
1. General

1.1

This Data Processing Addendum (hereinafter “DPA”) is a part of the SaaS Agreement (Terms of Service) as available at: https://www.syteca.com/en/terms-service-saas (“Agreement”) between Provider and Customer, under which Provider provides certain Cloud Services to Customer.

1.2

This DPA sets out the additional terms, requirements and conditions on which Provider will process Personal Data within the Uploaded Data for the purpose of its obligations under the Agreement.

1.3

General terms of business of the Customer shall only apply if and insofar as Provider has explicitly accepted them in writing. Any references of Provider to correspondence from the Customer containing or referring to the Customer’s general terms of business shall not constitute Provider’s acceptance of the applicability to the contract of such general terms of business.

2. Definitions

Capitalized terms not otherwise defined herein shall have the meaning as defined in the Agreement.

2.1

“Controller” has the same meaning as under the Data Protection Laws.

2.2

“Data Subject” means the individual to whom Personal Data relates.

2.3

“Data Protection Laws” means all applicable laws governing the protection of Personal Data including, but not limited to, if applicable, the General Data Protection Regulation 2016/679 (“GDPR”) and all other laws implementing or supplementing the GDPR.

2.4

“Processing” means processing of Personal Data as defined under the Data Protection Laws, including the storage, amendment, transfer, blocking or erasure of personal data by the Processor acting on behalf of the Customer.

2.5

“Processor” has the same meaning as under the Data Protection Laws.

2.6

“Instruction” means the written instruction, issued by Customer to Provider, directing the same to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available). Instructions shall initially be specified in the Agreement and may, from time to time, thereafter, be amended, amplified or replaced by Customer in separate written instructions (individual instructions).

2.7

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

2.8

“Standard Contractual Clauses” or “EU SCCs” means the standard contractual clauses pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 or (if applicable) any future clauses issued by the EU for the transfer of personal data to non-EU (sub)processors, replacing or modifying the clauses in the wording as issued by the EU.

2.9

A reference to writing or written includes email.

2.10

In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail, unless otherwise explicitly specified in writing in the Agreement.

3. Scope and Responsibility

3.1

The Customer and Provider acknowledge that for the purpose of the Data Protection Laws, the Customer is the Controller and Provider is the Processor. In some circumstances, Customer may be a Processor, in which case Customer appoints Provider as Customer’s Sub-processor, which shall not change the obligations of either Customer or Provider under this DPA, as Provider will always remain a Processor with respect to the Customer in such event.

3.2

Customer retains control of the Personal Data and remains responsible for its compliance with its obligations under the applicable Data Protection Laws, including providing any required notices and obtaining any required consents for the lawful processing of Personal Data made available to or otherwise transferred to Provider, and for the processing instructions it gives to Provider.

3.3

Provider shall process Personal Data on behalf of Customer. Processing shall include such actions as may be specified in the Agreement and in the applicable Statement of Work. Within the scope of the Agreement, Customer shall be solely responsible for complying with the statutory requirements relating to the lawfulness of the data Processing. Purpose of processing: performance of the Agreement (provision of Cloud Services).

3.4

Based on this responsibility, Customer shall be entitled to request that Provider, subject to the Data Protection Laws, rectifies, deletes, blocks and makes available Personal Data during and after the term of the Agreement at Customer’s cost. Provider shall promptly comply with any of Customer’s requests or instructions requiring Provider to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorized Processing.

3.5

The provisions of this DPA shall also apply if testing or maintenance of automatic processes or of Processing equipment is performed on behalf of Customer.

