Data Processing Agreement (DPA) SwipeGuide B.V.
[Updated February 8th, 2021]
1. DEFINITIONS
|
Agreement |
The underlying Data Processing Agreement, applicable between Parties. |
|
Data Controller |
You, who as a user makes use of our services and therefore you supply us with personal data of Data subjects. As such, you are the Controller in the sense of the GDPR. |
|
Data Processor |
We, SwipeGuide, with the following address: John M Keynesplein 12-46, 1066EP Amsterdam, The Netherlands, registered with the Chamber of Commerce under the following number: 62.58.47.74, operating as a processor of personal data with which the Controller supplies us. |
|
Data Subjects |
The persons of which personal data is collected on the basis of this data processing agreement; data subjects within the meaning of what is specified in the GDPR. |
|
GDPR |
The General Data Protection Regulation (EU) 2016/679 per 25 May 2018. |
|
Parties |
The processor and Controller referred to jointly. |
|
Personal data |
Data which can be used either directly or indirectly to identify a natural person, as intended in the GDPR. |
|
Sub Processors |
Third parties, employed by the Processor for the processing of personal data for the benefit of the Controller. |
2. BACKGROUND
2.1. The controller acts as a controller (also called a ‘data controller’), in the sense of the GDPR. This means that the purpose and the means of the processing of personal data are determined by Controller and that Controller uses this data for its own personal purposes.
2.2. The processor acts as a ‘processor’ in the sense of the GDPR. This means that Processor only processes the personal data supplied by the Controller in accordance with Controller’s written instructions, as described in this Data Processing Agreement. The processor shall not process the data for its own personal purposes.
3. EXECUTION OF PROCESSING
3.1. In the execution of the assignment, the Data Processor will handle the personal data in a careful manner and only process the personal data based on the assignment of the Data Controller, in accordance with its written instructions and in accordance with this Agreement and the GDPR.
3.2. The Data Processor will not process the personal data for any other purpose than as determined by the Data Controller. Data Processor has no control over the purpose and means of the processing of the personal data.
3.3. Data Processor and Controller each guarantee that every person acting under its authority will process the personal data lawfully and in accordance with this Agreement and the GDPR.
3.4. At the request of Data Controller, Data Processor will provide Data Controller with information about the (security) measures taken in order to comply with the obligations under the GDPR, this Agreement, and other instructions from Data Controller.
4. WARRANTY DATA CONTROLLER
4.1. Data Controller guarantees the processing of the personal data of the Data Subjects, as referred to in this Agreement, is not unlawful and does not violate the rights of others. Data Controller indemnifies Data Processor against all claims relating to this.
5. TRANSFER OF PERSONAL DATA
5.1. In principle, the Processor only processes the personal data within the confines of the European Union and the countries that have been designated by the European Commission as countries offering an adequate level of protection.
5.2. The Processor shall only pass along personal data to countries for which no adequacy decision has been taken if this is in accordance with the requirements of the GDPR. In case the consent of Data Subjects is required, the Controller shall bear the responsibility for acquiring it.
5.3. The processor shall notify the Controller in advance of any processing in another country that is not included in paragraph 1 of this article unless such processing is legally prohibited.
5.4. Article 6 - Security measures Data Processor implements all appropriate technical and organizational measures to prevent loss of personal data or any form of unlawful processing, subject to the relevant provisions of the GDPR. These measures shall guarantee an adequate level of protection of the personal data being processed, subject to the relevant provisions of the GDPR
5.5. Data Processor will at least take the following security measures:
- Encryption of digital files containing personal data.
- Security of the network connection with Secure Socket Layer (SSL) technology or a similar technology.
- Restriction of access to personal data to authorized employees.
- Annual audits of the security policy by an external party.
- Back-ups of the personal data to restore them in time in case of physical or technical incidents.
5.6. Data Processor shall provide Data Controller with all available information to provide Data Controller assistance in carrying out security measures, conducting audits and inspections, and carrying out data protection impact assessments. Any audits and / or inspections by Data Controller require prior written agreement of Data Processor.
6. SECURITY INCIDENTS
6.1. The Data Processor will report any theft, loss, misuse or other forms of data incidents, as defined in the GDPR, to the Data Controller as soon as possible. This report includes, as far as possible, at least the following: the nature of the breach, the categories, and scope of the personal data concerned, the likely consequences of the data breach, the measures the Data Processor has taken, and the contact details for Data Controller to obtain more information.
