Version 1.0 | September 2, 2024
Note to Applicable Customers: If your organization requires a signed Data Processing Addendum (DPA) to be included in the Agreement between Erudita.Tech and your organization, please inform your Account Executive.
This Data Processing Addendum (this “DPA”) governs the processing of Uploaded Personal Data and Collected Personal Data (collectively, “Customer Personal Data”) by Erudita.Tech (“Vendor”) in relation to natural persons in the European Economic Area (“EEA”) in connection with the Vendor’s provision of the services described in the Agreement. This DPA, once fully executed, will be incorporated into and form part of either (i) the Proposal with Erudita.Tech Subscription Terms, (ii) Erudita.Tech Terms of Service, or (iii) the Master Subscription Agreement (each referred to herein as the “Contract”), which collectively constitute the “Agreement” between customers (“Customer”) and Erudita.Tech (“Vendor”).
In the event of a conflict between the terms of the Agreement and this DPA, the terms of this DPA will prevail. This DPA applies to each subscription for services between Customer and Vendor under the Agreement where Vendor processes Uploaded Personal Data and/or Collected Personal Data in the course of providing the Services.
Definitions:
– “Contract”: The binding terms of the Agreement between the Parties, which may be the Proposal with Erudita.Tech Subscription Terms, Erudita.Tech Terms of Service, or the Master Subscription Agreement.
– “Collected Personal Data”: Personal Data collected by Vendor needed for Customer and its Users to register for and access the Service, including contact and notification details.
– “Controller”: As defined in the GDPR.
– “Controller-to-Processor Clauses”: Module Two of the Standard Contractual Clauses for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914.
– “Data Protection Laws”: Includes the GDPR, UK Data Protection Act 2018, Swiss FADP, CCPA, and PIPL.
– “Processing”: As defined in the GDPR.
– “Processor”: As defined in the GDPR.
– “Processor-to-Controller Clauses”: Module Four of the Standard Contractual Clauses for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914.
– “Security Incident”: An incident resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
– “Services”: All services and Software provided by Vendor as described in one or more Proposals, including Vendor’s web-based applications such as Erudita.Tech™ and associated tools.
– “Standard Contractual Clauses”: The Controller-to-Processor Clauses.
– “Third Country”: A country outside the EEA not recognized by the European Commission as providing adequate data protection.
– “Uploaded Personal Data”: Personal Data uploaded by Customer or its Users to the Service.
– “Users”: Individuals authorized by Customer to use the Service(s), including employees, consultants, and contractors.
1. Data Processing
1.1. Scope and Roles
Vendor will act as a processor for Uploaded Personal Data and as a controller for Collected Personal Data. Customer, as the controller, will be responsible for the protection of Uploaded Personal Data. Vendor will not access Uploaded Personal Data without Customer’s explicit consent.
1.1.1. Customer acknowledges that Vendor does not have general access to the categories of Uploaded Personal Data unless specifically authorized.
1.1.2. The uploading of Prohibited Personal Data is prohibited. Any such uploads will be considered a material breach of the Agreement and this DPA.
1.2. Inaccurate or Outdated Customer Personal Data
Vendor will notify Customer of any inaccuracies or outdated Customer Personal Data identified during processing.
1.3. Details of Data Processing
– Subject Matter: Uploaded and/or Collected Personal Data.
– Duration: Determined by Customer.
– Purpose: To provide the Services subscribed to by Customer.
– Nature: Includes intake, storage, archiving, deletion, and processing in line with Customer instructions.
– Type: Uploaded Personal Data and Collected Personal Data as per Vendor’s Privacy Statement.
– Categories: Employees, suppliers, Users, or other individuals whose information is lawfully obtained.
2. Customer Instructions
2.1. Vendor will process Customer Personal Data only based on documented instructions from Customer.
2.2. Additional processing outside the scope of this DPA must be accompanied by documented instructions from Customer. Customer will bear any additional costs incurred.
2.3. Vendor will inform Customer if compliance with instructions would violate data protection laws or if legal obligations require disclosure.
