Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (the “ToS”) of CaspianDB Inc. (“Service Provider”) and governs the Personal Data Processed in connection with the Services (as defined in the ToS) that Service Provider provides to the Customer (“Customer”).

1.

The subject matter of the data processing is the performance of the Services pursuant to the ToS, and the Processing shall be carried out for the duration of the ToS. This DPA replaces and prevails over any previously existing data protection provisions in the ToS.

2.

Service Provider agrees to comply with the following provisions with respect to any Personal Data Processed by Service Provider in connection with its provision of the Services. References to the ToS will be construed as including this DPA and, except as modified below, the terms of the ToS shall remain in full force and effect.

3.

The Parties recognize that, depending upon the region or jurisdiction where the End User is located, different data protection rules and regulations may apply:

the Personal Data that Service Provider processes is subject to the GDPR because the End User is located in the EEA or the United Kingdom; or

the Personal Information that Service Provider processes is subject to the CCPA because the End User is a California Consumer.

4.

Any capitalized terms not defined herein shall have the respective meanings given to them in the ToS. In the event of any conflict between this DPA and the ToS, this DPA will prevail.

1. DEFINITIONS

“Adequate Country” means a country or territory in respect of which the European Commission has adopted an adequacy decision under the GDPR, recognizing it as providing adequate protection for Personal Data.

“Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data.

“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.

“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”) as supplemented by the Data Protection Act 2018, and the California Consumer Privacy Act (“CCPA”).

“Data Subject” means the individual to whom Personal Data relates.

“Personal Data” means any information relating to an identified or identifiable natural person, or as otherwise defined in applicable Data Protection Laws, and as described in Appendix A. No sensitive data shall be processed under the ToS.

“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“process”, “processes” and “processed” shall have the same meaning).

“Sale” has the meaning set forth in the CCPA.

“Security Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Personal Data transmitted, stored or otherwise Processed on Service Provider’s equipment or in Service Provider’s facilities.

“Sub-Processor” means any Data Processor engaged by Service Provider to Process Personal Data on Service Provider’s behalf.

2. PROCESSING OF PERSONAL DATA

2.1. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data:
(I) Customer is the Data Controller and Service Provider is the Data Processor with respect to the Processing of Personal Data of Data Subjects in the EEA described in Appendix A only;
(II) Service Provider is the Data Controller of Personal Data Processed within the CaspianDB data Platform. For the avoidance of doubt, such information is used by Service Provider to provide its Services to Customer and to its other clients benefiting from the same Services. Service Provider undertakes to comply with its obligations as Data Controller under Data Protection Laws, and such Processing falls outside the scope of this DPA;
(III) Customer is a “Business” and Service Provider is a “Service Provider”, as those terms are defined under the CCPA, with respect to Personal Data of Data Subjects subject to the CCPA. If a party considers that the role of Service Provider no longer corresponds with the understanding of the parties stated in this paragraph 2.1, that party shall promptly notify the other party, and the parties shall discuss and agree in good faith such steps or amendments to this DPA as may be required to reflect Service Provider’s role and/or to ensure that the requirements of the Data Protection Laws are met.

2.2. Each Party shall comply with its obligations under applicable Data Protection Laws. Service Provider shall Process Personal Data in accordance with the requirements of the Data Protection Laws. Customer shall supervise the Processing, document in writing any instruction given to Service Provider, and ensure that its instructions for the Processing of Personal Data comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality and legality of Personal Data and authorizes Service Provider to collect Personal Data through its Platform. Customer instructs Service Provider to Process Personal Data for the purposes described in Appendix A and to comply with other reasonable written instructions provided by Customer where such instructions are consistent with the terms of the ToS. Service Provider may Process Personal Data other than on the written instructions of Customer where required by applicable law, provided that Service Provider informs Customer via the Customer’s Account or the email address provided at registration, unless such notice is prohibited by applicable law. If Service Provider believes or becomes aware that any of Customer’s instructions conflicts with any Data Protection Laws, Service Provider shall immediately inform Customer via the same channels.

2.3. During the provision of the Services, Service Provider shall treat Personal Data as confidential information.

2.4. Customer acknowledges and agrees that Service Provider may, at its own discretion, engage Sub-Processors in the provision of the Services. In addition, Customer agrees that Service Provider may from time to time engage new Sub-Processors in connection with the provision of the Services, provided that Customer is given prior written notice via the Customer’s Account or the email address provided at registration and an opportunity to object to the appointment by deleting its Account. Such notification shall specify the Processing concerned and the duration of the Sub-Processing, along with any other appropriate information. Customer shall have ten (10) calendar days from the date of receipt of the notice to raise any reasoned objections. Service Provider agrees that any agreement with an approved Sub-Processor shall include data protection obligations no less protective than those set out in this DPA. Service Provider shall remain responsible for each approved Sub-Processor’s compliance with the obligations of this DPA. Service Provider shall be liable for the acts and omissions of its Sub-Processors to the same extent Service Provider would be liable if performing the services of each Sub-Processor directly under the terms of this DPA, except as otherwise set forth in the ToS.

