Data Processing Agreement
.
This is a data processing agreement ("DPA") for the product called Deyel offered by Optaris Inc., and includes the standard contractual clauses adopted by the European Commission, as applicable, and reflects the agreement of the parties governing the processing of personal data under the Optaris Terms of Service ("ToS"). This DPA is an amendment to the Terms of Service, it is effective as of its incorporation into them and will be part of the ToS. The term of this DPA will follow the term of the ToS; and terms defined otherwise will have the meaning set forth in the Terms of Service.
The GDPR protects the fundamental right of data subjects in the European Union to privacy and the protection of personal data. It introduces robust requirements that will raise and harmonize standards for data protection, security, and compliance.
"Client": refers to the entity that you represent.
"Customer Data": refers to "personal data" (as defined in the GDRP) that is uploaded to Customer's AWS accounts.
"Data Protection Law": refers to all legislation related to data protection and privacy, including, among others, the EU Data Protection Directive 95/46 / EC and all local laws and regulations that modify or replace any of them, including the GDPR, together with applicable national laws in any member state of the European Union or, to the extent applicable, in any other country, as modified, repealed, consolidated or replaced periodically.
"Data subject": refers to the individual with whom the personal data relates.
"GDPR": refers to Regulation 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of natural persons in relation to the processing of personal data and the free circulation of said data, and by which repeals Directive 95/46 / EC (General Data Protection Regulation).
"Instruction": is the written and documented instruction, issued by the Controller to the Processor to take a specific action with respect to personal data (including, among others, depersonalization, blocking, deletion, making available).
"Personal data": means any information related to an identifiable individual contained in customer data and protected in a manner similar to personal data or personally identifiable information according to the applicable Data Protection Law.
"Breach of protection of personal data" means a breach of security that leads to the destruction, loss, alteration, unauthorized disclosure or unauthorized or illegal access of Personal Data transmitted, stored or otherwise processed.
"Processing": any operation or set of operations that is carried out on personal data, which includes the collection, registration, organization, structuring, storage, adaptation or alteration, recovery, consultation, use, disclosure by transmission, dissemination or making available otherwise, alignment or combination, restriction or erasure of personal data. The terms "process", "processes" and "processing" will be interpreted similarly. "Processor": natural or legal person, public authority, agency or other body that processes Personal Data on behalf of the Controller. "Security Incident" - Means a breach of AWS security that generates an accidental or illegal destruction, loss, alteration, unauthorized disclosure, or access to Customer Data.
The Processor will take appropriate technical and organizational measures to adequately protect Personal Data against accidental or illegal destruction, loss, alteration, unauthorized disclosure or access to Personal Data. Such measures include, but are not limited to:
Here is the list of sub processors
The GDPR protects the fundamental right of data subjects in the European Union to privacy and the protection of personal data. It introduces robust requirements that will raise and harmonize standards for data protection, security, and compliance.
1.Definitions
"Controller": natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data."Client": refers to the entity that you represent.
"Customer Data": refers to "personal data" (as defined in the GDRP) that is uploaded to Customer's AWS accounts.
"Data Protection Law": refers to all legislation related to data protection and privacy, including, among others, the EU Data Protection Directive 95/46 / EC and all local laws and regulations that modify or replace any of them, including the GDPR, together with applicable national laws in any member state of the European Union or, to the extent applicable, in any other country, as modified, repealed, consolidated or replaced periodically.
"Data subject": refers to the individual with whom the personal data relates.
"GDPR": refers to Regulation 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of natural persons in relation to the processing of personal data and the free circulation of said data, and by which repeals Directive 95/46 / EC (General Data Protection Regulation).
"Instruction": is the written and documented instruction, issued by the Controller to the Processor to take a specific action with respect to personal data (including, among others, depersonalization, blocking, deletion, making available).
"Personal data": means any information related to an identifiable individual contained in customer data and protected in a manner similar to personal data or personally identifiable information according to the applicable Data Protection Law.
"Breach of protection of personal data" means a breach of security that leads to the destruction, loss, alteration, unauthorized disclosure or unauthorized or illegal access of Personal Data transmitted, stored or otherwise processed.
