Data Processing Addendum

Version 1.0 | September 2, 2024

 

Note to Applicable Customers: If your organization requires a signed Data Processing Addendum (DPA) to be included in the Agreement between Erudita.Tech and your organization, please inform your Account Executive.

This Data Processing Addendum (this “DPA”) governs the processing of Uploaded Personal Data and Collected Personal Data (collectively, “Customer Personal Data”) by Erudita.Tech (“Vendor”) in relation to natural persons in the European Economic Area (“EEA”) in connection with the Vendor’s provision of the services described in the Agreement. This DPA, once fully executed, will be incorporated into and form part of either (i) the Proposal with Erudita.Tech Subscription Terms, (ii) Erudita.Tech Terms of Service, or (iii) the Master Subscription Agreement (each referred to herein as the “Contract”), which collectively constitute the “Agreement” between customers (“Customer”) and Erudita.Tech (“Vendor”).

In the event of a conflict between the terms of the Agreement and this DPA, the terms of this DPA will prevail. This DPA applies to each subscription for services between Customer and Vendor under the Agreement where Vendor processes Uploaded Personal Data and/or Collected Personal Data in the course of providing the Services.

Definitions:

– “Contract”: The binding terms of the Agreement between the Parties, which may be the Proposal with Erudita.Tech Subscription Terms, Erudita.Tech Terms of Service, or the Master Subscription Agreement.

– “Collected Personal Data”: Personal Data collected by Vendor needed for Customer and its Users to register for and access the Service, including contact and notification details.

– “Controller”: As defined in the GDPR.

– “Controller-to-Processor Clauses”: Module Two of the Standard Contractual Clauses for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914.

– “Data Protection Laws”: Includes the GDPR, UK Data Protection Act 2018, Swiss FADP, CCPA, and PIPL.

– “Processing”: As defined in the GDPR.

– “Processor”: As defined in the GDPR.

– “Processor-to-Controller Clauses”: Module Four of the Standard Contractual Clauses for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914.

– “Security Incident”: An incident resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

– “Services”: All services and Software provided by Vendor as described in one or more Proposals, including Vendor’s web-based applications such as Erudita.Tech™ and associated tools.

– “Standard Contractual Clauses”: The Controller-to-Processor Clauses.

– “Third Country”: A country outside the EEA not recognized by the European Commission as providing adequate data protection.

– “Uploaded Personal Data”: Personal Data uploaded by Customer or its Users to the Service.

– “Users”: Individuals authorized by Customer to use the Service(s), including employees, consultants, and contractors.

 

1. Data Processing

1.1. Scope and Roles  

Vendor will act as a processor for Uploaded Personal Data and as a controller for Collected Personal Data. Customer, as the controller, will be responsible for the protection of Uploaded Personal Data. Vendor will not access Uploaded Personal Data without Customer’s explicit consent.

1.1.1. Customer acknowledges that Vendor does not have general access to the categories of Uploaded Personal Data unless specifically authorized.

1.1.2. The uploading of Prohibited Personal Data is prohibited. Any such uploads will be considered a material breach of the Agreement and this DPA.

1.2. Inaccurate or Outdated Customer Personal Data  

Vendor will notify Customer of any inaccuracies or outdated Customer Personal Data identified during processing.

1.3. Details of Data Processing  

– Subject Matter: Uploaded and/or Collected Personal Data.

– Duration: Determined by Customer.

– Purpose: To provide the Services subscribed to by Customer.

– Nature: Includes intake, storage, archiving, deletion, and processing in line with Customer instructions.

– Type: Uploaded Personal Data and Collected Personal Data as per Vendor’s Privacy Statement.

– Categories: Employees, suppliers, Users, or other individuals whose information is lawfully obtained.

 

2. Customer Instructions

2.1. Vendor will process Customer Personal Data only based on documented instructions from Customer.

2.2. Additional processing outside the scope of this DPA must be accompanied by documented instructions from Customer. Customer will bear any additional costs incurred.

