Data Processing Addendum
1. Terms
This addendum (the “Addendum”) supplements the TypingDNA Authentication API - Standard Service Terms for Free and Pro Users Agreement and regulates the parties’ obligations in relation to personal data processing.
For the purposes of this Addendum, the Customer, as a Controller, and the Company, as a Processor, have concluded this Addendum in accordance with the legal requirements in the field of personal data protection and in order to establish their responsibilities regarding the protection of personal data which may be processed as a result of the Parties entering into the TypingDNA Authentication API Standard Service Terms for Free and Pro Users Agreement. The Customer, which in this case is the Controller, has full control over the data sent for processing. This Addendum does not apply to the data processed as a result of using third party cloud integrations, which are subject to their own terms and conditions and privacy policies. The Controller is responsible for complying with its applicable data protection laws and for assessing whether the use of the Services meets its compliance and contractual obligations.
Whereas:
(i) the parties concluded a TypingDNA Authentication API - Standard Service Terms for Free and Pro Users Agreement pursuant to which the COMPANY offers the CUSTOMER the SERVICE (as defined in the AGREEMENT) consisting of an online service developed and licensed by the COMPANY, in the form of an API, for the purpose of personal authentication and identification using typing patterns;
(ii) the CUSTOMER may enrol its own END-USERS in the SERVICE;
(iii) the CUSTOMER collects, processes and uses the END-USERS’ personal data (including, but not limited to, their typing patterns) for its own purposes and is, therefore, the “data controller” in respect of such END-USER DATA, within the meaning of the General Data Protection Regulation¹ (the “GDPR”);
(iv) the CUSTOMER may provide the COMPANY certain personal data (as defined in the GDPR) about its END-USERS to be stored and/or processed for limited purposes in the name and on behalf of the CUSTOMER, and in accordance with the CUSTOMER’S instructions, the COMPANY acting as a Data Processor for the CUSTOMER;
(v) the COMPANY may share or otherwise transfer certain personal data for the provision of the SERVICE to TYPINGDNA INC as part of the COMPANY’s processing activities.
This Addendum has been entered into to regulate the respective rights and obligations of the CUSTOMER and the COMPANY with respect to the processing by the latter of certain END-USER DATA (as defined below) for and on behalf of the CUSTOMER.
1. End-User Data and Purpose of Processing
1.1. The CUSTOMER provides to the COMPANY such limited personal data (within the meaning of the GDPR) about its own END-USERS who are enrolled in the SERVICE, as listed in Appendix 1 hereto (hereinafter the “END-USER DATA”).
1.2. Depending on CUSTOMER requirements, or future legislative changes, CUSTOMER may transfer other END-USER DATA in addition to those reflected in Appendix 1, and the processing of such (additional) END-USER DATA by the COMPANY hereunder shall be subject to the same rules as provided in this Addendum.
1.3. The COMPANY shall process the END-USER DATA solely for the purposes (and strictly to the extent) required to provide the SERVICE, as described further in Appendix 2 (the “Purposes of Processing”) and they shall not collect, use or otherwise process the End-User Data other than as required for the Purposes of Processing.
2. Representations and Warranties of the CUSTOMER
2.1. The CUSTOMER represents and warrants that it collects, uses and processes the End-User Data in accordance with all applicable data privacy rules and, in particular, the GDPR.
2.2. The CUSTOMER represents and warrants that the processing of the End-User Data provided to the COMPANY hereunder has a legal basis and lawful purpose.
2.3. The CUSTOMER represents and warrants to the COMPANY that it has obtained adequate consent from the End-Users with respect to the collection and processing of the End-User Data by the CUSTOMER and the further processing of the End-User Data by the COMPANY under this Addendum.
2.4. The CUSTOMER represents and warrants to the COMPANY that it has provided all requisite information to the END-USERS (as data subjects) regarding the collection and processing of their personal data (including the END-USER DATA provided to the COMPANY hereunder), as may be required under the applicable data privacy rules and, in particular, in accordance with GDPR standards and requirements.
2.5. In particular, the CUSTOMER represents and warrants to the COMPANY that it has notified the END-USER with respect to the processing of their END-USER DATA by the COMPANY for the Purposes of Processing regulated under this Addendum.
2.6. The COMPANY are not required to verify whether such consent and/or prior information has been duly obtained from/given to the END-USERS with respect to the END-USER DATA disclosed to the DATA PROCESSORS hereunder, and the CUSTOMER shall bear all liability related thereto, and shall indemnify the COMPANY for any failure or omission to do the same which may result in any adverse consequences (including fines and/or other sanctions or penalties by the relevant data privacy supervisory authority) for the COMPANY.
2.7. The parties acknowledge and agree that the COMPANY do not have immediate visibility over the CUSTOMER’s END-USERS, or adequate methods of contacting the END-USERS, and that therefore it would be impossible (or otherwise it would imply disproportionate efforts) for the COMPANY to comply with information requirements vis-à-vis the data subjects as required under the GDPR.
2.8. Notwithstanding the above, the CUSTOMER shall take all the measures to procure that – to the greatest extent possible – any information about the END-USERS that is disclosed/transferred to the COMPANY under this Addendum is de-personalised, anonymised and/or otherwise encrypted/hashed so as to no longer constitute “personal data” within the meaning of the GDPR by the time it is disclosed/transferred to the COMPANY.
2.9. The CUSTOMER shall take all the measures to ensure that – to the greatest extent possible – any text typed by the END-USER when using the SERVICE shall not contain any personal data of the END-USER.
