
Data Processing Addendum

Dorik Data Processing Addendum



Effective date: June 2, 2023
Last modified date: June 2, 2023

Introduction and Scope



This Data Processing Addendum ("DPA") forms part of the Agreement between Dorik and Customer. When Customer is subject to applicable Data Protection Laws, this DPA governs the processing of personal data.

To execute a signed version of this Data Processing Addendum, please contact support@dorik.com to receive our pre-signed DPA document.

1. Definitions



Terms used but not defined in this DPA have the meanings given in the Agreement:

"Affiliate" refers to an entity that controls, is controlled by, or shares common control with a party, where "control" means majority ownership or management authority.

"Agreement" refers to the service contract governing Customer's access to and use of the Platform, which may include Dorik's Terms of Service, a Master Subscription Agreement, or another Platform subscription agreement between Dorik and Customer.

"Authorized Affiliate" means Customer Affiliates that are subject to Data Protection Laws, permitted to use the Platform under the Agreement, and have not entered separate Agreements with Dorik.

"Controller" means the entity determining the purposes and means for Processing Personal Information.

"Customer" refers to the entity and its Authorized Affiliates bound by the Agreement and this DPA.

"Customer Personal Information" encompasses all Personal Information, excluding Customer Relationship Data, provided to Dorik by or on behalf of Customer.

"Customer Relationship Data" means Personal Information related to Customer's business relationship with Dorik, including contact information, billing details, and customer relationship management information.

"Customer Workforce" refers to individuals engaged by Customer with Platform access via user accounts.

"Data Breach" means a security incident resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Customer Personal Information.

"Data Protection Laws" encompasses all laws and regulations applicable to Dorik's Processing of Personal Information under the Agreement.

"Data Subject" refers to an individual whose Personal Information is subject to Data Protection Laws.

"EEA" means the European Economic Area.

"End User" refers to individuals accessing or using Website Content.

"EU Standard Contractual Clauses" or "EU SCCs" means the standard contractual clauses adopted by the European Commission for international data transfers under GDPR.

"GDPR" refers to Regulation (EU) 2016/679 of the European Parliament and Council concerning personal data protection.

"Personal Information" means any information relating to an identified or identifiable individual.

"Platform" refers to Dorik's software-as-a-service platform and related web design technology products and services subscribed to by Customer.

"Processing" means any operation performed on Personal Information, whether by automated means or otherwise.

"Processor" means an entity Processing Personal Information on behalf of a Controller.

"Regulator" means any supervisory authority with jurisdiction under Data Protection Laws.

"Subprocessor" means any Processor engaged by Dorik to Process Customer Personal Information.

"UK International Data Transfer Agreement" refers to the international data transfer addendum issued by the UK Information Commissioner's Office.

"Website Content" refers to content that Customer makes available via the Platform.

2. Roles and Responsibilities



2.1 Dorik as Processor



For Customer Personal Information, Customer may act as either Controller or Processor, while Dorik acts as a Processor. Dorik will process this information according to Customer's instructions as outlined in Section 3.1.

2.2 Dorik as Controller



For Customer Relationship Data, Dorik functions as an independent Controller. Dorik processes this data to:

Manage the Customer relationship
Conduct core business operations (accounting, taxes, etc.)
Detect, prevent, or investigate security issues or platform misuse
Comply with applicable laws
As otherwise permitted under Data Protection Laws and in accordance with this DPA, the Agreement, and Dorik's Privacy Policy

3. Instruction Framework and Compliance



3.1 Customer Instructions



Customer directs Dorik to Process Customer Personal Information as necessary to provide the Platform. Customer warrants that its instructions comply with Data Protection Laws.

3.2 Data Subject Request Management



Customer bears primary responsibility for addressing requests from Data Subjects and communications from Regulators. When assistance is required, Customer shall promptly notify Dorik in writing.



Customer affirms that all Personal Information collection will comply with Data Protection Laws, including necessary consents, valid processing bases, and required authorizations. Upon request, Customer shall provide compliance documentation.

4. Dorik's Processing Obligations



4.1 Processing Boundaries



Dorik will Process Personal Information solely according to Customer's documented instructions as necessary for Platform provision, except when otherwise required by law.

4.2 Instruction Assessment



If Dorik determines that a Customer instruction might violate Data Protection Laws, Dorik shall promptly inform Customer. When legal requirements necessitate modified Processing, Dorik shall inform Customer before implementation unless prohibited by law.

4.3 Personnel Management



Dorik will restrict Personal Information access to personnel with legitimate business needs. All authorized personnel are bound by appropriate confidentiality commitments.

4.4 Security Implementation



Dorik shall implement appropriate technical and organizational security measures as detailed in Appendix B: Security Measures.

4.5 Breach Response



In the event of a confirmed Data Breach, Dorik shall notify Customer without undue delay.

4.6 Compliance Support



Taking into account the nature of Processing, Dorik will provide reasonable assistance to Customer in meeting its obligations under GDPR and other Data Protection Laws.

