Obchodna 2, 811 06 Bratislava, Slovakia
Company ID: 44550804
Contact: info@mangools.com
Role: Processor

B. Description of Transfer

1. Subject Matter

The provision of SEO tools and related services under the Agreement, including: keyword research (KWFinder), rank tracking (SERPWatcher), SERP analysis (SERPChecker), backlink analysis (LinkMiner), website analysis (SiteProfiler), AI search visibility tracking (AI Watcher), and the Mangools API.

2. Duration

Processing continues for the duration of the Agreement and for any applicable data retention period following termination, in accordance with Section 12.

3. Nature and Purpose of Processing

Mangools processes Customer Personal Data for the following purposes:

  • Service Provision: operating and delivering IP features; processing keyword searches and tracked domains; generating and delivering alerts, reports, and analytics; managing user accounts and project data; processing customer support inquiries.
  • Billing and Account Management: processing subscription payments; managing invoices; handling plan upgrades and downgrades; managing trial accounts.
  • Security and Compliance: detecting and preventing fraud, abuse, and unauthorised access; enforcing the Agreement and Applicable Data Protection Laws; responding to legal obligations.
  • Service Improvement: analysing usage patterns to improve and develop IP, aggregating and anonymising usage data for product analytics.

4. Types of Personal Data Processed

  • Account Information: name, email address, company name, billing address, VAT ID, password (stored in hashed form), account settings and preferences.
  • Payment Information: cardholder name, billing address, payment history. Full payment card numbers are not stored by Mangools; payment processing is handled by certified payment Sub-processors.
  • Project and Usage Data: keywords and search queries submitted by the Customer; domain names and URLs tracked in projects; SERP data and rankings associated with tracked keywords; backlink data associated with tracked domains; historical analysis data stored within the Customer's account.
  • Usage and Log Data: IP addresses; browser type and version; device information; dates and times of access; features used; clickstream data; error logs.
  • Communications Data: content of customer support communications; feedback and survey responses.
  • Sub-user Data: names and email addresses of authorised sub-users added to the Customer's account.

5. Categories of Data Subjects

  • Account holders (Customer's registered users).
  • Authorised sub-users added to the Customer's account (e.g., team members, employees, contractors).
  • Customer support contacts.
  • Any natural persons whose data is incidentally included in project data submitted by the Customer (e.g., domain owners, website administrators).

6. Sensitive Data

Mangools does not intentionally collect or process special categories of personal data within the meaning of Article 9 GDPR (sensitive data). The Customer must not submit special category data through IP. If the Customer inadvertently includes sensitive data, the Customer must ensure a valid legal basis and appropriate safeguards are in place.

7. Frequency and Nature of Transfer

Processing is continuous throughout the Agreement term, including real-time processing of search queries and tracked data, immediate alerting, and ongoing account management.

8. Processing Locations

Primary: European Union (AWS data centres). Secondary: United States (AWS, and other Sub-processors listed in Annex 3). Other locations as necessary for service delivery through the Sub-processors listed in Annex 3.


Annex 2 – Technical and Organisational Security Measures (TOMS)

Mangools implements the following technical and organisational security measures to protect Customer Personal Data:

1. Encryption and Data Protection

  • In transit: All data transmitted between Customer and Mangools, and between Mangools' systems and Sub-processors, is encrypted using industry-standard encryption protocols (HTTPS/TLS).
  • At rest: Customer Personal Data stored on Mangools' infrastructure (hosted on Amazon Web Services) benefits from server-side encryption at rest as provided by AWS infrastructure. Passwords are stored using strong, industry-standard one-way hashing.
  • Payment data: Full payment card data is not stored by Mangools. Payment processing is delegated to PCI-DSS certified Sub-processors (Stripe, PayPal, Paddle).

2. Access Control

  • Authentication: Access to Mangools systems requires authentication with strong passwords. Two-factor authentication (2FA) is available for Customer accounts and is required for privileged administrative access to Mangools' systems.
  • Authorisation: Role-based access control (RBAC) is applied. Personnel access to Customer Personal Data is restricted on a need-to-know basis. Access rights are reviewed periodically and revoked upon termination of employment or change of role.
  • Customer Data Access: Access to Customer Personal Data by Mangools personnel is limited to authorised personnel for the purposes of service provision, support, and security operations, and is logged.
  • Physical Security: Mangools' infrastructure is hosted in Amazon Web Services data centres, which are ISO 27001 certified and SOC 2 Type II audited, and implement comprehensive physical security controls including 24/7 monitoring, biometric access, and environmental controls.

3. Network and System Security

  • Network segmentation and firewall protection are implemented.
  • Web Application Firewall (WAF) and DDoS protection are in place.
  • Regular malware scanning and vulnerability scanning of systems are conducted.
  • Operating systems and software are regularly patched and updated to address security vulnerabilities.
  • Secure coding practices are followed in the development of IP.

4. Incident Management

  • Mangools maintains an incident response procedure covering detection, classification, escalation, notification, and post-incident review.
  • In the event of a Data Breach affecting Customer Personal Data, Mangools follows the notification procedure set out in Section 7 of this DPA.
  • System activity logs are maintained and monitored to detect and investigate security incidents.

