DATA PROCESSING AGREEMENT
Revision: 6th of May 2021
This Data Processing Agreement (the “Data Processing Agreement“) governs Simplifai’s processing of personal data in the role of a data processor (“Processor“) on behalf of the Customer, who may act either in the role of a data controller or processor on behalf of an end customer. For the purposes of this Data Processing Agreement, the term (“Controller“) will be used for the Customer acting in either role as the case may be.
The Data Processing Agreement forms an integral part of the Agreement regarding the provision of Simplifai’s Software and/or appurtenant services. The nature of the Processor’s processing of personal data under this Data Processing Agreement is the collection, structuring, storage, retrieval and consultation, of personal data as necessary to fulfil its obligations under the Agreement.
The Processor shall only process personal data for the purpose of fulfilling the Agreement and in accordance with the Controller’s documented instructions and the applicable privacy laws and not disclose personal data to third parties unless it has been instructed to do so or where necessary to comply with applicable law.
The Processor may claim compensation for time spent and reasonable and documentable expenses incurred by the Processor as a result of new or amended documented instructions or routines from the Controller. The Processor shall only process personal data for as long as the Agreement and any agreed transfer assistance services last.
The Processor may use personal data for product improvement purposes in accordance with the Agreement, to the extent that this does not contravene the Controller’s documented instructions.
Terms in this Data Processing Agreement shall have the same meaning as in the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable privacy laws.
1.3 Scope of Processing
The Processor will process the personal data provided by the Customer through its use of the Software and/or the Processor’s appurtenant services in accordance with the Agreement. Such data may include but will not be limited to name, e-mail address, telephone number and traffic data belonging to the Customer’s employees, suppliers, partners and end-customers.
1.4 The Controller’s Obligations
The Controller owns the personal data and is responsible for the accuracy, integrity and reliability of the data and shall process these in accordance with applicable privacy laws and the requirements set out in this Data Processing Agreement.
The Controller is responsible for ensuring a lawful basis for its processing of personal data and for determining the purposes for and the means by which the Processor shall process personal data in accordance with this Data Processing Agreement.
The Controller shall ensure that any instructions provided to the Processor are in accordance with applicable law and that the Processor’s compliance with said instructions will not cause the Processor to violate applicable law or the rights of others.
The Controller warrants that it is entitled to transfer the personal data to the Processor and/or the Processor’s sub-processors within the EU/EEA in accordance with applicable privacy laws.
1.5 The Processor’s Obligations
The Processor is responsible for ensuring that anyone that processes personal data on its behalf is subject to a duty of confidentiality and only processes the personal data in connection with the fulfillment of the Agreement and in accordance with the documented instructions of the Controller, unless otherwise agreed or required by applicable law. The personal data shall only be made available to those of the Processor’s employees who require access to the personal data.
The Processor shall keep records of any processing activities carried out on behalf of the Controller.
The Processor shall provide the Controller with access to information necessary to demonstrate compliance with Article 28 of the GDPR.
The Processor shall implement all measures required under Article 32 of the GDPR taking into account the nature of the processing and the information available to the Processor and otherwise assist the Controller with its obligations pursuant to Article 32 to 36 of the GDPR and applicable privacy laws, including information security, personal data breach notifications, impact assessments and prior consultations with supervisory authorities. The Processor may claim compensation for time spent and reasonable and necessary expenses incurred as a result of such assistance.
The Processor shall, without undue delay, notify the Controller if the Processor is of the opinion that the Controller’s documented procedures or instructions are in violation of the applicable privacy laws.
At the request of the Controller, the Processor shall assist in safeguarding the rights of the data subjects as stipulated in Chapter 3 of the GDPR, insofar as possible and taking into account the nature of the processing. The Processor may claim compensation for time spent and reasonable and necessary expenses incurred as a result of such assistance.
1.6 Personal Data Breach
The Processor shall notify the Controller without undue delay if the Processor becomes aware of a personal data breach. The notification shall, as far as possible, contain the following information:
1. Description of the nature of the breach.
2. The categories and approximate number of data subjects and categories of personal data affected.
3. The name and contact information of the Data Processor.
4. A description of the likely consequences of the personal data breach.
5. A description of the measures taken or proposed to be taken in order to handle the personal data breach, including, where appropriate, measures to mitigate any adverse effects resulting from the breach.
