Data Processing Agreement

This Data Processing Agreement ("DPA") supplements the Terms of Use, which are updated from time to time between you (together with subsidiaries and affiliates, collectively, "Customer") and Claspo.io (together with its subsidiary(s), jointly referred to as "Claspo.io") when the GDPR applies to Customer's use of the Claspo.io Services to process Customer data.

This DPA is effective from the date the Customer agrees to the Terms of Use. In any conflict between this DPA and the Terms of Use, the relevant terms of this DPA take precedence.

Please contact our Data Protection Officer (DPO) at info@claspo.io if you need advice or recommendations about the interpretation or application of the data protection rules.

This agreement is entered into between

1. Customer

and

2. CLASPO INC., WILMINGTON, DE, USA duly represented by Dmytro Kudrenko with due power and authority for purposes hereof, having its principal office 3524 SILVERSIDE RD STE 35B, WILMINGTON, DE 19810, USA

It is hereby agreed as follows

1. Scope and Order of Precedence

This agreement applies to processing of Personal Data provided to Claspo.io by Customer, as specified in the agreement executed between Claspo.io and Customer dated when the Customer agrees to the Terms of Use (the "Agreement").

The Data Processing Agreement is subject to the terms of the Agreement and incorporated into it. In event of conflict between the Agreement and this Data Processing Agreement, the relevant terms of this DPA take precedence.

2. Definitions

Capitalized terms not otherwise defined in this Data Processing Agreement have meanings assigned in the Agreement.

"Customer" or "Controller" means Customer.

"Directive" means Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995, as amended, on protection of individuals regarding Processing of Personal Data and free movement of such data.

"Model Clauses" means standard contractual clauses annexed to EU Commission Decision 2021/914/EU of 4 June 2021 on standard contractual clauses for transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as may be amended, superseded or replaced.

"Personal Data" means any information relating to an identified or identifiable natural person that (i) Customer or any person acting on Customer's behalf provides to Claspo.io or (ii) Claspo.io processes as part of services provided under the Agreement. An identified or identifiable natural person (a "Data Subject") is one who can be identified, directly or indirectly, by reference to an identifier such as name, identification number, location data, online identifier or factors specific to physical, physiological, genetic, mental, economic, cultural or social identity.

"Process" or "Processing" means any operation or set of operations performed by Claspo.io as part of the Agreement upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Processor" or "Claspo.io" means the entity mentioned above.

"Subprocessor" means a third-party subcontractor engaged by Claspo.io which, as part of the subcontractor's role of delivering services under the Agreement, will Process Personal Data belonging to Customer.

"Regulation" means Regulation 2016/679 of the European Parliament and of the Council of April 27, 2016, on protection of natural persons regarding processing of personal data and free movement of such data, repealing Directive 95/46/EC.

3. Categories of Personal Data and Purpose of the Personal Data Processing

Types of Company Personal Data to be Processed:

A. Customer and Users: identification and contact data (name, address, title, contact details, username); financial information (account details, payment information); employment details (employer, job title, geographic location, area of responsibility).

B. Subscribers: identification and contact data (name, date of birth, gender, general occupation or other demographic information, address, title, contact details, including email address), personal interests or preferences (including purchase history, marketing preferences); IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data).

Processing of special categories of personal data is forbidden.

Data transfer: The data is transferred on a continuous basis.

Processing activities: Collecting, sorting, saving, transferring, restricting, and deleting of controller's data to provide relevant marketing communications.

Purpose: To assist the controller to provide relevant marketing communications.

Data retention: Personal data will be processed and retained for as long as execution of the Agreement is needed and shall be removed upon the controller's request and in accordance with the controller's instructions.

4. Controller's Instructions

During the term of the Agreement, Customer may provide instructions to Claspo.io in addition to those specified in the Agreement regarding processing of Personal Data. Claspo.io will comply with all such instructions without additional charge to the extent necessary for Claspo.io to comply with laws applicable to Claspo.io as a data processor in performance of the Agreement.

Claspo.io shall immediately inform Customer if, in Claspo.io's opinion, an instruction infringes the Directive, the Regulation, or other applicable data protection and privacy provisions.

Control of Personal Data remains with Customer. As between Customer and Claspo.io, Customer will at all times remain the data controller for purposes of the Agreement and this Data Processing Agreement. Customer is responsible for compliance with its obligations as a data controller under data protection laws, in particular for its decisions and actions concerning Processing and use of the data.

