Data Processing Agreement

1. REPS AND WARRANTIES

The Processor represents, warrants and covenants that:

• the privacy, security and data handling practices adopted and maintained by the Processor shall be in effect and consistently applied as long as the Processor provides the services in connection with, or otherwise retains, personal data for or on behalf of the Controller; and
• the Processor shall promptly notify the Controller in writing with at least fifteen (15) business days prior to any material change in the Processor’s privacy, security, or data handling practices.

2. ACTING UPON INSTRUCTIONS

The Processor, acting on behalf of the Controller regarding the processing of personal data, agrees to operate solely based on the Controller's instructions.

The Processor and any other person acting under its authority who has access to personal data, shall process those data solely according to the instructions received from the Controller, solely for the purpose of performing the Agreement, and not for any other purpose, or in any other manner, unless required to do so by the applicable laws. The Processor will implement all the necessary measures in this respect.

The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes GDPR or other internal or European Union data protection legal provisions.

This document reflects the instructions from the Controller. The Controller can also give subsequent instructions throughout the duration of the processing of personal data, but such instructions shall always be documented and kept in writing, including electronically.

The instructions should include at least the following details regarding the processing, which can be completed and adjusted on a case-by-case basis:

• subject-matter: Performance by the Processor of the services or delivery of the Services covered by the Legal Terms;
• duration of the processing: Personal Data will be stored only as long as necessary for the performance of the services under the Legal Terms and for as long as the Controller is subject to the Legal Terms, unless there are deletion or return instructions from the Controller;
• nature and purpose of processing: Carrying out the necessary processing operations with regard to Personal Data in order to achieve the purposes pursued by the execution of the services under the Legal Terms;
• type of personal data: The personal data processed on the content of the recordings that are captured via the Services or uploaded by the Controller. The content of the recording is linked to the purpose of the meeting/dialogue, which is in complete control of the Controller, Controller staff or affiliates using the Services provided by the Processor. Email addresses and calendar schedules may be processed if the Controller chooses to integrate the Services with calendar apps.
• categories of data subjects: Individuals attending calls/meetings, or individuals whose data may be included in the recordings uploaded by the Controller.

When the Processor must process personal data to which it has access in its role as Controller’s data processor, due to a legal obligation imposed on the Processor, it shall promptly inform the Controller of that legal requirement before processing, unless such disclosure is prohibited by law for significant reasons of public interest.

3. ACCESS RIGHTS OF PERSONNEL

The Processor shall designate the persons who will process the personal data in the context of this Agreement, as well as the persons specialized in information security in order to ensure the processing of personal data, including the accurate functioning of used information systems.

Such persons (i) shall act under the Processor’s authority, (ii) must have committed themselves to confidentiality obligation or must be under an appropriate statutory obligation of confidentiality and (iii) shall access or otherwise process the personal data in the context of this Agreement only on a need to know basis. The Processor is required to update at the occurence of every change and keep under periodic review the list of persons to whom the access has been granted. On the basis of such review, such access to personal data can be withdrawn, if access is no longer necessary, and personal data shall consequently not be accessible anymore to those persons.

The Processor shall at the request of the Controller demonstrate that the said persons under the Processor’s authority (i) are subject to the aforementioned confidentiality obligation and (ii) have been adequately and timely subjected to training sessions regarding processing of data.

4. SECURITY MEASURES

The Processor applies and keeps constantly updated appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, as well as against any other form of illegal processing.

The Processor represents and warrants that it shall implement and maintain reasonable administrative, technical and physical safeguards, and other security measures proportionate with the type of personal data being processed by the Processor for or on behalf of the Controller and the risk of a personal data breach.

5. DATA BREACH

In case of a personal data breach affecting personal data processed for or on behalf of Controller, the Processor shall take all necessary and appropriate corrective actions and shall cooperate with the Controller.

The Processor shall provide to the Controller a prompt written notice of any personal data breach affecting personal data processed by the Processor for or on behalf of the Controller, no later than 48 hours following the occurrence of such personal data breach.

Such notice shall summarize in reasonable detail (i) the nature of the data security breach, (ii) the impact of such data security breach upon the Controller and the persons whose personal data is affected by data security breach and (iii) the measures taken or proposed to be taken to address the data security breach.