If all information cannot be provided on the first notice, the information shall be given successively as soon as it is available.
In the event of a personal data breach, the Processor shall cooperate with the Controller in order to detect, mitigate and rectify the breach. The Controller is responsible for providing a notification of the breach to the supervisory authorities.
1.7 Sub-processing and Transfers
The Processor is entitled to use sub-processors to process personal data on behalf of the Controller.
The Processor shall ensure that all sub-processors are informed of and bound by similar requirements for information security, confidentiality, use and other requirements set forth in this Data Processing Agreement and applicable privacy laws.
If the Processor wishes to engage a new sub-processor, the Processor must notify the Controller of this at least two months before the sub-processor begins processing the personal data. The Controller may deny the use of such sub-processor only if the Controller has well-grounded doubts about the ability of the sub-processor to comply with the applicable privacy laws. If the Controller has not opposed the intended sub-processor within 21 days of the Processor’s notice, the sub-processor shall be deemed approved by the Controller. If the Controller opposes the use of the sub-processor, the Parties shall negotiate in good faith on how to resolve this issue. If the negotiations do not resolve the issue, the Processor may terminate the Agreement with reasonable notice.
The Processor shall not transfer personal data outside the EU/EEA or to countries other than those considered by the European Commission to have an adequate level of protection, unless such transfer is authorized by the Controller or the Processor is obligated to carry out the transfer in accordance with applicable law. If the Processor is obligated by law to transfer personal data, the Controller shall be informed of this to the extent permitted.
If the Controller has authorized the transfer of personal data to sub-processors located in countries outside the EU/EEA or other countries than the EU Commission has deemed to have an adequate level of protection, the transfer shall be carried out using the EU Standard Contractual Clauses (SCC). The Controller authorizes the Processor or its sub-processor to enter into EU Standard Contractual Clauses on behalf of the Controller.
The Controller authorises the use of the following sub-processors for processing of personal data as necessary for the Processor’s provision of the Software:
| Sub-processor | Description |
|---|---|
| Microsoft | Simplifai solutions are hosted on Microsoft Azure |
| Mr W. Borkowski | DevOps consultant located in Poland |
Personal data is stored in Microsoft’s data centres within the EU/EEA. However, Microsoft reserves the right to enable access to the personal data from a third country (i.e. a country outside the EU/EEA) in extraordinary support-related circumstances. Such access will only be used by Microsoft in order to recover or restore services in unexpected or unpredictable scenarios or where a Microsoft engineer accesses the Azure platform as part of troubleshooting and inadvertently gains access to the personal data. If access is required, Microsoft will utilise Standard Contractual Clauses as the mechanism for transfer. Rest assured that as the world’s leading cloud service provider, Microsoft employs best practice technical and organisational security measures such as data denial by default, access on an audited just-in-time (JIT) model, principle of least privilege, state of the art auditing and logging of access requests and MFA from secure consoles. For more information on how Microsoft secures personal data, please visit the following websites:
a) Microsoft EU Model clauses: https://docs.microsoft.com/en-us/compliance/regulatory/offering-eu-model-clauses
b) Online Services DPA: https://www.microsoftvolumelicensing.com/Downloader.aspx?DocumentId=18600
c) Azure encryption overview: https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-overview
The Processor remains fully liable to the Controller for the performance of the sub-processors’ obligations.
The Processor shall, as far as necessary to demonstrate compliance with the obligations under Article 28 of the GDPR, allow and assist the Controller or an independent third party appointed by the Controller to carry out audits, including inspections. Inspections shall take place within normal working hours, with reasonable prior notice and without interfering with the operations of the Processor. Audits shall not include information that is business sensitive or which concerns other customers and any third party must have signed a confidentiality agreement prior to commencing the audit.
The Controller shall cover its own costs in carrying out the audit and the Processor may claim compensation for time spent and necessary expenses incurred in connection with the audit.
Upon termination of the Data Processing Agreement, the Processor shall cease the processing of all personal data and, in accordance with the Controller’s documented instructions, return or destroy any data containing information covered by the Data Processing Agreement.
Upon request, the Processor will provide a written confirmation that the personal data has been returned and/or deleted in accordance with the Controller’s instructions and that it has not kept any copies of such data unless otherwise required by applicable law.
If the Controller requires the Processor to provide the personal data to a third party, the Processor may claim compensation for time spent and necessary expenses incurred as a result of such assistance.