2.10. Any such END-USER DATA which constitutes “personal data” under the GDPR and which the CUSTOMER has not been able to de-personalise/anonymise/encrypt/hash prior to disclosure/transfer to the COMPANY shall be subject to the rules set out in this Addendum.
2.11. The Parties shall collaborate at all times to ensure that the amount of “personal data” about the END-USERS disclosed by the CUSTOMER to the COMPANY and processed under this Addendum is limited to such END-USER DATA as may be strictly required for the purposes of the SERVICE.
3. Representations and Warranties of the COMPANY
3.1. The COMPANY represent and warrant that they have implemented appropriate technical and organisational measures for the processing of the END-USER DATA under this Addendum, so that processing will meet the requirements of the GDPR and ensure the protection of the rights of the END-USERS as “data subjects” under the GDPR.
3.2. The COMPANY hereby represents and warrants to the DATA CONTROLLER that it has adhered to the EU-US Privacy Shield Framework Principles (the “Principles”) (https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t00000004qAg) and has self-certified compliance therewith, and that it will continue to comply with the Principles and be listed on the Privacy Shield List administered by the U.S. Department of Commerce's International Trade Administration.
4. COMPANY’s obligations
4.1. The COMPANY:
(i) Shall process the END-USER DATA only on instructions from the CUSTOMER and only for the Purposes of Processing regulated by this Addendum;
(ii) Shall ensure that any persons authorised by the COMPANY to process the End-User Data have committed themselves to confidentiality;
(iii) May engage another data processor or sub-contract any obligations of the COMPANY under this Addendum (other than within the Group), without the CUSTOMER’s prior written approval;
The parties hereby acknowledge and agree that the processing and the storage of the END-USER DATA by the COMPANY with TYPINGDNA INC and/or third party cloud services providers does not constitute a sub-contracting of the COMPANY’S obligations hereunder, and the third party cloud services providers do not constitute data processors in relation to such END-USER DATA within the meaning of the GDPR;
(iv) Shall inform the CUSTOMER promptly if, in their opinion, an instruction conflicts with the GDPR or other provisions of the relevant applicable local law regulating data privacy matters (and, in case the COMPANY consider – in their reasoned opinion – that such instruction is in breach of the law, the COMPANY may refuse to act on such instruction);
(v) Shall assist the CUSTOMER by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the CUSTOMER’s obligation to respond to requests for exercising the END-USERS’ rights under the GDPR;
(vi) Shall adopt necessary measures to ensure the security of the END-USER DATA provided by the CUSTOMER and take adequate technical and organisational measures to ensure an adequate level of security, proportionate to the risks posed to the rights and freedoms of the END-USERS;
(vii) Shall delete or return, at the choice of the CUSTOMER, all the END-USER DATA at the end of the Agreement, and shall delete existing copies thereof;
(viii) Shall make available to the CUSTOMER all information necessary to demonstrate compliance with the obligations set forth in this Addendum, and shall – subject to reasonable prior written notice – allow for and contribute to audits and inspections conducted by the CUSTOMER (or a person designated by the latter);
(ix) Shall ensure that individuals engaged by it for the purposes of this Addendum and/or the SERVICES under the AGREEMENT have received adequate training in data protection and security regulations;
(x) Shall promptly forward any requests from data subjects and/or a supervisory authority in relation to the processing of END-USER DATA under this Addendum to the CUSTOMER and shall provide the latter with information and support as may be reasonably requested by the CUSTOMER to enable it to prepare a response;
(xi) Shall cooperate with the CUSTOMER in implementing any measures that may be imposed by any supervisory authority in relation to the data processing regulated under this Addendum;
(xii) Shall take such technical and organisational measures, including physical and IT security measures, to prevent accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the END-USER DATA and shall ensure the security, integrity, availability and resilience of the systems and services used to process the END-USER DATA;
(xiii) Shall implement such other instructions received from the CUSTOMER (such as rectifying, deleting or updating) with respect to the END-USER DATA processed under this Addendum;
(xiv) Shall report any data breach involving the END-USER DATA immediately to the CUSTOMER and assist the CUSTOMER in any remedial action or reporting that may need to be done in relation to such data breach incident.
5. Term and Termination
5.1. This Addendum shall terminate on the same date as the main Agreement.
5.2. Upon termination of this Addendum, all END-USER DATA received from the CUSTOMER during the term hereof shall be, subject to the CUSTOMER’s decision, either deleted or returned by the COMPANY to the CUSTOMER in a structure defined by the CUSTOMER.
5.3. Upon termination of this Addendum, all existing copies of such END-USER DATA shall be deleted (unless the law requires that the COMPANY maintain such data).
6. Governing law
The provisions of this Addendum shall be governed by the law applicable to the main Agreement. Notwithstanding the above, the standards of data privacy and data confidentiality/security to which the Parties are bound shall be assessed by reference to the GDPR (unless the law applicable as per the above is stricter, in which case it shall prevail).
In witness whereof, the Parties have executed this Addendum, on the date first written above, through their duly authorised representatives.
Appendix 1
End-User Data
(i) End-User typing patterns
(ii) Any other de-personalised, anonymised and/or otherwise encrypted/hashed data received from the END-USER
Appendix 2
Purposes of processing
The COMPANY shall process the END-USER DATA only for the following permitted purposes:
(i) storing the End-User Data, on behalf of the CUSTOMER, on the COMPANY’s own or third-party servers (including cloud services);
(ii) providing the SERVICE as provided under the Agreement i.e. matching/confirming/authenticating the typing patterns of the End-Users;
(iii) Research and Development;
to improve the Company's services and products or create new services and products.
¹ Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC