Data Processing Agreement (DPA) SwipeGuide B.V.
[Updated June 2024]
1. DEFINITIONS
|
Agreement |
the agreement concluded between the Controller (Customer) and the Processor (Supplier) regarding the provision of the Service (as defined in the Agreement); |
|
Controller |
You, who as a user makes use of our Services (as defined in the Agreement) and therefore you supply us with Personal Data of Data Subjects. As such, you classify as a controller within the meaning of article 4(7) GDPR. |
|
DPA |
The present data processing agreement. |
|
Data Subjects |
The persons of which Personal Data is collected on the basis of this DPA. within the meaning of article 4(1) GDPR. |
|
GDPR |
The General Data Protection Regulation (EU) 2016/679 per 25 May 2018. |
|
Parties |
The Processor and Controller referred to jointly. |
|
Personal Data |
Data which can be used either directly or indirectly to identify a natural person, as defined in article 4(1)GDPR. |
|
Process |
As well as conjugations of this verb: the Processing of Personal Data as referred to in article 4(2) GDPR. |
|
Processor |
We, SwipeGuide, with the following address: John M Keynesplein 12-46, 1066EP Amsterdam, The Netherlands, registered with the Chamber of Commerce under the following number: 62.58.47.74, operating as a processor within the meaning of article 4(8) GDPR. |
|
Sub Processors |
Third parties, engaged by the Processor for the Processing of Personal Data for the benefit of the Controller. |
2. BACKGROUND
2.1 The Controller acts as a Controller, within the meaning of article 4(7) GDPR. This means that the purpose and the means of the Processing of Personal Data are determined by Controller and that Controller uses this Personal Data for its own personal purposes.
2.2 The Processor acts as a ‘processor’ within the meaning of article 4(8) GDPR. This means that Processor only Processes the Personal Data supplied by the Controller in accordance with Controller’s written instructions, as described in this DPA. The Processor shall not Process the Personal Data for its own personal purposes.
3. EXECUTION OF PROCESSING
3.1. In the execution of the assignment, the Processor will handle the Personal Data in a careful manner and only Process the Personal Data based on the assignment of the Controller, in accordance with its written instructions and in accordance with this DPA and the GDPR.
3.2. The Processor will not Process the Personal Data for any other purpose than as determined by the Controller. Processor has no control over the purpose and means of the Processing of the Personal Data.
3.3. Processor and Controller each guarantee that every person acting under its authority will Process the Personal Data lawfully and in accordance with this DPA and the GDPR.
3.4. At the request of Controller, Processor will provide Controller with information about the (security) measures taken in order to comply with the obligations under the GDPR, this DPA, and other instructions from Controller.
4. WARRANTY DATA CONTROLLER
4.1. Controller guarantees the Processing of the Personal Data of the Data Subjects is not unlawful and does not violate the rights of others. Controller indemnifies Processor against all claims relating to this.
5. TRANSFER OF PERSONAL DATA
5.1. In principle, the Processor only Processes the Personal Data within the confines of the EEA and the countries that have been designated by the European Commission as countries offering an adequate level of protection.
5.2. Any transfer of Personal Data to a third country or an international organisation by the Processor shall be done only in a way that is compliant with the GDPR and this DPA. In case the consent of Data Subjects is required, the Controller shall bear the responsibility for acquiring it.
6. SECURITY INCIDENTS
6.1. Processor shall render all reasonable efforts in taking appropriate technical, physical and organizational security measures to protect Personal Data against all other forms of unlawful Processing to ensure a level of security appropriate to the risk.
6.2. Processor will at least take the following security measures:
- Encryption of digital files containing personal data.
- Security of the network connection with Secure Socket Layer (SSL) technology or a similar technology.
- Restriction of access to personal data to authorized employees.
- Annual audits of the security policy by an external party.
- Back-ups of the personal data to restore them in time in case of physical or technical incidents.
7. SECURITY INCIDENTS
7.1. In the event Processor becomes aware of any incident that may have a (significant) impact on the protection of Personal Data, (i) it will notify via email Controller without undue delay, and; (ii) will take all reasonable measures to prevent or limit (further) violation of the GDPR.
