Beta Trial Toqan Data Processing Agreement

Recitals

(A) Controller (Customer) and Processor (Supplier) have entered into the Beta Trial Toqan Terms of Service (“the Agreement”).

(B) To the extent that the provision of the Services involves the processing of personal data of end users and/or employees, contractors and affiliates of Customer, the parties enter into this DPA, which is incorporated into the Agreement. Therefore, the acceptance of the Agreement by the Customer is also an acceptance of this DPA by the Customer. 

1. DEFINITIONS

  1. Terms such as "process/processing", "data subject", "(data) processor”, "(data) controller", "personal data/personal(ly identifiable) information", "(personal) data breach", "data protection impact assessment", etc.; shall be interpreted in accordance with such meaning or the meaning of equivalent terms in Data Protection Laws.

  2. "Data Protection Laws" means in relation to any Personal Data which is processed in the performance of the  Agreement, all applicable laws and regulations relating to the processing of data relating to natural persons, including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, “GDPR”).

  3. "Effective Date" means the date on which the Customer accepts the Agreement.

  4. "EEA" means the European Economic Area.

  5. "Personal Data" means the personal data as defined under the Agreement, and included under Annex I of this DPA (Details of Processing of Personal Data).

  6. "Services" means the services described in the Agreement.

  7. "Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to recipients established in third countries, as approved by the European Commission in Implementing Decision 2021/914, or any set of clauses approved by the European Commission which amends, replaces or supersedes these.

  8. "Subprocessor" means any data processor (including any third party and any Processor Affiliate) appointed by Processor to process Personal Data on behalf of the Controller; a list of Sub-processors can be furnished to the Controller on request. 

  9. "Supervisory Authority" means any regulatory authority responsible for the enforcement of Data Protection Laws.

2. PROCESSING OF THE PERSONAL DATA

The Parties agree that this DPA and the Agreement constitute Controllers documented instructions regarding Processors processing of personal data under this Agreement, unless processing is required by EU or Member State law to which Processor is subject, in which case Processor shall to the extent permitted by such law inform the Controller of that legal requirement before processing that Personal Data. The details of the processing operations are specified in Annex I of this DPA(Details of Processing of Personal Data). 

3. PROCESSOR PERSONNEL

Processor shall grant access to the Personal Data to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the Agreement. The Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and have undertaken appropriate training.

4. SECURITY

Processor shall implement and maintain appropriate technical and organisational measures to always ensure a level of security of the Personal Data appropriate to the risk and shall take all necessary measures required pursuant to article 32 GDPR and equivalent security requirements resulting from Data Protection Laws, if applicable to the processing. Technical and organisational measures implemented by the Processor are specified in Annex 2 (Technical and Organizational Measures) to this DPA.

5. SUBPROCESSING

  1. As of the Effective Date, the Controller hereby provides a general authorization to Processor to engage the Subprocessors listed in the Sub-processors list to process Personal Data in connection with the Services. The Sub-processors list will be made available to the Controller on request. Processor will notify Controller of any changes to this list via notification within the Services or other reasonable means. The Controller may object to the use of such additional Sub-processor within 30 days of receiving notice of change by contacting the Processor via authorized channels. 

  2. With respect to each Subprocessor, Processor shall:

    • On receiving a request from the Controller, provide the Controller with  details of the processing to be undertaken by each Subprocessor; 

    • enter into a contract which imposes on the Subprocessor, in substance, the same data protection obligations as the ones imposed on the Processor in accordance with this Agreement.

6. DATA SUBJECT RIGHTS AND LAW ENFORCEMENT REQUESTS 

  1. Processor shall promptly, and in any case within five (5) working days, notify the Controller if it receives a request from a data subject whose Personal Data is processed by Processor on behalf of the Controller and shall provide full details of that request. The Processor shall not respond to the request itself, unless specifically authorised do so by the Controller. 

