DATA PROCESSING AGREEMENT
(DPA)
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Main Agreement") between:
SIA Pinflorist, registration no. 40 103 996 785, Siguldas prospekts 4, Rīga, LV-1014, Latvia ("Processor" or "Company").
The entity or individual using the Inwine Multiverse platform ("Controller" or "Client").

1. DEFINITIONS
"Personal Data" means any information relating to an identified or identifiable natural person (End-User) processed by the Company on behalf of the Client.
"GDPR" means the General Data Protection Regulation (EU) 2016/679.
"Sub-processor" means any third party appointed by the Processor to process Personal Data (e.g., hosting providers, payment gateways).

2. SUBJECT MATTER AND ROLES
Scope: The Processor provides a SaaS platform (Inwine Multiverse) for the Client to manage an online wine store.
Roles: The Client is the Data Controller (determines why and how data is collected); the Company is the Data Processor (processes data according to the Client’s instructions).
Duration: This DPA remains in effect as long as the Main Agreement is active.

3. OBLIGATIONS OF THE PROCESSOR
The Processor agrees to:
Processing Instructions: Process Personal Data only on documented instructions from the Client, including transfers of data to third countries.
Confidentiality: Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality.
Security Measures: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (e.g., encryption, firewalls).
Assistance: Assist the Client in responding to requests from End-Users exercising their rights (access, erasure, etc.) and in ensuring compliance with GDPR obligations regarding security and data breaches.

4. SUB-PROCESSING
The Client grants a general authorization to the Processor to engage Sub-processors (e.g., cloud infrastructure, email services).
The Processor shall remain fully liable to the Client for the performance of the Sub-processor's obligations.

5. DATA BREACH NOTIFICATION
In the event of a Personal Data breach, the Processor shall notify the Client without undue delay (typically within 48-72 hours) after becoming aware of the breach, providing sufficient information to allow the Client to meet its notification obligations under the GDPR.

6. AUDIT RIGHTS
The Processor shall make available to the Client all information necessary to demonstrate compliance with Article 28 of the GDPR and allow for and contribute to audits or inspections conducted by the Client or an auditor mandated by the Client.

7. RETURN OR DELETION OF DATA

Upon termination of the Main Agreement, the Processor shall, at the choice of the Client, delete or return all Personal Data to the Client, unless European Union or Member State law requires storage of the Personal Data.

8. ANNEX: DETAILS OF PROCESSING
Subject Matter: E-commerce services for wine retail via the Inwine Multiverse CMS.
Categories of Data Subjects: End-Users (customers) of the Client’s online store.
Types of Personal Data: Name, email, shipping address, phone number, purchase history, and age verification status.

Last Updated: March 16, 2026