7.2. The Processor will, insofar as reasonable, provide all reasonable cooperation requested by the Controller in order for Controller to comply with its legal obligations relating to the identified incident.
7.3. The Processor will, insofar as reasonably possible, assist the Controller with the Controller’s notification obligation relating to the Personal Data to the data protection authority and/or the Data Subjects, as meant in Section 33 and 34 GDPR. Processor is never held to report a personal data breach with the data protection authority and/or the Data Subjects.
7.4. Processor will not be responsible and/or liable for the (timely and correctly) notification obligation to the relevant supervisor and/or data subjects, as meant in Section 33 and 34 GDPR.
8. RETURN OF DATA
8.1.Without prejudice to the specific provisions of the DPA, the Processor will, at the first request of the Controller, delete or return all the Personal Data, and delete all existing copies, unless the Processor is legally required to store (part of) the Personal Data. The Controller must submit this request to the Data Processor within one (1) month after termination of the DPA. After this period,
8.2. Processor will safely remove or destroy all Personal Data, including any copies of it, unless Processor is legally obliged to store the (Personal) Data for a longer period.
8.3. The Processor will, insofar as reasonably possible, provide all reasonable cooperation to the Controller in fulfilling its obligation pursuant to the GDPR to respond to requests for exercising rights of Data Subjects, in particular the right of access (Section 15 GDPR), rectification (Section 16 GDPR), erasure (Section 17 GDPR), restriction (Section 18 GDPR), data portability (Section 20 GDPR) and the right to object (Section 21 and 22 GDPR). The Processor will forward a complaint or request from a Data Subject with regard to the Processing of Personal Data to the Controller without undue delay, as the Controller is responsible for handling the request. The Processor is entitled to charge any costs associated with the cooperation with the Controller.
8.4. The Processor will, insofar as reasonably possible, provide all reasonable cooperation to the Controller in fulfilling its obligation pursuant to the GDPR to carry out a data protection impact assessment (Section 35 and 36 GDPR).
8.5. The Processor will provide the Controller with all the information reasonably necessary to demonstrate that the Processor fulfills its obligations under the GDPR. Furthermore, the Processor will – at the request of the Controller – enable and contribute to audits, including inspections by the Controller or an auditor that is authorized by the Controller, provided Parties reach prior written agreement on the cope of such audit. In case the Processor is of the opinion that an instruction relating to the provisions of this paragraph infringes the GDPR or other applicable data protection legislation, the Processor will inform the Controller immediately.
9. COOPERATION
9.1. The Processor will, insofar as reasonably possible, provide all reasonable cooperation to the Controller in fulfilling its obligation pursuant to the GDPR to respond to requests for exercising rights of Data Subjects, in particular the right of access (Section 15 GDPR), rectification (Section 16 GDPR), erasure (Section 17 GDPR), restriction (Section 18 GDPR), data portability (Section 20 GDPR) and the right to object (Section 21 and 22 GDPR). The Processor will forward a complaint or request from a Data Subject with regard to the Processing of Personal Data to the Controller without undue delay, as the Controller is responsible for handling the request. The Processor is entitled to charge any costs associated with the cooperation with the Controller.
9.2. The Processor will, insofar as reasonably possible, provide all reasonable cooperation to the Controller in fulfilling its obligation pursuant to the GDPR to carry out a data protection impact assessment (Section 35 and 36 GDPR).
9.3. The Processor will provide the Controller with all the information reasonably necessary to demonstrate that the Processor fulfills its obligations under the GDPR. Furthermore, the Processor will – at the request of the Controller – enable and contribute to audits, including inspections by the Controller or an auditor that is authorized by the Controller, provided Parties reach prior written agreement on the cope of such audit. In case the Processor is of the opinion that an instruction relating to the provisions of this paragraph infringes the GDPR or other applicable data protection legislation, the Processor will inform the Controller immediately.
10. PEOPLE WORKING UNDER THE AUTHORITY OF PROCESSOR
10.1 The obligations for Processor arising from this DPA also apply to those who Process Personal Data under the authority of Processor, including but not limited to employees.