2.3. Vendor will inform Customer if compliance with instructions would violate data protection laws or if legal obligations require disclosure.

 

3. Confidentiality

Vendor will restrict access to Customer Personal Data to authorized personnel and ensure they maintain confidentiality.

 

4. Security of Data Processing

Both parties will implement appropriate measures to protect Customer Personal Data, considering industry standards and applicable laws.

 

5. Sub-processing

5.1. Approved Sub-processors  

Vendor may use Sub-processors listed in Vendor’s Approved Sub-processors list. Customer will be notified of any changes, and may review or object to such changes according to the process described.

5.2. Objections  

Customer may object to new Sub-processors within ten business days. Vendor will address objections and provide explanations.

5.3. Sub-Processor Obligations  

Vendor will ensure Sub-processors adhere to equivalent data protection obligations.

5.4. Liability  

Vendor remains liable for the performance of Sub-processors.

 

6. Vendor Assistance with Data Subject Requests

Vendor will forward data subject requests to Customer and assist with Collected Personal Data requests.

 

7. Optional Security Features

Customer may use optional security features provided by Vendor. Customer is responsible for maintaining security of access credentials.

 

8. Security Incident Notification

Vendor will notify Customer of a Security Incident within 48 hours, including details of the incident and affected data.

 

9. Audits

Vendor will provide necessary information and cooperate with audits conducted by Customer to demonstrate compliance with this DPA.

 

10. Transfers of Customer Personal Data

10.1. Standard Contractual Clauses  

These Clauses apply to transfers to Third Countries. Vendor will establish relevant safeguards and ensure compliance with applicable data protection laws.

10.2. Authorization  

Customer authorizes Vendor to process Customer Personal Data in the US or other countries, subject to GDPR compliance.

 

11. Termination of the DPA

This DPA will remain in effect until terminated according to the Agreement.

 

12. Return or Deletion of Customer Personal Data

Customer can request return or deletion of Customer Personal Data, subject to applicable laws and Vendor’s internal procedures.

 

13. Duties to Inform

Vendor will inform Customer of any confiscation of Customer Personal Data during legal proceedings.

 

14. Entire Agreement; Conflict

This DPA incorporates Module Two of the Standard Contractual Clauses by reference. The Agreement remains in full force except as amended by this DPA.

 

SCHEDULE 1

TRANSFER MECHANISMS FOR EUROPEAN DATA TRANSFERS

1.1. Standard Contractual Clauses  

The Standard Contractual Clauses are incorporated by reference, with specific provisions in Schedule 2.

1.2. Instructions  

This DPA and Agreement constitute Customer’s complete instructions for processing Customer Personal Data.

1.3. Security of Processing  

Vendor’s technical and organizational measures are described in the SOC II Type II report.

1.4. Sub-Processors  

Vendor has Customer’s general authorization to engage Sub-processors.

1.5. Notification and Objection Rights  

Customer’s rights and procedures regarding Sub-processors are described in sections 5.1 to 5.3.

1.6. Audits  

Audits will be conducted as per section 9 of this DPA.

1.7. Redress  

Customer can contact Vendor for complaints or requests regarding Customer Personal Data.

1.8. Supervision  

The Data Protection Commission of Ireland is the competent supervisory authority.

1.9. Government Access Requests  

Vendor will notify Customer of government access requests as per Clause 15(1).

1.10. Governing Law  

The governing law is that of the Republic of Ireland.

 

SCHEDULE 2

ANNEX I

  1. LIST OF PARTIES

– Data Importer  

Name: Erudita.Tech  

Address: Nyelandsvej 24, 4th, DK-2000 Frederiksberg 

Contact person: Representatives of the company 

Role: Processor of Uploaded Personal Data and Controller of Collected Personal Data

2. DESCRIPTION OF TRANSFER

– Categories of Data Subjects  

Employees, suppliers, Users, or other individuals lawfully obtained.

– Categories of Personal Data  

Uploaded Personal Data and Collected Personal Data.

