Data Processing Addendum

Version 1.0 | September 2, 2024

 

Note to Applicable Customers: If your organization requires a signed Data Processing Addendum (DPA) to be included in the Agreement between Erudita.Tech and your organization, please inform your Account Executive.

This Data Processing Addendum (this “DPA”) governs the processing of Uploaded Personal Data and Collected Personal Data (collectively, “Customer Personal Data”) by Erudita.Tech (“Vendor”) in relation to natural persons in the European Economic Area (“EEA”) in connection with the Vendor’s provision of the services described in the Agreement. This DPA, once fully executed, will be incorporated into and form part of either (i) the Proposal with Erudita.Tech Subscription Terms, (ii) Erudita.Tech Terms of Service, or (iii) the Master Subscription Agreement (each referred to herein as the “Contract”), which collectively constitute the “Agreement” between customers (“Customer”) and Erudita.Tech (“Vendor”).

In the event of a conflict between the terms of the Agreement and this DPA, the terms of this DPA will prevail. This DPA applies to each subscription for services between Customer and Vendor under the Agreement where Vendor processes Uploaded Personal Data and/or Collected Personal Data in the course of providing the Services.

Definitions:

– “Contract”: The binding terms of the Agreement between the Parties, which may be the Proposal with Erudita.Tech Subscription Terms, Erudita.Tech Terms of Service, or the Master Subscription Agreement.

– “Collected Personal Data”: Personal Data collected by Vendor needed for Customer and its Users to register for and access the Service, including contact and notification details.

– “Controller”: As defined in the GDPR.

– “Controller-to-Processor Clauses”: Module Two of the Standard Contractual Clauses for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914.

– “Data Protection Laws”: Includes the GDPR, UK Data Protection Act 2018, Swiss FADP, CCPA, and PIPL.

– “Processing”: As defined in the GDPR.

– “Processor”: As defined in the GDPR.

– “Processor-to-Controller Clauses”: Module Four of the Standard Contractual Clauses for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914.

– “Security Incident”: An incident resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

– “Services”: All services and Software provided by Vendor as described in one or more Proposals, including Vendor’s web-based applications such as Erudita.Tech™ and associated tools.

– “Standard Contractual Clauses”: The Controller-to-Processor Clauses.

– “Third Country”: A country outside the EEA not recognized by the European Commission as providing adequate data protection.

– “Uploaded Personal Data”: Personal Data uploaded by Customer or its Users to the Service.

– “Users”: Individuals authorized by Customer to use the Service(s), including employees, consultants, and contractors.

 

1. Data Processing

1.1. Scope and Roles  

Vendor will act as a processor for Uploaded Personal Data and as a controller for Collected Personal Data. Customer, as the controller, will be responsible for the protection of Uploaded Personal Data. Vendor will not access Uploaded Personal Data without Customer’s explicit consent.

1.1.1. Customer acknowledges that Vendor does not have general access to the categories of Uploaded Personal Data unless specifically authorized.

1.1.2. The uploading of Prohibited Personal Data is prohibited. Any such uploads will be considered a material breach of the Agreement and this DPA.

1.2. Inaccurate or Outdated Customer Personal Data  

Vendor will notify Customer of any inaccuracies or outdated Customer Personal Data identified during processing.

1.3. Details of Data Processing  

– Subject Matter: Uploaded and/or Collected Personal Data.

– Duration: Determined by Customer.

– Purpose: To provide the Services subscribed to by Customer.

– Nature: Includes intake, storage, archiving, deletion, and processing in line with Customer instructions.

– Type: Uploaded Personal Data and Collected Personal Data as per Vendor’s Privacy Statement.

– Categories: Employees, suppliers, Users, or other individuals whose information is lawfully obtained.

 

2. Customer Instructions

2.1. Vendor will process Customer Personal Data only based on documented instructions from Customer.

2.2. Additional processing outside the scope of this DPA must be accompanied by documented instructions from Customer. Customer will bear any additional costs incurred.

2.3. Vendor will inform Customer if compliance with instructions would violate data protection laws or if legal obligations require disclosure.