11. SUBPROCESSORS
11.1. The Processor is entitled to outsource the implementation of the Processing on the Controller’s instructions to Sub Processors, either wholly or in part, which parties are described in Annex 2. In case the Processor wishes to engage Sub Processors, the Processor will inform Controller of any intended changes concerning the addition or replacement of other processors. The Controller will be able to object to such changes within 10 working days. The Processor will respond to the objection within 10 working days.
11.2. Processor obligates each Sub Processors to contractually comply with the confidentiality obligations, notification obligations and security measures relating to the Processing of Personal Data, which obligations and measures must at least comply with the provisions of this DPA.
12. LIABILITY
12.1. With regard to the liability and indemnification obligations of Processor under this DPA the stipulation in the Agreement regarding the limitation of liability applies.
12.2. Processor is solely liable for damages suffered by Controller and/or third party claims as a result of any Processing, in the event the specific obligations of Processor under the GDPR are not complied with or in case the Processor acted in violence of the legitimate instructions of the Controller.
12.3. This clause is also subject to provisions as stated in the Agreement.
13. NULLITY
13.1. If a part of this DPA is deemed void or voidable, this does not change the validity of the rest of this DPA. Any invalid provision shall be replaced by a provision that is valid and which interpretation shall be as close as possible to the intent of the invalid provision.
14. FINAL PROVISION
14.1. This DPA can only be amended in writing.
14.2. This DPA replaces all prior agreements between parties.
ANNEX 1 – The purpose of the Processing of Personal Data and categories of Personal Data and Data subjects
The purpose of the processing of personal data is to grant access rights to the SwipeGuide platform, to enable provision of services to the users, to assess and manage (the development of) skills and to ensure the correct functioning of the platform.
1. Categories of data subjects:
- Employees:
- Contractors;
- Registered users: we store and save data of registered license users (name + email address).
2. Categories of Personal Data regarding the following categories of data subjects:
- Name;
- Email address;
- Job Title;
- Department;
- Manager/Supervisor;
- Skill levels/assessments;
- Learning activities;
- Checklist results;
- Sign-off results
- IP Addresses. For security reasons, we process IP addresses to block them if a user has too many failed attempts of logging into the platform. We do this as we cannot identify who is trying to log in. We do not create reports on IP addresses, and they are not linked to identifiable personal data. In some rare cases, the IP address might be linked to an email address in the error log for failed log-ins.
ANNEX 2 - Sub-Processors
|
Full official company name |
Description of processing activities |
Description of categories of personal data |
Countries of processing |
|
Amazon Web Services |
We have the data located on AWS cloud services in Ireland (human data and machine generated data) and the USA (machine generated data) regions. |
Email, names |
Ireland |
|
Cloudinary |
Media storage. Content Delivery Network (CDN) |
IP-address |
EU/EEA |
|
Hotjar |
Website heatmaps and behavior tracking |
Unique ids |
Ireland |
|
Hubspot |
CRM. HubSpot for our support to be able to inform the users about the latest changes and updates. We store names and email in the HubSpot platform. |
Email, names, phone numbers (if shared) |
EU/EEA |
|
Intercom |
Customer communication |
Email, names |
EU/EEA |
|
Azure OpenAI Service by Microsoft Ireland Operations Limited |
Artificial intelligence research service to support with creating content and give improvement suggestions |
None, unless submitted by user |
EU/EEA |
|
Papertrail (SolarWinds) |
Logging, monitoring, availability checking service |
Email, IP addresses |
US |
|
Posthog |
Analytics/behavior tracking service |
Unique ids |
US |
|
Sentry |
Logging, monitoring, error tracking |
Email, IP addresses |
US |
|
SolarWinds Pingdom |
Website performance and availability monitoring |
IP addresses |
US |
|
ThoughtSpot |
ThoughtSpot helps us to process and display analytics data for the admin users. They only process machine generated data. |
Anonymous user ids |
EU/EEA |
|
WeberCloud |
Proxy cache service to provide availability to China |
None |
Germany |