Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") governs the processing of personal data that Ruum carries out on behalf of the professional user when providing the Service, in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR). It forms part of the Terms and Conditions of Use and applies when the professional user enters into Ruum personal data of third parties (for example, their clients, collaborators or quote recipients).

Note: This DPA is a reasonable basis for the current phase. Before it is used with clients who formally require it, a legal review and express signature or acceptance are advisable.

1. Parties and roles

Controller: the professional user / company that uses the Service (hereinafter, "the Client").
Processor: Daniel Gil Alegre (Ruum), NIF/NIE 71364447R, Calle Ramón Menéndez Pidal 7, 09002 Burgos, privacy@ruum.es.

The Client determines the purposes and means of processing the data it enters; Ruum processes them only following its documented instructions (including those arising from use of the Service).

2. Subject matter, duration, nature and purpose

Subject matter: the provision of the Ruum Service (management of projects, quotes, clients, collaboration and associated features).
Duration: as long as the Client uses the Service, plus the subsequent retention or return/deletion periods.
Nature and purpose: hosting, storage, organisation, consultation, communication and other operations necessary to provide the Service.

3. Categories of data subjects and data

Data subjects: the Client's clients, collaborators, quote recipients, team members and other third parties whose data the Client enters.
Categories of data: identification and contact data, professional and company data, project and quote data, and any other data the Client decides to enter. The Client shall refrain from entering special categories of data (Art. 9 GDPR) unless there is a legitimate basis and Ruum is informed.

4. Ruum's obligations (processor)

Ruum undertakes to:

Process the data only following the documented instructions of the Client, unless required by law (in which case it will inform the Client, if permitted).
Ensure that the persons authorised to process the data have committed to confidentiality.
Apply appropriate technical and organisational security measures (see Security Policy).
Respect the conditions for engaging subprocessors (clause 5).
Assist the Client, as far as possible, in responding to data subjects' requests to exercise their rights.
Assist the Client in complying with its obligations regarding security, breach notification and impact assessments (Arts. 32 to 36 GDPR).
At the Client's choice, delete or return the data at the end of the provision, except where retention is required by law.
Make available to the Client the information necessary to demonstrate compliance and allow reasonable audits.
Inform the Client if, in its opinion, an instruction infringes data protection regulations.

5. Subprocessors

The Client generally authorises Ruum to engage the subprocessors listed in the Subprocessors Annex. Ruum will:

Impose on each subprocessor, by contract, protection obligations equivalent to those of this DPA.
Inform of material changes to subprocessors with reasonable advance notice, allowing the Client to object on reasonable grounds.
Be liable to the Client for the compliance of its subprocessors.

6. International transfers

When a subprocessor processes data outside the EEA, Ruum will ensure that the transfer is covered by a valid mechanism (adequacy decision, Data Privacy Framework or standard contractual clauses). See the Subprocessors Annex.

7. Security

Ruum will apply appropriate technical and organisational measures in accordance with Art. 32 of the GDPR, described in the Security Policy, including hashing of credentials, encryption in transit, access control and audit logs.

8. Notification of security breaches

Ruum will notify the Client, without undue delay, of any breach of the security of personal data processed on behalf of the Client of which it becomes aware, providing the information reasonably available so that the Client can comply with its notification obligations.

9. Return or deletion of data

At the end of the provision of the Service, and at the Client's choice, Ruum will delete or return the personal data, and delete existing copies, unless regulations require their retention. Backups will be deleted in accordance with their rotation cycle.

10. Liability

The liability of the parties arising from this DPA shall be governed by the provisions of the Terms and Conditions of Use and by applicable regulations.

11. Applicable law

This DPA is governed by Spanish law and by the GDPR. In the event of a conflict between this DPA and the Terms regarding the processing of data on behalf of the Client, this DPA shall prevail.

1. Parties and roles

Controller: the professional user / company that uses the Service (hereinafter, "the Client").

Processor: Daniel Gil Alegre (Ruum), NIF/NIE 71364447R, Calle Ramón Menéndez Pidal 7, 09002 Burgos, privacy@ruum.es.

The Client determines the purposes and means of processing the data it enters; Ruum processes them only following its documented instructions (including those arising from use of the Service).

2. Subject matter, duration, nature and purpose

Subject matter: the provision of the Ruum Service (management of projects, quotes, clients, collaboration and associated features).

Duration: as long as the Client uses the Service, plus the subsequent retention or return/deletion periods.

Nature and purpose: hosting, storage, organisation, consultation, communication and other operations necessary to provide the Service.

3. Categories of data subjects and data

Data subjects: the Client's clients, collaborators, quote recipients, team members and other third parties whose data the Client enters.

Categories of data: identification and contact data, professional and company data, project and quote data, and any other data the Client decides to enter. The Client shall refrain from entering special categories of data (Art. 9 GDPR) unless there is a legitimate basis and Ruum is informed.

4. Ruum's obligations (processor)

Ruum undertakes to:

Process the data only following the documented instructions of the Client, unless required by law (in which case it will inform the Client, if permitted).

Ensure that the persons authorised to process the data have committed to confidentiality.

Apply appropriate technical and organisational security measures (see Security Policy).

Respect the conditions for engaging subprocessors (clause 5).

Assist the Client, as far as possible, in responding to data subjects' requests to exercise their rights.

Assist the Client in complying with its obligations regarding security, breach notification and impact assessments (Arts. 32 to 36 GDPR).

At the Client's choice, delete or return the data at the end of the provision, except where retention is required by law.

Make available to the Client the information necessary to demonstrate compliance and allow reasonable audits.

Inform the Client if, in its opinion, an instruction infringes data protection regulations.

5. Subprocessors

The Client generally authorises Ruum to engage the subprocessors listed in the Subprocessors Annex. Ruum will:

Impose on each subprocessor, by contract, protection obligations equivalent to those of this DPA.

Inform of material changes to subprocessors with reasonable advance notice, allowing the Client to object on reasonable grounds.

Be liable to the Client for the compliance of its subprocessors.