Registru Companii

HomeSearchRankingsInsolvencyNew companiesPricingBlogAbout
Sign inCreate account
ROEN

Legal

Terms and conditionsPrivacyCookiesDPACompany details

Data Processing Agreement (DPA)

Last updated: 14 July 2026 · Version 3.0

This document describes standard terms for Registru Companii to process personal data on a customer's behalf only where the parties genuinely have the controller and processor roles described by GDPR Article 28.

A paid plan does not automatically turn every processing activity into a controller-processor relationship. The scope, instructions, providers, and method of accepting the DPA must be confirmed in the relevant contract.

1. Parties

  • Controller: the customer that determines the purposes and means of personal-data processing carried out on its behalf.
  • Processor, only for the agreed scope: TMTRG S.R.L., whose registered office is at JUD. TIMIŞ, MUN. TIMIŞOARA, BLD. 3 AUGUST 1919, NR.9, CAMERA 1, AP.2C, România, Trade Register number J2026037309006, CUI 54845632.

2. Scope and duration

The DPA applies only if it is incorporated into the contractual relationship and only to operations where the Platform processes documented personal data on the customer's behalf.

For account administration, billing, its own security, and aggregation of public registers, Registru Companii may act as an independent controller. Those activities do not become processing on the customer's behalf merely because the customer has a subscription.

The duration follows the relevant service and documented instructions, except for duties that continue by law or by their nature.

3. Nature and categories of processing

ElementDescription
NatureHosting, organizing, consulting, transmitting, exporting, and deleting data only as needed for the contracted feature.
PurposeProviding the search, monitoring, list, export, or integration function agreed with the customer.
Data subjectsThe customer's authorized users and, if the documented scope requires, people named in sources or selections made by the customer.
Data categoriesAccount identifiers, technical data, selections, and outputs from the functions used. The exact list must be documented for the contracted service.

The Platform does not ask the customer to intentionally submit special-category data. The customer must not enter it without a lawful basis and a written agreement describing the required safeguards.

4. Processor obligations

For processing within the confirmed scope, the processor:

  • processes data only on documented instructions, unless a contrary legal requirement applies;
  • limits access to authorized people bound by confidentiality;
  • applies technical and organizational measures proportionate to the risk and the real implementation;
  • uses subprocessors under the agreed conditions and GDPR Article 28;
  • provides reasonable assistance with data-subject requests, taking account of the nature of processing;
  • provides reasonable assistance with security, assessment, and notification duties applying to the scope;
  • at termination, deletes or returns in-scope data under the agreed choice and available mechanism, except where law requires retention;
  • provides information reasonably needed to demonstrate compliance.

If an instruction appears unlawful, the processor informs the customer and may pause it until the issue is clarified.

5. Subprocessors and providers

General or specific authorization and the notification mechanism must be set in the applicable contract.

A named inventory must record each provider's role, processing location, and applicable safeguards and be available to the customer in the agreed form.

Changes are communicated with reasonable notice where the contract or law requires. We do not publish a fixed period unsupported by the operational process.

  • infrastructure and hosting;
  • transactional email;
  • payment and invoicing, including Stripe and FGO to the extent they act for the relevant scope;
  • monitoring and error reporting, including Sentry;
  • security or browser services, including Cloudflare and Google services depending on the feature and role.

We do not state that all providers are in the EU or that each automatically acts as a subprocessor. Their classification and Article 28 contracts require legal review.

6. International transfers

If data within the DPA scope is accessed or transferred outside the EEA, the parties identify the relevant roles and transfer mechanism.

Where required, an adequacy decision, Standard Contractual Clauses, or another GDPR Chapter V mechanism is used. Exclusive EU hosting is not promised without confirmation from the provider inventory.

7. Technical and organizational measures

Verified measures for the current service include:

  • Argon2id password hashes and TOTP secrets encrypted with Fernet;
  • an HttpOnly, SameSite=Lax session cookie that is Secure in production, together with CSRF protection;
  • role-based access controls and rate limits on relevant flows;
  • audit logs for administrative actions and operational error monitoring.

The list is not an absolute guarantee and does not make unverified promises about EU hosting, a particular backup frequency, a fixed TLS version, testing on a fixed schedule, or training at a particular cadence.

8. Security incidents

The processor informs the Controller without undue delay after becoming aware of a personal-data breach within the confirmed scope and provides available information needed for assessment.

The Controller remains responsible for its own legal assessment and notifications, including the GDPR 72-hour deadline to the supervisory authority where it applies. This document does not invent an identical contractual deadline from processor to controller.

9. Information and audit

The processor provides reasonable documentation about measures and providers relevant to the agreed scope.

An audit is coordinated to protect security, confidentiality, and other customers' data. Scope, notice, format, auditor, and costs are set by contract or mutual agreement.

This version does not promise an unlimited audit right, fixed notice period, or fixed cost allocation pending commercial and legal validation.

10. Data-subject requests

The processor provides reasonable assistance with access, rectification, erasure, restriction, portability, and objection within the available functions and information.

If it directly receives a request about data controlled by the customer, it forwards the request to the customer unless law or a valid instruction requires a direct response.

11. Liability

Contractual liability follows the main contract and mandatory rules. Liability to data subjects follows GDPR Article 82 and other applicable provisions.

12. Termination and deletion

For data processed solely on the customer's behalf, return or deletion follows the documented choice and mechanism, except for retention required by law.

For the user's own account, account deletion and loss of access are immediate, and any active Stripe subscription is cancelled immediately.

Necessary invoices and fiscal records may be retained in the form required by law, with the link to the active profile removed or pseudonymized where permitted.

Public-register data for which Registru Companii acts as an independent controller is not automatically deleted when the customer's account closes.

13. Governing law

Governing law and jurisdiction follow the main contract without limiting mandatory GDPR rules or data-subject rights.

14. Contact

Use the address below to confirm the scope, request the provider list, or discuss a signed DPA.

[email protected]

This is a standard form conditional on the real roles and its incorporation into a contract. Controller/processor classification, the subprocessor list, transfers, audit terms, and measures must be validated by counsel or a DPO before signature.

Registru Companii

Romanian company intelligence in one place: financials, court cases, public procurement and tax checks.

© 2026 Registru Companii

ANPC - Romanian Alternative Dispute ResolutionEU consumer redress information

Product

Company searchInsolvencyNew companiesPricingBlogService status

Legal

Terms and conditionsPrivacyCookiesDPACompany details