5. Rights of Data Subject

Claspo.io undertakes to assist Customer in responding to requests of data subjects exercising their rights to access, to rectify, to erase, to restrict, to data portability, or to object.

In particular, upon Customer's instructions, Claspo.io will delete, release, correct or restrict access to any specific Personal Data and undertake to pass on promptly to Customer any requests of an individual data subject to access, to rectify, to erase, to restrict or to object Personal Data processed under the Agreement.

6. Processor's Obligations

In addition to other provisions of this Data Processing Agreement, Claspo.io undertakes to:

1. Appoint a data protection officer, where required by applicable law, and to supply Customer with his/her contact details;

2. Ensure that all persons who have access to Personal Data belonging to Customer under the terms of the Agreement and Data Processing Agreement undertake to maintain confidentiality and have signed agreements with Claspo.io containing protections no less stringent than those herein and will be informed by Claspo.io of any data protection requirements related to Processing of the Personal Data, including limitation of use to specific purpose of the Agreement and instructions of Customer; and

3. Assist Customer in ensuring compliance with its obligations in terms of security of personal data. In particular, Claspo.io undertakes to promptly notify Customer of any data breach as described in section 11 below and to provide all reasonable assistance to Customer in carrying out data protection impact assessment related directly or indirectly to the Agreement and/or the Data Processing Agreement.

7. Cross Border and Onward Data Transfer

Claspo.io will treat all Personal Data in compliance with requirements of the Agreement and this Data Processing Agreement in all locations globally.

To the extent Personal Data originating from the EEA is transferred by Customer to Claspo.io, or any of Claspo.io Subprocessors located in countries outside the EEA that have not received a binding adequacy decision by the European Commission, such transfers should be managed as follows:

1. Transfers from Customer to Claspo.io, where appropriate, will be made subject to terms of this Data Processing Agreement and the Model Clauses reproduced in Appendix 3.

2. For transfers from Claspo.io to Claspo.io Subprocessors, where appropriate, Claspo.io shall ensure that such transfers are subject to any appropriate transfer mechanisms that provide an adequate level of protection in compliance with applicable requirements, or execute Model Clauses incorporating security and other data privacy requirements at least as restrictive as those of this Data Processing Agreement.

No transfer to a country outside the EEA should be made without Customer's written prior consent.

8. Subprocessors

Claspo.io shall not subcontract any of the Processing operations performed on behalf of Customer under the Agreement without prior written consent of Customer.

Customer hereby expressly agrees to Claspo.io using the Subprocessors listed in Appendix 1.

Where Claspo.io engages Subprocessors with consent of Customer, Claspo.io shall do so only by way of a written agreement with the Subprocessor which imposes same obligations on Subprocessor as are imposed on Claspo.io under this Data Processing Agreement.

Claspo.io remains responsible at all times for compliance with the terms of the Agreement and this Data Processing Agreement by Claspo.io's Subprocessors.

Customer may request that Claspo.io audit the Subprocessor or provide confirmation that such an audit has occurred to ensure compliance with its obligations. Customer will also be entitled, upon written request, to receive copies of relevant terms of Claspo.io agreement with Subprocessors that may Process Personal Data.

9. Technical and Organizational Measures

When Processing Personal Data on behalf of Customer in connection with the Agreement, Claspo.io warrants that Claspo.io has implemented and will maintain appropriate technical and organizational security measures for Processing of such data, including the measures specified in Appendix 2.

These measures are intended to protect Personal Data against accidental or unauthorized loss, destruction, alteration, disclosure or access, and against all other unlawful forms of processing. Additional information concerning such measures may be specified in the Agreement.

Claspo.io undertakes to document the implementation of technical and organisational measures, to provide this documentation to Customer upon request, and to present any update of this documentation to Customer.

10. Audit Rights

Customer may audit, at its own expense, Claspo.io's compliance with the terms of the Agreement and this Data Processing Agreement. If a third party is to conduct the audit, the third party must be mutually agreed to by Customer and Claspo.io and must execute a written confidentiality agreement before conducting the audit.

To request an audit, Customer must submit an audit plan to Claspo.io at least two weeks in advance of the proposed audit date, describing the proposed scope, duration, and start date of the audit. Claspo.io will review the audit plan and provide Customer with any concerns or questions. Claspo.io undertakes to work cooperatively with Customer to agree on a final audit plan.

The audit will be conducted during regular business hours at the applicable facility and may not unreasonably interfere with Claspo.io's business activities.