  2. Taking into account the nature of the processing, Processor shall cooperate as requested by the Controller to enable the Controller to comply with any exercise of rights by a data subject whose Personal Data is processed by Processor under any Data Protection Laws in respect of Personal Data and comply with any assessment, enquiry, notice or investigation under any Data Protection Laws in respect of Personal Data or this DPA.

  3. The Processor agrees to promptly notify the Controller, to the extent such notification is permissible under applicable laws, if it receives a legally binding request from a public authority, including judicial authorities for the disclosure of Personal Data or if it becomes aware of any direct access by public authorities to such Personal Data. 

7. INCIDENT MANAGEMENT

In the event of a personal data breach, the Processor shall cooperate with and assist the Controller to comply with the Controller’s obligations under the applicable Data Protection Laws, taking into account the nature of processing and the information available to the Processor. Processor shall promptly notify the Controller upon becoming aware of a personal data breach in relation to the Personal Data, providing the Controller with sufficient information which allows the Controller to meet any obligations to report a personal data breach under the Data Protection Laws. 

8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

Processor shall, where appropriate, provide reasonable assistance to the Controller with any data protection impact assessments, supervisory authority consultations or similar assessments, only to the extent where such assistance is required under Data Protection Laws.

9. AUDIT AND INSPECTION

  1. Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Data Protection Laws, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

  2. The Controller shall give the Processor reasonable prior written notice of any audit or inspection (which shall be no less than thirty (30) days, except where an audit is required by a Supervisory Authority or following a personal data breach, in which case the Controller shall provide as much notice as is reasonably practicable). Audits shall be conducted during normal business hours, with due regard to the Processor's operations, and shall be limited in scope to the processing of Personal Data under this DPA. The Controller shall ensure that its auditors are bound by appropriate confidentiality obligations. Unless otherwise required by Data Protection Laws or a Supervisory Authority, the Controller shall be entitled to conduct no more than one (1) audit per twelve (12) month period. The costs of any audit shall be borne by the Controller, unless the audit reveals a material breach by the Processor of its obligations under this DPA or Data Protection Laws, in which case the reasonable costs of the audit shall be borne by the Processor.

10. DELETION OF PERSONAL DATA

Upon termination or expiry of the Agreement, the Processor shall delete all Personal Data processed on behalf of the Controller as part of the Services, unless the Controller, by written notice to the Processor, requests the return of such Personal Data in a commonly used, machine-readable format, in which case the Processor shall promptly return the Personal Data and thereafter delete all remaining copies. This Section 10 is without prejudice to the Processor’s right to process non-personal data related to the use of the Services.

11. INTERNATIONAL DATA TRANSFERS 

  1. Any transfer of Personal Data to a non-EEA country  (i) by the Processor or (ii) by the Controller to the Processor under the Agreement shall be done only if required for purposes of performance of the Agreement or in order to fulfil a specific requirement under EU or Member State law to which the Processor is subject and shall take place in compliance with all applicable requirements for international data transfers under Data Protection Laws (in particular Chapter V of GDPR), as well as the remainder of this Clause 11. If required, the parties will enter into the appropriate Standard Contractual Clauses (SCC’s) or equivalent international data transfer mechanism, to be incorporated by reference.  

  2. In the event the Processor engages a Subprocessor in accordance with Clause 5 for carrying out specific processing activities (on behalf of the Controller) and those processing activities  involve a transfer of Personal Data to a non-EEA country, then  the Processor and such Subprocessor shall enter into the appropriate Standard Contractual Clauses, or equivalent data transfer mechanism in accordance with Data Protection Laws

12. MISCELLANEOUS

  1. Subject to section 11.2, the parties agree that this DPA shall terminate automatically upon termination of the Agreement. 

  2. Any obligation imposed on Processor under this DPA in relation to the processing of Personal Data shall survive any termination or expiration of this DPA, to the extent any such obligations remain applicable under Data Protection Laws.

  3. In the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of the DPA shall prevail insofar as the inconsistency relates to data protection obligations or Personal Data. 

  4. The governing law and dispute settlements procedure set out in the Agreement applies mutatis mutandis to this DPA.