Data Processing Agreement
This Data Processing Agreement is entered into between the Service Provider and the Customer and is incorporated into and governed by the Terms of Service.
| Term | Definition |
|---|---|
| Terms Of Service | means the agreement between Service Provider and the Customer for the provision of the Services |
| GDPR | European Parliament and the Council’s Regulation No. 2016/679 dated 27/04/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data |
| Data Controller | means Customer |
| Data Subject | shall have the same meaning as in GDPR |
| Data Processor | means the Service Provider |
| Personal Data | shall have the same meaning as in GDPR |
| Sub-Processor | a third party Data Processor used by Service Provider, that has or potentially will have access to or process Client Data (which may contain Personal Data) |
| Sub-Processor Notice Period | 14-day period before transferring any personal data to a new sub-processor |
| Services | as per definitions in Terms Of Service |
| Customer Data | as per definitions in Terms Of Service |
| Data Breach | any accidental or unlawful destruction, loss, alteration or unauthorised disclosure or access to any Personal Data |
| Compliance Website | Service Provider’s website’s section regarding Compliance - https://www.dokobit.com/compliance |
2. Purpose and scope
- 2.1. The Data Processor has agreed to provide the Services to the Data Controller in accordance with the Terms of Service. In providing the Services, the Data Processor shall process Customer Data on behalf of the Data Controller. Customer Data may include Personal Data. The Data Processor will process and protect such Personal Data in accordance with the terms of this Data Processing Agreement.
- 2.2. The Data Processor shall process Personal Data only to the extent necessary to provide the Services in accordance with both the Terms of Service and this Data Processing Agreement.
3. Data Processor obligations
- 3.1. The Data Processor may collect, process or use Personal Data only within the scope of this Data Processing Agreement and act strictly in accordance with the Data Controller's lawful and reasonable instructions.
- 3.2. The Data Processor ensures that its personnel are authorised to process the Personal Data within the scope of this Data Processing Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- 3.3. The Data Processor shall implement appropriate technical and organisational security measures to protect the Personal Data in accordance with GDPR.
- 3.4. The Data Processor shall enable the Data Controller to access, rectify, erase, restrict and transmit the Personal Data processed by the Data Processor.
- 3.5. The Data Processor shall provide assistance to enable the Data Controller to comply with its obligations under GDPR, including using appropriate technical and organisational measures to assist the Data Controller in responding to data subject requests to access Personal Data.
- 3.6. The Data Processor shall retain ISO/IEC 27001 certification for its services used by the Data Controller.
- 3.7. Data Processor shall make all information necessary to demonstrate compliance with its processing obligations available and allow for and contribute to audits and inspections, conducted by or on behalf of the Data Controller. Any audit conducted under this Data Processing Agreement shall consist of examination of the most recent reports, certificates and/or extracts prepared by an independent auditor bound by confidentiality provisions similar to those set out in the Terms of Service. In the event that provision of the same is not deemed sufficient in the reasonable opinion of the Data Controller, the Data Controller may at its own expense conduct a more extensive audit, which will be:
- 3.7.1. limited in scope to matters specific to the Data Controller and agreed in advance with the Data Processor;
- 3.7.2. upon reasonable notice which shall be not less than 4 weeks unless an identifiable material issue has arisen;
- 3.7.3. conducted in a way which does not interfere with the Data Processor’s day-to-day business.
- 3.8. Data Processor may charge a fee (based on its reasonable time and costs) for assisting with any audit. Data Processor will provide the Data Controller with further details of any applicable fee and the basis of its calculation in advance of any such audit.
- 4.1. The Data Controller hereby gives the Data Processor a general consent to engage sub-processors to process Personal Data of the Data Controller in connection with the provision of the Services.
- 4.2. All Sub-processors who process Personal Data in the provision of the Services to the Data Controller shall comply with the obligations of Data Processor similar to those set out in this Data Processing Agreement.
- 4.3. The Data Processor shall make details of its sub-processors available at Compliance Webpage’s Sub-Processors section.
- 4.4. If the Data Processor intends to add a new Sub-Processor, it shall make details of such new Sub-Processor available at Compliance Webpage’s Sub-Processors section at least 14 calendar days ("Sub-Processor Notice Period") before transferring any personal data to a new Sub-Processor. The Data Controller shall notify the Data Processor during the Sub-Processor Notice Period if it objects to the new Sub-Processor. If the Data Controller does not object to the Sub-Processor during the Sub-Processor Notice Period, the Data Controller shall be deemed to have accepted the Sub-Processor. If the Data Controller has raised a reasonable objection to the new Sub-Processor, and the parties have failed to agree on a solution within the Sub-Processor Notice Period, the Data Controller shall have the right to terminate the Terms of Service and this Data Processing Agreement.
5. Data Controller obligations
- 5.2. The Data Controller represents and warrants that it has obtained all necessary permissions and authorisations necessary to permit the Data Processor and its Sub-Processors to execute their rights or perform their obligations under this Data Processing Agreement.
- 5.3. The Data Controller acknowledges and agrees that some instructions from the Data Controller, including destruction or return of data from the Data Processor, may result in additional fees. In such case, the Data Processor will notify the Data Controller of such fees in advance unless otherwise agreed.
6. Data breach
- 6.1. The Data Processor shall notify the Data Controller without undue delay after becoming aware of (and in any event within 72 hours of discovering) a Data Breach or a critical risk that can lead to a breach of Personal Data.
- 6.2. The Data Processor shall have and maintain registers of such data breaches and risk events. The registers shall at a minimum include the following:
- 6.2.1. description of the nature of the personal data breach or critical risk;
- 6.2.2. description of the likely consequences as well as those that have actually occurred;
- 6.2.3. description of the measures that the Data Processor has taken or proposes to take to address the Personal Data breach or critical risk.
- 6.3. The register of Personal Data breaches shall be provided to the Data Controller in copy if requested in writing by the Data Controller or the relevant Data Protection Agency.
- 6.4. The Data Controller is solely responsible for complying with data breach notification laws applicable to the Data Controller and fulfilling any third party notification obligations related to any Data Breach(es).
- 7.1. The limitations on liability set out in the Terms of Service apply to all claims made pursuant to any breach of the terms of this Data Processing Agreement.
- 7.2. The Data Processor and the Data Controller agree that the Data Processor shall be liable for any breaches of this Data Processing Agreement caused by the acts and omissions or negligence of its Sub-Processors to the same extent the Data Processor would be liable if performing the services of each Sub-Processor directly under the terms of this Data Processing Agreement, subject to any limitations on liability set out in the Terms of Service.
8. Duration and Termination
- 8.1. The term of this Data Processing Agreement shall coincide with the commencement of the Terms of Service and this Data Processing Agreement shall terminate automatically together with the termination or expiry of the Terms of Service.