2.5 Customer agrees and warrants that it will provide Data Subjects with adequate information regarding the Processing of Personal Data and will implement within its systems and sites a consent-management or opt-out solution (in particular to inform Data Subjects and allow them to opt out of the Sale of Customer Personal Data) that complies with applicable Data Protection Laws, including with respect to Service Provider’s and its Sub-Processors’ Processing, before and while using the Services. Service Provider will provide all information required to be given to such Data Subjects, and Customer is responsible for ensuring that consent is obtained prior to the Processing. Customer will provide its Data Subjects with a link to Service Provider’s privacy policy (Privacy statement). Where the legal basis is consent, Customer shall, upon reasonable request, assist Service Provider in providing records of consent in a suitable form; such proof may be provided by Customer giving Service Provider access to the records of its consent-management solution.

2.6 No Sale of Customer Personal Information to CaspianDB. Customer and Service Provider hereby acknowledge and agree that in no event shall the transfer of Customer Personal Information from Customer to Service Provider pursuant to the Agreement constitute a sale of information to CaspianDB, and that nothing in the Agreement shall be construed as providing for the sale of Customer Personal Information to CaspianDB.

2.7 Limitations on Use and Disclosure. Service Provider is prohibited from using or disclosing Customer Personal Information for any purpose other than the specific purpose of performing the Services specified in the Agreement, the permitted business purposes set out under applicable law, and as required under applicable law. Service Provider hereby certifies that it understands the foregoing restriction and will comply with it in accordance with the requirements of applicable U.S. Data Protection Laws.

3. RIGHTS OF DATA SUBJECT

3.1. Customer shall provide the information required by Data Protection Laws to Data Subjects when their Personal Data is collected.

3.2. To the extent Customer, in its use or receipt of the Services, does not have the ability to correct, amend, restrict, block or delete Personal Data as required by Data Protection Laws, Service Provider shall comply with reasonable requests by Customer to facilitate such actions, to the extent Service Provider is legally permitted and able to do so, and within the time limits set forth by Data Protection Laws.

3.3. When Service Provider acts as a Data Processor: (i) it shall, to the extent legally permitted, promptly notify Customer via the Customer’s Account or the email address provided at registration if it receives a request from a Data Subject for access to, correction, amendment or deletion of, or objection to the Processing of, that person’s Personal Data; and (ii) it shall not respond to any such Data Subject request without Customer’s prior written consent, except to confirm that the request relates to Customer. To the extent that Customer responds to any such Data Subject request, Service Provider shall provide Customer with commercially reasonable cooperation and assistance, including by implementing appropriate technical and organizational measures, in relation to the handling of the Data Subject’s request, to the extent legally permitted.

4. SERVICE PROVIDER PERSONNEL

4.1. Service Provider shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and are subject to obligations of confidentiality which shall survive the termination of that individual’s engagement with Service Provider.

4.2. Service Provider shall ensure that access to Personal Data is limited to those personnel who require such access to fulfill Service Provider’s obligations under the ToS.

4.3. Data Protection Officer. Service Provider has appointed a data protection officer where such appointment is required by Data Protection Laws. The appointed person may be reached via email at:  info@caspiandb.com.

5. SECURITY; AUDIT RIGHTS; PRIVACY IMPACT ASSESSMENTS

5.1. Service Provider shall secure Personal Data as required by Data Protection Laws.

5.2. Service Provider shall make available to Customer, upon request, all information necessary to demonstrate compliance with the obligations laid down in Data Protection Laws and this DPA and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer provided such audits are at Customer’s own expense.

5.3. Service Provider will reasonably cooperate with Customer to assist Customer in ensuring compliance with Articles 32 to 36 of the GDPR.

6. SECURITY BREACH MANAGEMENT AND NOTIFICATION

6.1. If Service Provider becomes aware of a Security Breach, Service Provider shall: (I) notify Customer of the Security Breach via the Customer’s Account or the email address provided at registration, after becoming aware of the Security Breach, within a period that allows Customer to fulfil its own notification obligations towards the competent supervisory authority within seventy-two (72) hours after having become aware of the Security Breach; (II) investigate the Security Breach and provide Customer with all relevant information about it; and (III) take all steps to mitigate its effects and to minimize any damage resulting from it.