 

3. Confidentiality

Vendor will restrict access to Customer Personal Data to authorized personnel and ensure they maintain confidentiality.

 

4. Security of Data Processing

Both parties will implement appropriate measures to protect Customer Personal Data, considering industry standards and applicable laws.

 

5. Sub-processing

5.1. Approved Sub-processors  

Vendor may use Sub-processors listed in Vendor’s Approved Sub-processors list. Customer will be notified of any changes, and may review or object to such changes according to the process described.

5.2. Objections  

Customer may object to new Sub-processors within ten business days. Vendor will address objections and provide explanations.

5.3. Sub-Processor Obligations  

Vendor will ensure Sub-processors adhere to equivalent data protection obligations.

5.4. Liability  

Vendor remains liable for the performance of Sub-processors.

 

6. Vendor Assistance with Data Subject Requests

Vendor will forward data subject requests to Customer and assist with Collected Personal Data requests.

 

7. Optional Security Features

Customer may use optional security features provided by Vendor. Customer is responsible for maintaining security of access credentials.

 

8. Security Incident Notification

Vendor will notify Customer of a Security Incident within 48 hours, including details of the incident and affected data.

 

9. Audits

Vendor will provide necessary information and cooperate with audits conducted by Customer to demonstrate compliance with this DPA.

 

10. Transfers of Customer Personal Data

10.1. Standard Contractual Clauses  

These Clauses apply to transfers to Third Countries. Vendor will establish relevant safeguards and ensure compliance with applicable data protection laws.

10.2. Authorization  

Customer authorizes Vendor to process Customer Personal Data in the US or other countries, subject to GDPR compliance.

 

11. Termination of the DPA

This DPA will remain in effect until terminated according to the Agreement.

 

12. Return or Deletion of Customer Personal Data

Customer can request return or deletion of Customer Personal Data, subject to applicable laws and Vendor’s internal procedures.

 

13. Duties to Inform

Vendor will inform Customer of any confiscation of Customer Personal Data during legal proceedings.

 

14. Entire Agreement; Conflict

This DPA incorporates Module Two of the Standard Contractual Clauses by reference. The Agreement remains in full force except as amended by this DPA.

 

SCHEDULE 1

TRANSFER MECHANISMS FOR EUROPEAN DATA TRANSFERS

1.1. Standard Contractual Clauses  

The Standard Contractual Clauses are incorporated by reference, with specific provisions in Schedule 2.

1.2. Instructions  

This DPA and Agreement constitute Customer’s complete instructions for processing Customer Personal Data.

1.3. Security of Processing  

Vendor’s technical and organizational measures are described in the SOC II Type II report.

1.4. Sub-Processors  

Vendor has Customer’s general authorization to engage Sub-processors.

1.5. Notification and Objection Rights  

Customer’s rights and procedures regarding Sub-processors are described in sections 5.1 to 5.3.

1.6. Audits  

Audits will be conducted as per section 9 of this DPA.

1.7. Redress  

Customer can contact Vendor for complaints or requests regarding Customer Personal Data.

1.8. Supervision  

The Data Protection Commission of Ireland is the competent supervisory authority.

1.9. Government Access Requests  

Vendor will notify Customer of government access requests as per Clause 15(1).

1.10. Governing Law  

The governing law is that of the Republic of Ireland.

 

SCHEDULE 2

ANNEX I

1. LIST OF PARTIES

– Data Importer  

Name: Erudita.Tech  

Address: Nyelandsvej 24, 4th, DK-2000 Frederiksberg 

Contact person: Representatives of the company 

Role: Processor of Uploaded Personal Data and Controller of Collected Personal Data

2. DESCRIPTION OF TRANSFER

– Categories of Data Subjects  

Employees, suppliers, Users, or other individuals whose information is lawfully obtained.

– Categories of Personal Data  

Uploaded Personal Data and Collected Personal Data.

– Sensitive Data  

Not applicable.

– Frequency of Transfer  

Continuous, depending on Service use.

– Nature of Processing  

Intake, storage, archiving, deletion, and processing.

– Purpose  

Provision of Services as described in the Agreement.

– Retention Period  

As specified
