DATA PROCESSING AGREEMENT

Revision: 5th of June 2023

1.1 General

This Data Processing Agreement (the “Data Processing Agreement“) governs Simplifai’s processing of personal data in the role of a data processor (“Processor“) on behalf of the Customer, who may act either in the role of a data controller or processor on behalf of an end customer. For the purposes of this Data Processing Agreement, the term (“Controller“) will be used for the Customer acting in either role as the case may be.

The Data Processing Agreement forms an integral part of the Agreement regarding the provision of Simplifai’s Software and/or appurtenant services. The nature of the Processor’s processing of personal data under this Data Processing Agreement is the collection, structuring, storage, retrieval and consultation, of personal data as necessary to fulfil its obligations under the Agreement.

The Processor will process the personal data made available by the Controller and solely for the purpose of fulfilling the Agreement and in accordance with the Controller’s documented instructions and the applicable privacy laws. The Processor shall not disclose personal data to third parties, unless it has been instructed to do so or where necessary to comply with applicable law.

The Processor may claim compensation for time spent and reasonable and documentable expenses incurred by the Processor as a result of new or amended documented instructions or routines from the Controller. The Processor shall only process personal data for as long as the Agreement and any agreed transfer assistance services last.

The Processor may use personal data for product improvement purposes in accordance with the Agreement, to the extent that this does not contravene the Controller’s documented instructions.

1.2 Definitions

Terms in this Data Processing Agreement shall have the same meaning as in the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable privacy laws.

1.3 Scope of Processing

The Processor will process the personal data provided by the Customer through its use of the Software and/or the Processor’s appurtenant services in accordance with the Agreement. Such data may include but will not be limited to name, e-mail address, telephone number and traffic data belonging to the Customer’s employees, suppliers, partners and end-customers.

1.4 The Controller’s Obligations

The Controller owns the personal data and is responsible for the accuracy, integrity and reliability of the data and shall process these in accordance with applicable privacy laws and the requirements set out in this Data Processing Agreement.

The Controller is responsible for ensuring a lawful basis for its processing of personal data and for determining the purposes for and the means by which the Processor shall process personal data in accordance with this Data Processing Agreement.

The Controller shall ensure that any instructions provided to the Processor are in accordance with applicable law and that the Processor’s compliance with said instructions will not cause the Processor to violate applicable law or the rights of others.

The Controller warrants that it is entitled to transfer the personal data to the Processor and/or the Processor’s sub-processors within the EU/EEA in accordance with applicable privacy laws.

1.5 The Processor’s Obligations

The Processor is responsible for ensuring that anyone that processes personal data on its behalf is subject to a duty of confidentiality and only processes the personal data in connection with the fulfillment of the Agreement and in accordance with the documented instructions of the Controller, unless otherwise agreed or required by applicable law. The personal data shall only be made available to those of the Processor’s employees who require access to the personal data.

The Processor shall keep records of any processing activities carried out on behalf of the Controller.

The Processor shall provide the Controller with access to information necessary to demonstrate compliance with Article 28 of the GDPR.

The Processor shall implement all measures required under Article 32 of the GDPR taking into account the nature of the processing and the information available to the Processor and otherwise assist the Controller with its obligations pursuant to Article 32 to 36 of the GDPR and applicable privacy laws, including information security, personal data breach notifications, impact assessments and prior consultations with supervisory authorities. The Processor may claim compensation for time spent and reasonable and necessary expenses incurred as a result of such assistance.

The Processor shall, without undue delay, notify the Controller if the Processor is of the opinion that the Controller’s documented procedures or instructions are in violation of the applicable privacy laws.

At the request of the Controller, the Processor shall assist in the and in safeguarding the rights of the data subjects as stipulated in Chapter 3 of the GDPR, insofar as possible and taking into account the nature of the processing. The Processor may claim compensation for time spent and reasonable and necessary expenses incurred as a result of such assistance.

1.6 Personal Data Breach

The Processor shall notify the Controller without undue delay if the Processor becomes aware of a personal data breach. The notification shall, as far as possible, contain the following information:

  1. Description of the nature of the breach.
  2. The categories and approximate number of data subjects and categories of personal data affected.
  3. The name and contact information of the Processor.
  4. A description of the likely consequences of the personal data breach.
  5. A description of the measures taken or proposed to be taken in order to handle the personal data breach, including, where appropriate, measures to mitigate any adverse effects resulting from the breach.

If all information cannot be provided on the first notice, the information shall be given successively as soon as it is available.