6.2. Customer agrees that: (i) an unsuccessful Security Breach attempt will not be subject to this Section. An “unsuccessful Security Breach attempt” is one that results in no unauthorized access to Customer Personal Data or to any of Service Provider’s equipment or facilities storing Customer Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing, or other similar incidents; and (ii) Service Provider’s obligation to report or respond to a Security Breach under this Section is not and will not be construed as an acknowledgement by Service Provider of any fault or liability with respect to the Security Breach.

7. TERMINATION

Upon termination of the use of the Services and upon Customer’s request, Service Provider shall return Personal Data to Customer (return being subject to a quote provided by Service Provider and approved by Customer) or delete it, and shall delete existing copies unless applicable Data Protection Laws require storage of such data.

8. TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN UNION

8.1. The geographic locations where Customer’s Personal Data will be Processed by Service Provider and any Sub-Processors are disclosed in Appendix A of this DPA. Customer acknowledges and agrees that Personal Data Processed by Service Provider may be transferred to the United States for the performance of the Services, and Customer shall inform its Users of this fact.

8.2. Without prejudice to Section 2.4, Service Provider may transfer Personal Data of Data Subjects located in the EEA outside the EEA (other than exclusively to an Adequate Country), including but not limited to a Sub-Processor. In such case, Service Provider shall ensure that, in accordance with Article 44 of the GDPR, a mechanism to achieve adequacy for that Processing is in place, such as: (a) Service Provider executing, or procuring that the recipient executes, Standard Contractual Clauses approved by the EU authorities under Data Protection Laws; or (b) any other specifically approved safeguard for data transfers recognized under the Data Protection Laws and/or a European Commission finding of adequacy.

8.3. The Standard Contractual Clauses and UK IDTA are incorporated by reference and deemed executed as of the effective date of this DPA. The SCC Module 2 shall be applied, and shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

8.4. Any dispute arising therefrom shall be resolved by the courts of an EU Member State. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he or she has his or her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts.

9. MISCELLANEOUS

9.1. Limitation of liability. Each Party’s liability, taken together in the aggregate, arising out of or related to this DPA, including DPAs associated with Sub-Processors, is subject to the ‘Limitation of liability’ section of the ToS.

9.2. Parties to this DPA. Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA. The aforementioned does not apply to any third-party beneficiary clauses in the Standard Contractual Clauses.

9.3. Legal Authority. Each Party mutually represents and warrants that (i) the person executing this DPA on its respective behalf has the legal authority to bind such party, and (ii) it has right, power, and authority to (a) enter into this DPA, (b) make the representations and warranties contained herein, and (c) commit to and perform the respective duties, obligations and covenants set forth hereunder.

9.4. Amendments and modifications. Any amendment to this DPA shall be made in writing.

9.5. Severance. Should any provision of this DPA be deemed invalid or unenforceable, then the remainder of this DPA shall remain valid and in full force and effect. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.

Appendix A

List of parties

Controller(s):

Name:

Customer as defined in the Account

Address:

As defined in the Account

Contact person’s name, position and contact details

As defined in the Account

Accession date:

As defined in the Account

Processor(s):

Name:

CaspianDB Inc

Address:

800 North State Street Suite 403 Dover,
DE 19901, the USA

Contact person’s name, position and contact details

Camuel Gilyadov, CEO,
camuel@caspiandb.com

Accession date:

As defined in the Account

Location of storage of Personal Data: Ohio, USA; N. Virginia, USA; N. California, USA; Oregon, USA

Duration of Processing (duration of Agreement): The period of provision of the Services to the Controller plus the time for the deletion of personal data, unless retention is required under applicable laws or if otherwise agreed by the parties.

Categories of Data Subject: Controller’s employees, contractors, end-users, individuals whose data is processed by Controller at the Controller’s discretion, and any other person who transmits data through the services provided to the Controller.

Categories of personal data processed: Personal data submitted, stored, sent or received by the Controller via the Services.

Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Sensitive personal data submitted, stored, sent or received by the Controller via the Services. The same restrictions and safeguards are applied to all personal data processed with the use of the Services.

Nature of the processing: Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission or otherwise making available, alignment or combination, restriction, erasure and destruction.

Purpose(s) for which the personal data is processed on behalf of the controller: The Processor will process Controller data submitted, stored, sent or received by the Controller for the purposes of providing the Services to the Controller in accordance with the ToS.

For processing by (sub-) processors, also specify subject matter, nature and duration of the processing: The (sub-) processors perform all the operations required to render the Services to the Controller under the ToS. The (sub-) processors process the personal data for as long as the agreement between the Controller and the Processor remains in force and the processing is required to render the Services to the Controller.