"Processing": any operation or set of operations that is carried out on personal data, which includes the collection, registration, organization, structuring, storage, adaptation or alteration, recovery, consultation, use, disclosure by transmission, dissemination or making available otherwise, alignment or combination, restriction or erasure of personal data. The terms "process", "processes" and "processing" will be interpreted similarly. "Processor": natural or legal person, public authority, agency or other body that processes Personal Data on behalf of the Controller. "Security Incident" - Means a breach of AWS security that generates an accidental or illegal destruction, loss, alteration, unauthorized disclosure, or access to Customer Data.
2. Subject and Nature of the processing
The processing of personal data by the processor is the execution of the services that the controller requests. Personal data will be subject to the processing activities specified in the Terms of Service and to a specific request.3. Types of Personal Data and purpose of processing.
Contact information, the scope of which is determined and controlled by the customer at its sole discretion, and other personal data such as browsing data (including website usage information), email, system usage data, integration data of applications and other electronic data sent, stored and received by end users through the Deyel Platform will be processed in order to provide the services established and agreed in the terms of service and for any applicable order.4. Category of data subjects.
Contacts of the Controller and other end users, including the Controller's employees, contractors, collaborators, customers, prospects, suppliers and subcontractors. Data subjects also include individuals attempting to communicate or transfer personal data to the controller's end users.5. Responsibility of the client
The controller will be solely responsible for complying with the legal requirements related to data protection and privacy, in particular with regard to the disclosure and transfer of personal data to the processor and the processing of personal data. To avoid doubts, the Controller's instructions for the Processing of Personal Data must meet the Data Protection Law. The Controller will inform the Processor without undue delay and exhaustively about any errors or irregularities related to the legal provisions on the Processing of Personal Data.6. Processor obligations
The controller will be solely responsible for complying with the legal requirements related to data protection and privacy, in particular with regard to the disclosure and transfer of personal data to the processor and the processing of personal data. To avoid doubts, the Controller's instructions for the Processing of Personal Data must meet the Data Protection Law. The Controller will inform the Processor without undue delay and exhaustively about any errors or irregularities related to the legal provisions on the Processing of Personal Data (in addition to storing and maintaining the security of the affected Personal Data) until such time as the Controller issues new instructions that the Processor can comply with.The Processor will take appropriate technical and organizational measures to adequately protect Personal Data against accidental or illegal destruction, loss, alteration, unauthorized disclosure or access to Personal Data. Such measures include, but are not limited to:
- The prevention of unauthorized persons having access to personal data processing systems (physical access control).
- The prevention of the use of personal data processing systems without authorization (logical access control).
- Ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage in storage media, and that the entities involved in any transfer of Personal Data can be established and verified (control data transfer).
- Ensuring that Personal Data is processed only in accordance with Instructions (control of instructions).
- Ensure that personal data is protected against accidental destruction or loss (availability control).
- Ensure personal data is backed up and maintained using industry standards
- Ensure that infrastructure providers use commercially reasonable efforts to guarantee a minimum activity time of 99.77% for access to Processor services.
7. Rectification, Restriction and Security Data
The Processor will provide reasonable assistance, including through appropriate technical and organizational measures and taking into account the nature of the Processing, to enable the Controller to respond to any request from Data Subjects seeking to exercise their rights under the Data Protection Act with respect to personal data (including access, rectification, restriction, deletion or portability of Personal Data, as applicable), to the extent permitted by law. If such request is made directly to the Processor, the Processor will immediately inform the Controller and advise the Data Subjects to submit their request to the Controller. The controller will be the only responsible for responding to the requests of any interested party. The Controller will reimburse the Processor for the costs derived from this assistance.8. Violations of personal data.
The Processor will notify the Controller as soon as possible when it becomes aware of any violation of Personal Data that affects them. At the request of the Controller, the Processor will immediately provide all reasonable assistance necessary to allow it to notify the relevant Personal Data breaches to the competent authorities and/or the Data Subjects affected, if required by law enforcement of Data Protection.9. Sub Processors
The Processor shall have the right to contract sub-processors to fulfill the obligations defined in the Terms of Service to the extent that the controller the Optaris terms of service. When the Processor involves sub-processors, they must meet with the same terms of service and obligations that apply to the Processor under this DPA.Here is the list of sub processors
- Amazon Web Services, Inc. (https://aws.amazon.com/compliance/)
- Google, Inc. (https://cloud.google.com/security/compliance)