The Processor shall assist the Controller in notifying the personal data breach with the supervisory authority, obtaining the information listed above, necessary to fill in the notification, and in communicating with the data subjects, as the case may be.

The Processor will not make any public announcements relating to personal data breach without the Controller’s prior written approval.

6. ASSISTING THE CONTROLLER

The Processor assists the Controller in respect of the management of the data subjects rights requests, the security of personal data, respectively the data protection impact assessment and prior consultation, the management of the requests received from public authorities, including supervisory authority, taking into account the nature of processing and the information available to the Processor.

7. RECORDS OF PROCESSING

The Processor will maintain a record of the Processing operations carried out on the Controller's behalf in the format to be communicated from time to time to the Controller.

8. RETURNING OR DELETING DATA AT TERMINATION

At the end of the provision of services related to processing, at the choice of the Controller, the Processor (i) shall return all original documents or (ii) shall delete or destroy all materials in any medium, containing personal data, including all copies, and any materials derived from or incorporating such personal data and shall certify to the Controller that it has done so, unless the law requires the Processor to retain such personal data.

The Processor shall delete all personal data processed on behalf 30 days after the end of the provision of services relating to processing/ the termination of the Agreement.

9. AUDIT AND INSPECTION

The Processor shall provide to the Controller with all necessary materials, documents and other information to enable the Controller to confirm that the Processor has complied with its obligations under this document.

The Controller or another auditor mandated by the Controller shall have the right to inspect the Processor’s business processes and practices that involve the Processing of personal data in relation to the services being provided for or on behalf of the Controller. The Processor shall allow and contribute to such audits, including inspections conducted by the Controller or another auditor mandated by the Controller.

Such audits shall be conducted during the Processor’s normal business hours, with prior written notice of at least thirty (30) days, and shall be carried out in a manner that causes minimum disruption to the Processor’s operations.

10. SUBCONTRACTING

The Controller grants the Processor a general authorization to engage sub-processors. The list of sub-processors, as well as any subsequent changes to the list, shall be communicated by the Processor to the Data Controller. The Data Controller shall have the right to object to the amendment of the list within 30 days of the communication by the Processor, stating the reasons.

The list of subcontractors already authorised by the Controller is included in Appendix A to these clauses.

Processor shall, prior to any such disclosure to any sub-processor, enter into a written, valid and enforceable agreement with such subcontractor that includes terms that: (i) are substantially the same as the obligations applicable to personal data as contained in these Clauses, (ii) otherwise require such subcontractors to comply with the terms and conditions of these Clauses regarding the process of personal data.

11. TRANSFERS OUTSIDE UK/EEA

The Processor shall not disclose or transfer any personal data processed by the Processor for or on behalf of the Controller outside UK/European Economic Area, to third countries or international organisations without informing the Controller or on the documented instructions from the Controller.

In case transfers to third countries or international organizations, which the Processor has not been instructed to perform by the Controller are required under local laws to which the Processor is subject, the latter shall inform the Controller without undue delay of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.

Any transfer outside European Economic Area to third countries or international organizations shall always take place in compliance with the requirements provided by GDPR/UK GDPR and internal law and the Processor shall comply with applicable law governing the transfer of personal data into such third country or international organization.

In case of a transfer of the personal data from Controller to Processor or access by the Processor from locations outside EU/EEA, the Parties will comply and ensure the applicability of the SCC for controllers to processors as approved by the ICO, that will be included in an Annex of these clauses. The Processor undertakes that the sub-processor shall sign the standard contractual clauses defined by the ICO/European Commission decision in force at the time of acceptance of this Legal Terms and shall communicate them to the Processors. In the event that the Processor will transfer personal data to the United States of America it undertakes and will ensure that the entity receiving the personal data holds the certifications required and recognised by applicable law and European regulations, recommendations, such as but not limited to the Data Privacy Framework (DPF).

12. OTHER CLAUSES

Insofar the Processor discloses its collaborators’, employees’ and any other individual's personal data to the Controller for the purpose or in connection with the Agreement, the Processor has the obligation to inform all such individuals with regard to such disclosure and to the processing of their personal data by the Controller, including in connection with the Controller's audit rights set out in these Clauses. The Processor shall take all the appropriate measures (including obtaining the consent from such individuals, if the case) so that the Controller may process such personal data for purposes provided by the Agreement, without any formalities.

Appendix A

Authorized Sub-procesors