4.7 Data Return or Deletion



Upon Agreement termination, Dorik shall, at Customer's election, delete or return all Customer Personal Information unless retention is legally required.

4.8 Third-Party Disclosure Limitations



Dorik will not disclose Customer Personal Information to third parties without Customer's consent, except as permitted in this DPA. For government authority requests, Dorik will provide advance notice when legally permissible.

5. Data Subject Request Handling



5.1 Request Notification



Dorik shall promptly notify Customer upon receiving any Data Subject request and shall not respond without Customer authorization.

5.2 Request Support



Dorik shall provide reasonable assistance to help Customer fulfill its obligations to respond to Data Subject rights requests under Data Protection Laws.

6. Subprocessor Management



6.1 Authorization Framework



Customer hereby authorizes Dorik to engage Subprocessors for Customer Personal Information Processing. Current Subprocessors are listed at Dorik Subprocessors.

6.2 Notification System



Customer must register at the URL provided in 6.1 to receive notifications about new Subprocessors. Customer may object to any new Subprocessor within fifteen (15) calendar days of notification.

6.3 Objection Process



Upon receiving an objection, Dorik will make reasonable efforts to modify the Platform or recommend alternative approaches to avoid Processing by the contested Subprocessor.

6.4 Termination Option



If Dorik cannot provide a viable alternative, Customer may terminate its Platform subscription with payment of outstanding fees for services rendered.

6.5 Subprocessor Oversight



Dorik shall impose data protection obligations on all Subprocessors that are at least as protective as those in this DPA. Dorik remains fully liable for Subprocessor compliance failures.

7. Verification and Audit Provisions



7.1 Compliance Documentation



Dorik will maintain Processing records and provide Customer with information necessary to verify DPA compliance.

7.2 Information Scope



Dorik may limit information disclosure to competitors, provided such limitation does not violate Data Protection Laws. Customer's inspection rights exclude employee records, personnel files, and third-party information.

7.3 Audit Execution



Subject to thirty (30) days' notice and at Customer's expense, the parties shall mutually select a non-competitor third-party auditor to verify Dorik's compliance.

7.4 Audit Frequency



Customer may exercise this audit right once per twelve-month period. On-site audits require Regulator mandate.

7.5 Confidentiality Requirements



All audit information shall be treated as Dorik's Confidential Information. The third-party auditor may only disclose specific violations and their factual basis.

8. Cross-Border Data Transfers



8.1 Transfer Framework



For transfers from the EEA, UK, or Switzerland to countries not recognized as providing adequate protection, Customer acknowledges and instructs Dorik to transfer Personal Information as detailed in Appendix C: Cross-Border Transfer Mechanisms.

8.2 Standard Contractual Clauses



By entering this DPA, the parties execute applicable Standard Contractual Clauses and/or UK International Data Transfer Agreement as appropriate.

9. Jurisdiction-Specific Requirements



To the extent Dorik processes Customer Personal Information from jurisdictions with specific requirements (detailed in Appendix D: Jurisdiction-Specific Terms), those additional terms shall apply.



10.1 Post-Termination Obligations



Obligations that should reasonably survive shall continue beyond DPA termination or expiration.

10.2 Liability Limitations



This DPA is subject to the liability limitations in the Agreement, applied in aggregate for all claims.

10.3 Severability



Any unenforceable provision shall be ineffective only in the relevant jurisdiction without invalidating remaining provisions. The parties shall cooperate to find enforceable substitutes.

10.4 Updates Process



Dorik may update this DPA periodically. Material changes will be communicated with reasonable advance notice before taking effect. Customer's continued Platform use after the effective date constitutes acceptance of updated terms.

11. Governing Framework and Priority



This DPA, including all appendices, constitutes the complete agreement regarding Personal Information Processing. In case of conflict between this DPA and the Agreement, this DPA prevails regarding Personal Information Processing.

Appendix A: Processing Details



A.1 Parties Information



Data exporter (Controller/Customer):

Name: Customer, Platform user
Contact Details: As specified in the Agreement
Activities: Platform utilization
Role: Controller or Processor depending on the context

Data importer (Processor/Dorik):

Name: Dorik, Inc.
Address: 44-45 Bashundhara, Roynagar Rajbari, Sylhet 3100, Bangladesh
Mailing Address: 600 North Broad Street Ste 5 PMB 2145, MIDDLETOWN, DE 19709, United States
Contact: Mizanur Rahman, CEO, mizan@dorik.com
Activities: Platform provision
Role: Processor or Controller depending on the context

A.2 Processing Categories



Data Subjects:

Dorik Users/Customers
Visitors to Dorik's website
Registered users on customers' websites
Visitors to customers' websites

Personal Data Types:

For Dorik Users/Customers: name, email address, password, country (optional)
For Visitors to Dorik's website: device information, country, browser type, referrer website information
For Registered users on customers' websites (where membership features are used): name, email address
For Visitors to customers' websites: device information, country, browser type, referrer website information
Usage data including interface interactions, browser details, system information, and IP addresses