Customer will provide Claspo.io a copy of any audit reports generated in connection with any audit under this section, unless prohibited by law. Customer may use audit reports only for purposes of meeting its regulatory audit requirements and/or confirming compliance with the requirements of the Agreement, this Data Processing Agreement and applicable law. Audit reports are Confidential Information of the parties under the terms of the Agreement.

Claspo.io undertakes to provide reasonable assistance with any audit conducted by Customer.

Claspo.io agrees that the competent data protection authority has the right to conduct an inspection of Claspo.io and of any Subprocessor.

Claspo.io undertakes to make available to Customer and/or the competent data protection authority all information necessary to demonstrate compliance with the obligations laid down in this Data Processing Agreement and applicable law, and to fully cooperate with Customer and/or any competent data protection authority in the course of any audit and/or inspection.

11. Data Breach Notification

For purposes of this section, "Security Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed on Claspo.io systems or the Claspo.io environment. Claspo.io will promptly inform Customer if Claspo.io determines that Personal Data has been subject to a Security Breach (including by one of Claspo.io's employees) or any other circumstance in which Customer is required to provide notification under applicable law.

Claspo.io will promptly investigate the Security Breach and take reasonable measures to identify its root causes and prevent recurrence. As information is collected or otherwise becomes available, Claspo.io will provide Customer with a description of the Security Breach, the type of data that was the subject of the breach, and other information Customer may reasonably request concerning affected persons.

Parties agree to coordinate in good faith on developing content of any related public statements or any required notices for affected persons and/or relevant data protection authorities.

12. Return and Deletion of Personal Data upon End of the Agreement or at Customer's Request

Unless otherwise provided in Agreement, following termination of Agreement, Claspo.io will return or otherwise make available for retrieval all Customer's Personal Data.

Following return of data, or as otherwise specified in Agreement, Claspo.io will promptly delete all copies of Personal Data Claspo.io may have, except as may be required by law.

13. Legally Required Disclosures

Except as otherwise required by law, Claspo.io will promptly notify Customer of any subpoena, judicial, administrative or arbitral order of an executive or administrative agency or other governmental authority ("Demand") that it receives and which relates to Personal Data Claspo.io is Processing on Customer's behalf.

At Customer's request, Claspo.io will provide Customer with reasonable information in Claspo.io's possession that may be responsive to the Demand and any assistance reasonably required for Customer to respond to the Demand in a timely manner.

By: ………………………………

For and on the behalf of CLASPO INC., duly empowered to sign this Agreement.

By: ………………………………

For and on the behalf of Customer duly empowered to sign this Agreement.

Appendix 1: List of Subprocessors (if applicable)

| Name of Subprocessor | Address | Activity of Subprocessor for You | Subprocessors' Security Measures |
| --- | --- | --- | --- |
| Amazon Web Services | Dublin, Ireland | Leasing servers and other resources to process the data | https://aws.amazon.com/products/security |
| Intercom | California, USA | Live chat & help desk solutions | https://www.intercom.com/security |
| Hetzner Online GmbH | Gunzenhausen, Germany | Leasing servers and other resources to host online services | https://www.hetzner.com/unternehmen/zertifizierung/ |

Appendix 2: Organizational and Technical Measures Implemented by Claspo.io

1. Physical Access Control

Measures in order to prevent unauthorized persons from gaining access to data processing equipment where personal data are processed or used.

Outsourced processing: We host Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide Service in accordance with DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.

Physical and environmental security: We host product infrastructure with multi-tenant, outsourced infrastructure providers. Physical and environmental security controls of providers are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.

2. System Access Control

Measures to prevent data processing systems from being used by unauthorized persons.

Authorization: Customer Data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to underlying application infrastructure. Authorization model in each product is designed to ensure that only appropriately assigned individuals can access relevant features, views, and customization options.

Authentication: We implement uniform password policy for customer products. Customers who interact with products via user interface must authenticate before accessing non-public customer data.

3. Data Access Control

Measures to ensure that persons entitled to use data processing systems are only able to access data within scope and to extent covered by their respective access permission.

Product access: A subset of employees have access to products and to customer data via controlled interfaces. Intent of providing access to subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through "just in time" requests for access; all such requests are logged. Employee roles are reviewed at least once every six months.

Background checks: All employees undergo a third-party background check prior to being extended an employment offer, in accordance with and as permitted by applicable laws. All employees are required to conduct themselves in manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

4. Transmission Control

Measures to prevent personal data from being read, copied, altered or deleted by unauthorized parties during transmission thereof or during transport of data media.