5. Availability and Business Continuity

  • IP is hosted on Amazon Web Services with geographic redundancy and high-availability configurations.
  • Regular automated backups of Customer data are performed.
  • Recovery procedures are in place to restore data and services following a security incident or infrastructure failure.

6. Personnel Security

  • All Mangools employees and contractors with access to Customer Personal Data are bound by confidentiality obligations.
  • Personnel receive appropriate data protection and security awareness training.
  • Access is revoked promptly upon termination of employment or engagement.

7. Vendor and Sub-processor Management

  • Before engaging a Sub-processor, Mangools conducts due diligence on the Sub-processor's data protection and security practices.
  • Mangools enters into written data processing agreements with all Sub-processors, imposing data protection obligations equivalent to those set out in this DPA.
  • Sub-processor compliance with data protection obligations is reviewed on an ongoing basis.

8. Data Minimisation and Retention

  • Mangools processes only the minimum Customer Personal Data necessary to fulfil the purposes described in Annex 1.
  • Customer Personal Data is deleted or anonymised in accordance with Section 12 of this DPA following termination of the Agreement.

Annex 3 – List of Sub-processors

The following Sub-processors are currently authorised by the Customer pursuant to Section 8 of this DPA. This list was last updated on May 25, 2026. The current list is also available at mangools.com/privacy.

| Sub-processor | Service Provided | Processing Location |
| --- | --- | --- |
| Amazon Web Services (AWS) | Cloud infrastructure, data hosting, storage, and processing | EU, US |
| Google Analytics | Website traffic analytics and user behaviour analysis | US |
| Google Ads | Targeted pay-per-click advertising campaigns | US |
| Google Workspace (GSuite) | Internal email communication and collaboration | US |
| Stripe | Payment processing (credit/debit cards) | US, EU |
| PayPal | Payment processing and affiliate commission payouts | US, EU |
| Paddle | Payment processing | UK, EU |
| Coinbase Commerce | Cryptocurrency payment processing | US |
| SendGrid (Twilio) | Transactional and marketing email delivery | US |
| User.com | Customer support live chat, CRM, and automated behavioural emails | US, EU |
| Intercom | Customer support chat and messaging | US |
| Rollbar | Application error tracking and monitoring | US |
| Microsoft Clarity | Behavioural analytics, heatmaps, and session replay | US |
| Hotjar | User behaviour analytics and feedback | EU |
| Facebook (Meta) | Targeted pay-per-click advertising campaigns | US |
| Slack | Internal team communication | US |
| Gravatar (Automattic) | User profile picture identification and display | US |

Mangools will update this list at least 30 days prior to any addition or replacement of a Sub-processor, in accordance with Section 8 of this DPA.


Annex 4 – Standard Contractual Clauses

This Annex 4 incorporates by reference the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("SCCs"), including all annexes thereto.

The SCCs are available at: eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0914.

The following completions apply:

  • Module: Module Two (Controller-to-Processor) where the Customer is a Controller; Module Three (Processor-to-Processor) where the Customer is a Processor.
  • Clause 7 (Docking clause): Applies.
  • Clause 9 (Use of sub-processors): Option 2 (general written authorisation). Minimum time period for prior notice of Sub-processor changes: 30 days.
  • Clause 11 (Redress): The optional language does not apply.
  • Clause 13 (Supervision): The competent supervisory authority shall be: (a) for data exporters established in an EU Member State, the supervisory authority of that Member State; (b) for data exporters not established in an EU Member State, the Úrad na ochranu osobných údajov Slovenskej republiky (Slovak Data Protection Authority).
  • Clause 17 (Governing law): The law of the Slovak Republic.
  • Clause 18 (Choice of forum and jurisdiction): The courts of the Slovak Republic (District Court Bratislava I).
  • Annex I: As set out in Annex 1 of this DPA.
  • Annex II: As set out in Annex 2 of this DPA.
  • Annex III: As set out in Annex 3 of this DPA.

Annex 5 – UK International Data Transfer Addendum

This Annex 5 incorporates by reference the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office under Section 119A(1) of the Data Protection Act 2018 ("UK Addendum"), Version B1.0, in force as of 21 March 2022.

The UK Addendum is available at: ico.org.uk.

For the purposes of the UK Addendum tables:

  • Table 1 (Parties): As set out in Annex 1, Section A of this DPA.
  • Table 2 (Selected SCCs, Modules, and Selected Clauses): The EU SCCs as set out in Annex 4 of this DPA, adopted pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  • Table 3 (Appendix information): As set out in Annexes 1, 2, and 3 of this DPA.
  • Table 4 (Ending the Addendum when the Approved Addendum changes): Neither the Importer nor the Exporter may end the UK Addendum under this provision. The UK Addendum terminates automatically upon termination of the Agreement.

In the event of any conflict between the UK Addendum and the SCCs for matters relating to UK personal data transfers, the UK Addendum shall prevail.


CodeCat s. r. o. (Mangools)
Obchodna 2
81106 Bratislava
Slovakia

info@mangools.com

Version 1.0 — Last Updated on May 25, 2026