Sensitive Data:

None for Dorik direct customers and website visitors
Customer's end users may submit special categories of Personal Information through the Platform as determined by Customer

Processing Frequency:

Continuous

Processing Purpose:

Platform service provision as described in the Agreement
Specific processing activities determined by Customer (typically including collection, storage, retrieval, display, and deletion)

Retention Period:

For Customer Relationship Data: Duration of the Agreement plus retention necessary for legal compliance
For Customer Personal Information: Duration of the Agreement, with deletion upon termination unless legally prohibited

Supervisory Authority:

Ireland's Data Protection Commissioner

Appendix B: Security Measures



Dorik implements the following security measures to protect Personal Information:

Physical Infrastructure Security

AWS ISO 27001 certified data centers across multiple regions
DigitalOcean SOC 2 Type II and SOC 3 Type II certified infrastructure for additional hosting
Database servers isolated in virtual private networks
Multi-factor authentication for production access
Comprehensive access logging with immediate revocation capabilities

Data Protection Systems

Data mirroring to redundant secondary databases
Daily backups across multiple availability zones
Encryption at rest using AWS EBS encryption

Application Security

Password encryption using secure algorithms
HTTPS implementation with modern security configurations
Brute-force attack prevention
Two-factor authentication for administrative functions
JWT authentication with the RS256 algorithm
Rigorous code review process

Personnel Controls

Mandatory two-factor authentication for all employees
Strict data access limitations based on business need
Background screening for personnel with Personal Data access
Regular security awareness training
Ethical conduct requirements

Technical Infrastructure

Malware detection and remediation processes
End-to-end encryption for data in transit and at rest
Business continuity planning
Change management procedures
Advanced network security
Security event logging
Customer data segregation

Incident Management

Documented response procedures
24-hour controller notification commitment

Customer Assistance

Dedicated privacy team (contact: privacy@dorik.com)
Customer notification systems for disclosure requests

Appendix C: Cross-Border Transfer Mechanisms



C.1 Transfer Mechanism Priority



When multiple mechanisms apply, transfers will follow this precedence:

1. EU-U.S. and Swiss-U.S. Data Privacy Framework (when Dorik is certified)
2. EU Standard Contractual Clauses
3. UK International Data Transfer Agreement
4. Swiss-specific transfer provisions
5. Other lawful mechanisms under Data Protection Laws

C.2 EU Standard Contractual Clauses Implementation



For EEA or Swiss transfers to non-adequate countries, the EU SCCs apply as follows:

Module Selection:

Module One (Controller to Controller): For Customer Relationship Data
Module Two (Controller to Processor): When Customer is Controller and Dorik processes Customer Personal Information
Module Three (Processor to Processor): When Customer is Processor and Dorik processes Customer Personal Information

Module Configuration:

Clause 7: Docking clause not applied
Clause 9: Option 2 applies with notification period from Section 6
Clause 11: Optional language not applied
Clause 17: Irish law governs
Clause 18: Irish courts have jurisdiction
Annexes: Appendix A serves as Annex I; Appendix B serves as Annex II

C.3 UK Transfers



For UK transfers to non-adequate countries, the UK International Data Transfer Agreement applies as detailed in Appendix E.

C.4 Swiss Transfers



For Swiss transfers to non-adequate countries, the EU SCCs apply with these modifications:

Swiss Federal Data Protection Commissioner is the competent authority
Swiss law governs the clauses
Swiss courts have jurisdiction
Swiss Data Subjects maintain rights in their place of residence
FADP provisions apply alongside GDPR references

Appendix D: Jurisdiction-Specific Terms



D.1 Switzerland



"Data Protection Law" includes the Swiss Federal Act on Data Protection, as revised.

D.2 United Kingdom



GDPR references include corresponding UK laws (UK GDPR and Data Protection Act 2018).

Appendix E: UK Data Transfer Agreement



If applicable, this UK International Data Transfer Agreement provides Appropriate Safeguards for Restricted Transfers when entered as a legally binding contract.

Parties Information:

Start date: Agreement Effective Date
Exporter: Customer
Importer: Dorik, Inc.
Importer Address: 44-45 Bashundhara, Roynagar Rajbari, Sylhet 3100, Bangladesh
Key contacts: As specified in the Agreement and privacy@dorik.com

Agreement Components:

Appendix Information sources:
Annex 1A (Parties): As specified in the Agreement
Annex 1B (Transfer Description): As specified in Appendix A
Annex II (Security Measures): As specified in Appendix B
Annex III (Subprocessors): Available at Dorik Subprocessors

Termination Rights: Both Importer and Exporter may terminate this Addendum under the conditions specified in Section 19 of the UK International Data Transfer Agreement.

Mandatory Clauses: Part 2 Mandatory Clauses of the Approved Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of the UK IDTA, shall apply.

Updated on: 03/04/2025