In-transit: We make HTTPS encryption (also referred to as SSL or TLS) available on every one of our login interfaces. The HTTPS implementation uses industry standard algorithms and certificates.

At-rest: We store user passwords following policies that follow industry standard practices for security. We have implemented technologies to ensure that stored data is encrypted at rest.

5. Input Control

Measures to ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems or removed.

Detection: We designed infrastructure to log extensive information about system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities.

Response and tracking: We maintain record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented.

6. Job Control

Measures to ensure that data are processed strictly in accordance with instructions of Customer.

The system is located in a secure cloud. We use encryption for any sensitive data, centralized access management with strict roles, and very limited access to databases for staff. We also log any actions on servers and the cloud platform.

7. Availability Control

Measures to ensure data are protected from accidental destruction or loss.

Infrastructure availability: Infrastructure providers use commercially reasonable efforts to ensure minimum of 99.95% uptime. Providers maintain minimum of N+1 redundancy to power, network, and HVAC services.

Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.

Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry-standard methods.

Products are designed to ensure redundancy and seamless failover. Server instances that support products are also architected with goal of preventing single points of failure.

8. Data Segregation

Measures to separate processing for different purposes and/or operations.

a) Environments used for development, testing and production purposes are physically separated.

b) Usage of production un-anonymized data in development environment is not allowed.

Appendix 3: Model Clauses

Standard Contractual Clauses (processors)

For purposes of Article 26(2) of Directive 95/46/EC for transfer of personal data to processors established in third countries which do not ensure adequate level of data protection.

Data exporter: Customer

Data importer: CLASPO INC., 3524 SILVERSIDE RD STE 35B, WILMINGTON, DE 19810, USA. E-mail: info@claspo.io

Each a "party"; together "the parties", HAVE AGREED on following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to protection of privacy and fundamental rights and freedoms of individuals for transfer by data exporter to data importer of personal data specified in Appendix 1.

Clause 1: Definitions

For purposes of Clauses: (a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject', and 'supervisory authority' shall have same meaning as in Directive 95/46/EC; (b) 'data exporter' means controller who transfers personal data; (c) 'data importer' means processor who agrees to receive from data exporter personal data intended for processing on his behalf after transfer; (d) 'subprocessor' means any processor engaged by data importer who agrees to receive personal data exclusively intended for processing activities on behalf of data exporter; (e) 'applicable data protection law' means legislation protecting fundamental rights and freedoms of individuals regarding processing of personal data applicable to data controller in Member State in which data exporter is established; (f) 'technical and organizational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access.

Clause 2: Details of the Transfer

Details of transfer and in particular special categories of personal data where applicable are specified in Appendix 1 which forms integral part of Clauses.

Clause 3: Third-party Beneficiary Clause

Data subject can enforce against data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e) and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

Data subject can enforce against data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where data exporter has factually disappeared or has ceased to exist in law.

Data subject can enforce against subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both data exporter and data importer have factually disappeared or ceased to exist in law or have become insolvent. Such third-party liability of subprocessor shall be limited to its own processing operations under Clauses.

Clause 4: Obligations of the Data Exporter

Data exporter agrees and warrants:

a. that processing, including transfer itself, of personal data has been and will continue to be carried out in accordance with relevant provisions of applicable data protection law;

b. that it has instructed and throughout duration of services will instruct data importer to process personal data transferred only on data exporter's behalf and in accordance with applicable data protection law and Clauses;

c. that data importer will provide sufficient guarantees in respect of technical and organizational security measures specified in Appendix 2;

d. that after assessment of requirements of applicable data protection law, security measures are appropriate to protect personal data;

e. that it will ensure compliance with security measures;

f. that, if transfer involves special categories of data, data subject has been informed or will be informed before or as soon as possible after transfer;

g. to forward any notification received from data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to data protection supervisory authority;

h. to make available to data subjects upon request a copy of Clauses, with exception of Appendix 2;

i. that, in event of subprocessing, processing activity is carried out in accordance with Clause 11 by subprocessor providing at least same level of protection; and

j. that it will ensure compliance with Clause 4(a) to (i).