– Sensitive Data  

Not applicable.

– Frequency of Transfer  

Continuous, depending on Service use.

– Nature of Processing  

Intake, storage, archiving, deletion, and processing.

– Purpose  

Provision of Services as described in the Agreement.

– Retention Period  

As specified

At Erudita we only use strictly necessary cookies to ensure a clean, secure navigation for our users. The only cookies we implemented are the cookie necessary for the correct functioning of the Google ReCaptcha anti-spam authenticator and the one in charge of remembering your preferences in the Erudita.tech website. Cookie policy. View more
Cookies settings
Accept
Decline
Erudita's Cookie & Privacy policy.
Privacy & Cookies policy
Cookie name Active

Privacy Policy

Version 1.0 | September 2, 2024

Purpose   This Privacy Statement explains how Erudita collects, uses, discloses, and protects your Personal Information. Definitions   “Personal Information” refers to information about an identifiable individual, including but not limited to names, identification numbers, location data, and online identifiers. Customer Data Exclusion   This Privacy Statement does not cover data you upload to our software, such as project workflow or research data, which is governed by your subscription agreement with Erudita. Exclusions   We do not collect, process, or retain: - Personal information of children under 16 - Personal health or financial information - Any Sensitive Personal Information as defined by the European Union Personal Information We Collect
Information Collected Purpose Legal Basis
Account Information (name, email, business contact) To create and manage your account, notify you of updates Consent; Contractual necessity
Payment Information (contact info, purchase history) To process payments and ensure tax compliance Consent; Contractual necessity; Legitimate interests
Usage Data (IP address, performance metrics) To improve software and user experience Legitimate interests
Information You Provide (support requests, forms) To assist with technical issues and provide information Contractual necessity; Legitimate interests
Student Status (proof of enrollment) To verify eligibility for student accounts Consent; Legitimate interests
Employment Data (resume, payroll info) For hiring, onboarding, and benefits administration Consent; Contractual necessity; Legitimate interests; Compliance with legal obligations
Audit Trail Data (pages visited, changes made) To maintain software functionality and compliance Legitimate interests; Contractual necessity
Marketing Data (contact info, conversation summaries) To provide requested information and promotional content Legitimate interests
Website Data (browsing activity) To respond to inquiries and refine marketing efforts Legitimate interests

Cookies and Tracking Technology We use cookies to enhance your experience on our website (https://www.erudita.tech) and platform (https://www.sysreviewai.erudita.tech). Cookies help with functionality, performance, analytics, targeting, and social media interactions. You can manage cookie settings through your browser. Do Not Track We do not currently respond to Do Not Track (DNT) signals. Sale of Information   We do not sell personal information. Links to Other Websites Our site may contain links to external sites. We are not responsible for their privacy practices, which are governed by their respective policies. Third-Party Service Providers   We may share your Personal Information with third-party providers for services such as support, payments, compliance, and marketing. These providers access only necessary information and comply with data protection laws. Sales and Marketing   We may send marketing information based on your relationship with us or public contact details. You can opt out by contacting us or using unsubscribe links.

Students   If you apply for a student account, you must be of legal age and provide valid consent for processing your Personal Information. Data Storage and Retention   We retain Personal Information as needed for compliance and service purposes. We securely dispose of data once no longer required, unless legally obligated to retain it.

Your Rights   You may have rights to: - Access, update, or delete your Personal Information - Withdraw consent or object to processing - Request data portability or restriction

Contact us at info@erudita.tech to exercise these rights. Protecting Personal Information   We use technical, physical, and administrative measures to protect your data, including encryption, secure access controls, and regular audits. Changes to Privacy Statement   We review and update this Privacy Statement periodically. Significant changes will be communicated through our website or email. Contact Information   For questions or concerns about data protection: Erudita Tech Nyelandsvej 24, 4th, DK-2000 Frederiksberg T: +45 30 64 82 83 E: info@erudita.tech

Save settings
Cookies settings
Scroll to Top