Data Processing
Data Processing Addendum
This Data Processing Addendum ("DPA") supplements the Terms of Service (the "Agreement") entered into by and between the customer signing this DPA ("Customer") and http://Deflekt.ai (“Company”). By executing this DPA, Customer enters into this DPA on its behalf and, where applicable under relevant Data Protection Laws (defined below), on behalf of its Affiliates (defined below). This DPA incorporates the terms of the Agreement, and any undefined terms in this DPA shall have the meanings given in the Agreement.
Definitions
- Affiliate: Refers to (i) an entity in which a party directly or indirectly owns fifty percent (50%) or more of the stock or equity interest, (ii) an entity that owns fifty percent (50%) or more of the stock or equity interest of a party, or (iii) an entity under common control with a party, where fifty percent (50%) or more of the stock or equity interest of both such entity and the party is owned by the same person, while such ownership exists.
- Authorized Sub-Processor: A third party with a legitimate need to access Customer's Personal Data for Company to fulfill its obligations under this DPA or the Agreement,
- Company Account Data: Personal data relating to the relationship between Company and Customer, including contact information of individuals authorized by Customer to access the account and billing information of individuals linked with Customer’s account. It may also include data collected by Company to manage its relationship with Customer, verify identity, or comply with applicable laws and regulations.
- Company Usage Data: Service usage data collected and processed by Company in connection with providing Services, including data identifying the source and destination of communications, activity logs, and data used to optimize and maintain Service performance or prevent system misuse.
- Data Exporter: Refers to Customer.
- Data Importer: Refers to Company.
- Data Protection Laws: Includes any applicable laws and regulations relating to the use or processing of Personal Data in relevant jurisdictions, specifically: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR"); (ii) the Swiss Federal Act on Data Protection; and (iii) the Privacy and Electronic Communications (EC Directive) Regulations 2003. Terms like "Data Subject," "Personal Data," "Personal Data Breach," "processing," "processor," "controller," and "supervisory authority" shall have their meanings as defined in the GDPR.
- EU SCCs: Refers to the standard contractual clauses approved by the European Commission in Decision 2021/914, dated June 4, 2021, for personal data transfers to non-EEA countries.
- ex-EEA Transfer: Transfer of Personal Data processed under GDPR from the Data Exporter to the Data Importer outside the European Economic Area (EEA) that is not covered by an adequacy decision by the European Commission.
- Services: Shall have the meaning as defined in the Agreement.
- Standard Contractual Clauses: Refers to the EU SCCs.
Relationship of the Parties; Processing of Data
The parties acknowledge and agree that, concerning the processing of Personal Data, Customer may act either as a controller or processor, and, except as expressly provided in this DPA or the Agreement, Company is a processor. Customer shall, in its use of the Services, ensure that all processing of Personal Data, and the processing instructions it provides, comply with Data Protection Laws. Customer must ensure that its instructions for processing Personal Data do not cause Company to breach Data Protection Laws and bears sole responsibility for the accuracy, quality, and legality of (i) the Personal Data provided to Company, (ii) the means by which it acquired any such Personal Data, and (iii) the instructions it provides to Company regarding such data processing. Customer shall not provide or make Personal Data available to Company in violation of the Agreement or for Services inconsistent with data requirements and will indemnify Company against any resulting claims or losses.
Company shall not process Personal Data (i) for purposes other than those outlined in the Agreement and/or (ii) inconsistently with this DPA or any documented instructions from Customer, including regarding transfers of Personal Data to third countries or international organizations, unless required by applicable Supervisory Authority law to which Company is subject; if so, Company shall inform Customer of that legal requirement before processing, except where prohibited by law for public interest, or (iii) in violation of Data Protection Laws. Customer hereby instructs Company to process Personal Data per the above conditions and any processing initiated by Customer in its use of the Services.
Exhibit A
Details of Processing
Nature and Purpose of Processing
http://Deflekt.ai (“Company”) will process Customer’s Personal Data as required to deliver the Services under the Agreement, following the purposes specified in the Agreement and this DPA, and according to Customer’s instructions as outlined in this DPA. Processing activities may include, but are not limited to:
- Receiving Data: Collecting, accessing, retrieving, recording, and data entry
- Protecting Data: Securing data through restriction, encryption, and security testing
- Holding Data: Storage, organization, and structuring of data
- Erasing Data: Data destruction and deletion
- Analyzing Data: Assessing product usage and related metrics
- Sharing Data: Disclosing information to approved subprocessors as outlined in this DPA
Duration of Processing
Company will process Customer’s Personal Data for as long as necessary to (i) provide the Services to Customer under the Agreement; (ii) fulfill Company’s legitimate business purposes; or (iii) meet legal or regulatory requirements. Company Account Data and Company Usage Data will be processed and stored according to Company’s privacy policy.
Categories of Data Subjects
Customer’s employees, consultants, contractors, and/or agents.
Categories of Personal Data
Company processes Personal Data as contained in Company Account Data, Company Usage Data, and any other Personal Data provided by Customer, including data Customer collects from its end users and processes through its use of the Services. Categories of Personal Data may include:
- Name, email, job title, username
- Company device identifiers (e.g., serial number), IP address for company devices
- Installed applications on company devices
- Background check verification records (if determined by Customer as Controller)
- Security training records
Sensitive Data or Special Categories of Data
Customers are prohibited from providing sensitive personal data or special categories of data to Company, including, without limitation, any data disclosing criminal history.
Exhibit B
This Exhibit includes information required by Annex I and Annex III of the EU SCCs.
The Parties
Data Exporter(s):
- Name: Customer, as specified and defined in the applicable Order under the Agreement.
- Trading Name (if different):
- Address: Customer’s registered business address or any address provided to http://Deflekt.ai when using the Services.
- Official Registration Number (if any):
- Contact Person: The designated Customer contact who accepts and binds Customer to the Agreement, unless otherwise specified in writing to http://Deflekt.ai.
- Activities Relevant to Data Transferred Under These Clauses: As described in the DPA.
- Signature and Date: EU SCCs are considered executed upon Customer’s formal acceptance of the Agreement.
- Role (Controller/Processor): Controller
Data Importer(s):
- Name: http://Deflekt.ai
- Activities Relevant to Data Transferred Under These Clauses: As described in the DPA.