Clause 5: Obligations of the Data Importer

Data importer agrees and warrants:

a. to process personal data only on behalf of data exporter and in compliance with its instructions and Clauses;

b. that it has no reason to believe that legislation applicable to it prevents it from fulfilling instructions received from data exporter;

c. that it has implemented technical and organizational security measures specified in Appendix 2 before processing personal data transferred;

d. that it will promptly notify data exporter about: (i) any legally binding request for disclosure of personal data by law enforcement authority, (ii) any accidental or unauthorized access, and (iii) any request received directly from data subjects without responding to that request;

e. to deal promptly and properly with all inquiries from data exporter relating to its processing of personal data;

f. at request of data exporter to submit its data processing facilities for an audit;

g. to make available to data subject upon request a copy of Clauses, or any existing contract for subprocessing;

h. that, in event of subprocessing, it has previously informed data exporter and obtained its prior written consent;

i. that processing services by subprocessor will be carried out in accordance with Clause 11;

j. to send promptly a copy of any subprocessor agreement it concludes under Clauses to data exporter.

Clause 6: Liability

Parties agree that any data subject who has suffered damage as result of any breach of obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from data exporter for damage suffered.

If data subject is not able to bring claim for compensation against data exporter, data importer agrees that data subject may issue claim against data importer as if it were data exporter.

If data subject is not able to bring claim against data exporter or data importer, subprocessor agrees that data subject may issue claim against data subprocessor with regard to its own processing operations under Clauses.

Clause 7: Mediation and Jurisdiction

Data importer agrees that if data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under Clauses, data importer will accept decision of data subject: to refer dispute to mediation, by independent person or, where applicable, by supervisory authority; or to refer dispute to courts in Member State in which data exporter is established.

Clause 8: Cooperation with Supervisory Authorities

Data exporter agrees to deposit copy of this contract with supervisory authority if it so requests or if such deposit is required under applicable data protection law.

Parties agree that supervisory authority has right to conduct audit of data importer, and of any subprocessor.

Data importer shall promptly inform data exporter about existence of legislation applicable to it or any subprocessor preventing conduct of audit.

Clause 9: Governing Law

Clauses shall be governed by law of Member State in which data exporter is established.

Clause 10: Variation of the Contract

Parties undertake not to vary or modify Clauses. This does not preclude parties from adding clauses on business related issues where required as long as they do not contradict Clause.

Clause 11: Subprocessing

Data importer shall not subcontract any of its processing operations performed on behalf of data exporter under Clauses without prior written consent of data exporter. Where data importer subcontracts its obligations under Clauses, with consent of data exporter, it shall do so only by way of written agreement with subprocessor which imposes same obligations on subprocessor as are imposed on data importer under Clauses.

Prior written contract between data importer and subprocessor shall also provide for third-party beneficiary clause as laid down in Clause 3.

Provisions relating to data protection aspects for subprocessing shall be governed by law of Member State in which data exporter is established.

Clause 12: Obligation After the Termination of Personal Data Processing Services

Parties agree that on termination of provision of data processing services, data importer and subprocessor shall, at choice of data exporter, return all personal data transferred and copies thereof to data exporter or shall destroy all personal data and certify to data exporter that it has done so, unless legislation imposed upon data importer prevents it from returning or destroying all or part of personal data transferred.

Data importer and subprocessor warrant that upon request of data exporter and/or of supervisory authority, it will submit its data processing facilities for audit of measures referred to in paragraph 1.

On behalf of the data importer:

Name: Dmytro Kudrenko
Position: Director
Address: 3524 SILVERSIDE RD STE 35B, WILMINGTON, DE 19810, USA

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of Clauses and must be completed and signed by parties.

Data Exporter

Data exporter is (please specify briefly your activities relevant to transfer): Customer

Data Importer

Data importer is (please specify briefly activities relevant to transfer): an online service designed to create and send marketing and transactional messages to third parties

Data Subjects

Personal data transferred concern following categories of data subjects (please specify): See as specified in Article 3.2 of Data Processing Agreement.

Categories of Data

Personal data transferred concern following categories of data (please specify): See as specified in Article 3.1 of Data Processing Agreement.

Special Categories of Data

Personal data transferred concern following special categories of data (please specify): N/A

Processing Operations

Personal data transferred will be subject to following basic processing activities (please specify): See as specified in Service Agreement.

DATA EXPORTER: Customer

DATA IMPORTER: CLASPO INC.

DATA EXPORTER

Name: Customer

Authorised Signature

DATA IMPORTER

Name: CLASPO INC.

Authorised Signature

Appendix 2 to the standard contractual clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

See Appendix 2 of the Data Processing Agreement.