3. Confidentiality
Vendor will restrict access to Customer Personal Data to authorized personnel and ensure they maintain confidentiality.
4. Security of Data Processing
Both parties will implement appropriate measures to protect Customer Personal Data, considering industry standards and applicable laws.
5. Sub-processing
5.1. Approved Sub-processors
Vendor may use Sub-processors listed in Vendor’s Approved Sub-processors list. Customer will be notified of any changes, and may review or object to such changes according to the process described.
5.2. Objections
Customer may object to new Sub-processors within ten business days. Vendor will address objections and provide explanations.
5.3. Sub-Processor Obligations
Vendor will ensure Sub-processors adhere to equivalent data protection obligations.
5.4. Liability
Vendor remains liable for the performance of Sub-processors.
6. Vendor Assistance with Data Subject Requests
Vendor will forward data subject requests to Customer and assist with Collected Personal Data requests.
7. Optional Security Features
Customer may use optional security features provided by Vendor. Customer is responsible for maintaining security of access credentials.
8. Security Incident Notification
Vendor will notify Customer of a Security Incident within 48 hours, including details of the incident and affected data.
9. Audits
Vendor will provide necessary information and cooperate with audits conducted by Customer to demonstrate compliance with this DPA.
10. Transfers of Customer Personal Data
10.1. Standard Contractual Clauses
The Standard Contractual Clauses apply to transfers to Third Countries. Vendor will establish relevant safeguards and ensure compliance with applicable data protection laws.
10.2. Authorization
Customer authorizes Vendor to process Customer Personal Data in the US or other countries, subject to GDPR compliance.
11. Termination of the DPA
This DPA will remain in effect until terminated according to the Agreement.
12. Return or Deletion of Customer Personal Data
Customer can request return or deletion of Customer Personal Data, subject to applicable laws and Vendor’s internal procedures.
13. Duties to Inform
Vendor will inform Customer of any confiscation of Customer Personal Data during legal proceedings.
14. Entire Agreement; Conflict
This DPA incorporates Module Two of the Standard Contractual Clauses by reference. The Agreement remains in full force except as amended by this DPA.
SCHEDULE 1
TRANSFER MECHANISMS FOR EUROPEAN DATA TRANSFERS
1.1. Standard Contractual Clauses
The Standard Contractual Clauses are incorporated by reference, with specific provisions in Schedule 2.
1.2. Instructions
This DPA and Agreement constitute Customer’s complete instructions for processing Customer Personal Data.
1.3. Security of Processing
Vendor’s technical and organizational measures are described in the SOC 2 Type II report.
1.4. Sub-Processors
Vendor has Customer’s general authorization to engage Sub-processors.
1.5. Notification and Objection Rights
Customer’s rights and procedures regarding Sub-processors are described in sections 5.1 to 5.3.
1.6. Audits
Audits will be conducted as per section 9 of this DPA.
1.7. Redress
Customer can contact Vendor for complaints or requests regarding Customer Personal Data.
1.8. Supervision
The Data Protection Commission of Ireland is the competent supervisory authority.
1.9. Government Access Requests
Vendor will notify Customer of government access requests as per Clause 15(1).
1.10. Governing Law
The governing law is that of the Republic of Ireland.
SCHEDULE 2
ANNEX I
– Data Importer
Name: Erudita.Tech
Address: Nyelandsvej 24, 4th, DK-2000 Frederiksberg
Contact person: Representatives of the company
Role: Processor of Uploaded Personal Data and Controller of Collected Personal Data
2. DESCRIPTION OF TRANSFER
– Categories of Data Subjects
Employees, suppliers, Users, or other individuals whose information is lawfully obtained.
– Categories of Personal Data
Uploaded Personal Data and Collected Personal Data.
– Sensitive Data
Not applicable.
– Frequency of Transfer
Continuous, depending on Service use.
– Nature of Processing
Intake, storage, archiving, deletion, and processing.
– Purpose
Provision of Services as described in the Agreement.
– Retention Period
As specified