In the event of a personal data breach, the Processor shall cooperate with the Controller in order to detect, mitigate and rectify the breach. The Controller is responsible for providing a notification of the breach to the supervisory authorities.

1.7 Sub-processing and Transfers

The Processor is entitled to use sub-processors to process personal data on behalf of the Controller.

The Processor shall ensure that all sub-processors are informed of and bound by similar requirements for information security, confidentiality, use and other requirements set forth in this Data Processing Agreement and applicable privacy laws.

If the Processor wishes to engage a new sub-processor, the Processor must notify the Controller of this at least two months before the sub-processor begins processing the personal data. The Controller may deny the use of such sub-processor only if the Controller has well-grounded doubts about the ability of the sub-processor to comply with the applicable privacy laws. If the Controller has not opposed the intended sub-processor within 21 days of the Processor’s notice, the sub-processor shall be deemed approved by the Controller.

Notwithstanding the above, the Controller acknowledges that the Processor may need to engage a sub-processor within a short period of time in order to deal with an unforeseen emergency, in which case the Processor shall provide the Controller with immediate notice of the identity of the sub-processor, the emergency and the extent of assistance/sub-processing required to deal with the emergency.

If the Controller opposes the use of a sub-processor, the Parties shall negotiate in good faith on how to resolve this issue. If the negotiations do not resolve the issue, the Processor may terminate the Agreement with reasonable notice as its sole remedy.

The Processor shall not transfer personal data outside the EU/EEA or to countries other than those considered by the European Commission to have an adequate level of protection, unless such transfer is authorized by the Controller or the Processor is obligated to carry out the transfer in accordance with applicable law. If the Processor is obligated by law to transfer personal data, the Controller shall be informed of this to the extent permitted.

If the Controller has authorized the transfer of personal data to sub-processors located in countries outside the EU/EEA or other countries than the EU Commission has deemed to have an adequate level of protection, the transfer shall be carried out using the EU Standard Contractual Clauses (SCC). The Controller authorizes the Processor or its sub-processor to enter into EU Standard Contractual Clauses on behalf of the Controller.

The Controller authorises the use of the following sub-processors for processing of personal data as necessary for the Processor’s provision of the Software:

Document
Name Processing Location
Microsoft Ireland Operations Limited Simplifai solutions are hosted on Microsoft Azure EU/EEA or India
DevOps Solutions Wlodzimierz Borkowski DevOps consultant located in Poland EU/EEA

Personal data will be stored at the Microsoft data centre location selected by the Controller. If the Controller has not chosen a location or such choice is or subsequently becomes unavailable for whatever reason, personal data will be stored at a data centre within the EU/EEA.

As with the use of other Microsoft products such as Microsoft 365, Microsoft reserves the right to enable access to the personal data stored on its Azure platform from countries outside of the data center region in which the data is stored (e.g. a country outside the EU/EEA) in extraordinary circumstances, hereunder as necessary to:

  • detect and protect customers against security threats;
  • operate, troubleshoot, and secure the Azure platform; and
  • reduce routing latency and maintain routing resiliency.

If access is required, Microsoft will utilise Standard Contractual Clauses as the mechanism for transfer. Rest assured that as the world’s leading cloud service provider, Microsoft employs best practice technical and organisational security measures such as data denial by default, access on an audited just-in-time (JIT) model, principle of least privilege, state of the art auditing and logging of access requests and MFA from secure consoles. Further information on how Microsoft secures personal data is available from the Processor upon request.

The Processor remains fully liable to the Controller for the performance of the sub-processors’ obligations.

1.8 Audits

The Processor shall, as far as necessary to demonstrate compliance with the obligations under Article 28 of the GDPR, allow and assist the Controller or an independent third party appointed by the Controller to carry out audits, including inspections. Inspections shall take place within normal working hours, with reasonable prior notice and without interfering with the operations of the Processor. Audits shall not include information that is business sensitive or which concerns other customers and any third party must have signed a confidentiality agreement prior to commencing the audit.

The Controller shall cover its own costs in carrying out the audit and the Processor may claim compensation for time spent and necessary expenses incurred in connection with the audit.

1.9 Termination

Upon termination of the Data Processing Agreement, the Processor shall cease the processing of all personal data and, in accordance with the Controller’s documented instructions, return or destroy any data containing information covered by the Data Processing Agreement.

Upon request, the Processor will provide a written confirmation that the personal data has been returned and/or deleted in accordance with the Controller’s instructions and that it has not kept any copies of such data unless otherwise required by applicable law.

If the Controller requires the Processor to provide the personal data to a third party, the Processor may claim compensation for time spent and necessary expenses incurred as a result of such assistance.