6.2. If needed, the Data Processor will fully cooperate to inform the authorities and Data Subjects about such security incidents or data breaches. In addition, the Data Processor will fully cooperate in carrying out risk assessments, analyzing the cause of the incident or breach, identifying required corrective measures and implementing those measures.
7. RETURN OF DATA
7.1. If this Agreement is ended, Data Processor will return all data, including personal data, which are processed by Data Processor based on this Agreement, to Data Controller at his request. The Data Controller must submit this request to the Data Processor within 1 month. After this period, Data Processor will safely remove or destroy all personal data, including any copies of it, unless Data Processor is legally obliged to store the (personal) data for a longer period.
8. RIGHTS OF DATA SUBJECTS
8.1. The Data Processor will assist the Data Controller with all requests which may be received from Data Subjects, such as the right to access, rectification or erasure.
8.2. If the Data Processor receives a request from a third party to provide access to the personal data based on an alleged (legal) obligation, the Data Processor will inform Data Controller in writing before he provides the third party access, so Data Controller can assess whether the request is legitimate.
9. PEOPLE WORKING UNDER THE AUTHORITY OF DATA PROCESSOR
9.1. The obligations for Data Processor arising from this Agreement also apply to those who process personal data under the authority of Data Processor, including but not limited to employees.
10. SUBPROCESSORS
10.1. The Data Processor may subcontract the processing of the personal data to external parties. Data Processor has sub-contracted (part of) the processing of the personal data to the following "Sub Processors" as indicated under Annex 1 & 2 below. Data Controller hereby authorizes the aforementioned Sub Processors. Data Processor acknowledges and agrees that the applicable legal terms as agreed between the Data Processor and the aforementioned Sub Processors are applicable in the relation between Data Processor and Sub Processors in this agreement.
10.2. The Data Processor may appoint new Sub Processors for the processing of the personal data. Data Processor will notify Data Controller of the addition or replacement of any Sub Processors. Data Processor is then also offered the possibility to object to this. In addition, the Data Controller may request an overview of all appointed Sub Processors.
11. LIABILITY
11.1 With regard to the liability and indemnification obligations of Processor under this Processor’s Agreement the stipulation in the Agreement regarding the limitation of liability applies.
11.2. Without prejudice to article 9.1 of this Processor’s Agreement, Processor is solely liable for damages suffered by Controller and/or third-party claims as a result of any Processing, in the event the specific obligations of Processor under the GDPR are not complied with or in case the Processor acted in violence of the legitimate instructions of the Controller.
11.3. This clause is also subject to provisions as stated in the SaaS Agreement.
12. NULLITY
12.1. If a part of this Agreement is deemed void or voidable, this does not change the validity of the rest of this Agreement. Any invalid provision shall be replaced by a provision that is valid and which interpretation shall be as close as possible to the intent of the invalid provision.
13. FINAL PROVISION
13.1. This Agreement can only be amended in writing.
13.2. This Agreement replaces all prior agreements between parties.
ANNEX 1 – The purpose of the Processing of Personal Data and categories of Personal Data and Data subjects
The purpose of the processing of personal data is to grant access rights to the SwipeGuide platform.
1. Categories of data subjects:
- Employees;
- Contractors;
- Registered users: we store and save data of registered license users (name + email address).
2. Categories of Personal Data regarding the following categories of data subjects:
- Name;
- Email address;
- IP Addresses. For security reasons, we process IP addresses to block them if a user has too many failed attempts of logging into the platform. We do this as we cannot identify who is trying to log in. We do not create reports on IP addresses, and they are not linked to identifiable personal data. In some rare cases, the IP address might be linked to an email address in the error log for failed log-ins.
ANNEX 2 - Sub-Processors
|
Company |
Full address |
Data & purpose |
|
Amazon Web Services (Ireland) |
Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg |
Name & e-mail for the SwipeGuide Web solution |
|
Cloudinary |
20 Aharon Bart St Building C, Petach Tikva 4951448, Israel |
None, only media |
|
Hubspot |
Hubspot Inc. 25 First Street, 2nd Floor Cambridge, MA 02141, United States |
Name & e-mail for communication |
|
Intercom |
KPMG Building, 55 2nd St 4th floor, San Francisco |
Name & e-mail for user support |
|
SiSense |
SISENSE SF, INC. (formerly known as Periscope, Inc.) 1125 Mission St. San Francisco, CA 94103 |
None, only usage data |