Data Processing Agreement (DPA)

Last updated: December 18, 2025

This Data Processing Agreement ("DPA") is entered into between:

  • The "Customer" (acting as Data Controller), who has subscribed to the Pinitto services.
  • And Mnemoly Community S.R.L. (acting as Data Processor), the provider of the Pinitto platform.

This DPA is incorporated into our Terms of Service and applies to the processing of personal data on behalf of the Customer.

1. Definitions

Terms such as "Personal Data," "Data Controller," "Data Processor," and "Processing" shall have the meanings given to them in the EU General Data Protection Regulation (GDPR).

2. Subject Matter and Scope

  • Subject Matter: The provision of the Pinitto platform and services as described in the Terms of Service
  • Duration: This DPA is effective for the duration of the Customer's subscription to the Service
  • Purpose: The purpose of the processing is to enable the Customer to create and manage their private community space, including communication, resource sharing, and organization among its members
  • Categories of Data Subjects: The members and users of the Customer's community invited to use the Service
  • Types of Personal Data: Email addresses, names, user-generated content (posts, comments, wiki entries, carpool details, item listings), and technical data (IP addresses)

3. Obligations of the Processor (Pinitto)

Pinitto, as the Data Processor, agrees to:

  • Process Personal Data only on the documented instructions of the Customer (Controller)
  • Ensure that all personnel authorized to process Personal Data are bound by a duty of confidentiality
  • Implement and maintain appropriate technical and organizational measures to ensure the security of the Personal Data. These measures include end-to-end encryption for sensitive features like carpooling and discussions, and storing all Customer data at rest on servers located within the Federal Republic of Germany
  • Notify the Customer of any requests from data subjects to exercise their rights under GDPR and provide assistance to the Customer in fulfilling these requests
  • Notify the Customer without undue delay upon becoming aware of a personal data breach
  • Upon termination of the service, all Personal Data will be instantly and permanently deleted. No data export will be available post-termination
  • Make available to the Customer all information necessary to demonstrate compliance with GDPR and allow for and contribute to audits conducted by the Customer

4. Sub-processing

The Customer agrees that Pinitto may engage third-party sub-processors to provide the Service. Pinitto will maintain a list of its sub-processors and will inform the Customer of any intended changes concerning the addition or replacement of sub-processors. Pinitto confirms that all sub-processors are bound by data protection obligations equivalent to those in this DPA.

Our current sub-processors are:

  • Amazon Web Services (AWS): For hosting infrastructure and email services in Frankfurt, Germany
  • Paddle.com: As our Merchant of Record for payment and subscription processing
  • Cloudflare, Inc.: For spam and bot protection on registration pages
  • Google LLC: For AI-based spam and content moderation on contact form submissions

5. Governing Law

This DPA shall be governed by the laws of Romania and the European Union.