This Data Processing Agreement (“DPA”) is an addendum to the agreement or general terms (“Terms of Service”) regulating the service provided to ______________ (“Data Controller”) by Supertech SL (“Data Processor”). The following clauses are applicable whenever the intended use of Supertech SL triggers the application of the European Union's General Data Protection Regulation (“GDPR”) and/or is subject to the California Privacy Protection Act (“CCPA”).
“Privacy Laws” means all privacy and data protection laws, rules, regulations, decrees, orders and other government requirements applicable to the processing of personal data under this DPA.
The terms “personal data”, “personal information”, “processing”, “controller”, “processor”, “service provider”, “data subject”, “personal data breach” and “data breach” will have the meanings ascribed to them in the applicable Privacy Laws.
"The Product" refers to a cloud-based software provided by Supertech SL.
"Data processor" or “service provider” refers to Supertech SL.
“Buyer” or "Data Controller" refers to the company identified in this agreement as such, having entered into a contract to either deploy the Product on one or various websites or use the Product to store, process, analyze, visualize or retrieve structured or unstructured data pertaining to its own current or potential customers.
The subject matter of processing is the personal data provided in respect of the services under the Terms of Service. The duration of the processing is the duration of the provision of the services under the Terms of Service until disposal of the personal data in accordance with such terms. The nature and purpose of the processing is in connection with the provision of the services. The types of personal data processed are those submitted by or at the direction of the Data Controller as part of the services under the Terms of Service. The categories of data subjects are those whose personal data is submitted by or at the direction of the Data Controller as part of the services being provided.
The Data Controller will not be collecting data, in aggregated or granular form, about a data subject's health, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. As a result, the Product will not be storing or processing such data.
To the extent that Supertech SL is processing personal data on behalf of the Data Controller, Supertech SL shall notify the Data Controller without undue delay after becoming aware of a personal data breach and shall reasonably respond to the Data Controller’s requests for further information to assist the Data Controller in fulfilling its obligations under the Privacy Laws.
Supertech SL has the Data Controller’s general authorization to engage other processors for the processing of personal data in accordance with this DPA from the list included in app.comply.org/attest/Supertech SL, which Supertech SL may update from time to time. Supertech SL will inform the Data Controller of any intended changes by updating the list on its website at least fifteen (15) days in advance. The Data Controller may object to the change without penalty by notifying Supertech SL within fifteen (15) days after the list is updated and describing its reasons to object. Supertech SL shall use reasonable endeavors to avoid processing of personal data by such new processor to which the Data Controller reasonably objects.
Where Supertech SL engages another processor for carrying out specific processing activities on behalf of the Data Controller, the same data protection obligations as set out in this DPA, in substance, shall be imposed on that other processor by way of a contract or other legal act under applicable law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Privacy Laws. Where that other processor fails to fulfill those data protection obligations, Supertech SL shall (subject to the Terms of Service) remain fully liable to the Data Controller for the performance of that other processor's obligations.
To the extent that Supertech SL is processing personal data on behalf of the Data Controller, Supertech SL shall, to the extent legally permitted, promptly notify the Data Controller of any data subject requests Supertech SL receives, and the Data Controller authorizes Supertech SL to redirect such requests to the Data Controller to respond directly.
To the extent legally permitted, the Data Controller shall be responsible for any reasonable costs arising from Supertech SL providing assistance to the Data Controller in responding to such requests.
Supertech SL shall ensure that, to the extent that any personal data originating from the Data Controller’s country is transferred by Supertech SL to another country, such transfer shall be subject to appropriate safeguards in accordance with the Privacy Laws.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the parties shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
To the extent that Supertech SL is processing personal data on behalf of the Data Controller, Supertech SL shall take steps to ensure that any natural person acting under the authority of Supertech SL who has access to such personal data does not process it except on instructions from the Data Controller, unless he or she is required to do so by applicable law.
The Supertech platform is hosted in