4. Provider’s obligations

4.1

Provider shall process Personal Data only within the scope of Customer’s Instructions as set-out in this Agreement, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which Provider is subject. In this case, Provider shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

4.2

Provider shall implement appropriate technical and organizational measures with respect to the Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Such measures shall be designed to ensure a level of security appropriate to the risk in order to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access or use. Such measures hereunder shall include, but are not limited to, taking reasonable steps to achieve the following:

A) the prevention of unauthorized persons from gaining access to Personal Data Processing systems (physical access control),

B) the prevention of Personal Data Processing systems from being used without authorization (logical access control),

C) persons entitled to use a Personal Data Processing system gain access only to such Personal Data as they are entitled to access in accordance with their access rights, and, in the course of processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization (data access control),

D) persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality,

E) Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control),

F) the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from Personal Data Processing systems (entry control),

G) Personal Data Processed are Processed in accordance with the Instructions (control of instructions),

H) Personal Data collected for different purposes can be processed separately (separation control).

A measure as referred to in (A) to (H) above shall in particular be, but shall not be limited to, the use of appropriate encryption technology.

4.3

Provider will, insofar as this is possible, by appropriate technical and organizational measures, reasonably assist Customer with meeting Customer’s compliance obligations with respect to the rights exercised by Data Subjects under the Data Protection Laws (particularly the Data Subjects’ rights related to Data Subjects’ requests), taking into account the nature of data Processing. Taking into account the nature of Processing and any information available to Provider, Provider will further assist the Customer in ensuring compliance with the obligations to undertake data protection impact assessments and to report to and consult with supervisory authorities under the Data Protection Laws. Where the requested level of assistance would be excessive or unreasonably burdensome for Provider, any such assistance will be provided at Customer’s cost.

4.4 Contact information:

Customer’s Notification Email Address is the e-mail address associated with the administrative account in the Cloud Services. “Notification Email Address” means the email address (if any) designated by Customer to receive certain notifications from Provider relating to this DPA.

4.5

If applicable, Customer shall retain title as to any carrier media provided to Provider as well as any copies or reproductions thereof. Provider shall store such media safely and protect them against unauthorized access by third parties. Provider shall, upon Customer’s request, provide to Customer all information on Customer’s Personal Data and information. Provider shall be obliged to securely delete any test and scrap material based on an Instruction issued by Customer on a case-by-case basis. Where Customer so decides, Provider shall hand over such material to Customer or store it on Customer’s behalf.

4.6

Provider shall provide reasonable assistance to the Customer with any data protection impact assessment which the Customer is required to undertake in order to comply with GDPR, in each case solely in relation to the processing of Personal Data and taking into account the nature of the Processing and information available to Provider and shall make available to Customer on request such information as is reasonably necessary to demonstrate its compliance with this DPA and its obligations under GDPR and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer for the purpose of demonstrating compliance by Provider with its obligations under Data Protection Laws in respect of the Personal Data. Provider may object to the deployment of a specific auditor if such auditor (i) is not subject to confidentiality regarding the results of such audit (except vis-a-vis Provider and Customer), (ii) is a competitor of Provider, (iii) is affiliated with a competitor of Provider.

5. Customer’s obligations

5.1

Customer shall be separately responsible for conforming with such statutory data protection regulations including the Data Protection Laws as are applicable to it and shall ensure that the Personal Data may lawfully be processed by Provider under this Agreement.

5.2

Customer shall inform Provider without undue delay and comprehensively about any errors or irregularities related to statutory provisions on the Processing of Personal Data detected during a verification of the results of such Processing or otherwise arising following the date of this DPA.

5.3

If GDPR is applicable, Customer shall be obliged to maintain the register as defined in GDPR.

5.4

If GDPR is applicable, Customer shall be responsible for fulfilling the duties to inform resulting from GDPR.

5.5

Customer shall promptly notify Provider of the exercise of any rights by Data Subjects affecting the Processing of Personal Data by Provider.

5.6

Customer shall, upon termination or expiration of the Agreement and by way of issuing an Instruction, stipulate, within a period set by Provider, the measures to return data carrier media or to delete stored data.

5.7

Any additional cost arising out of Provider’s performance under Instructions outside the Agreement’s scope of work or otherwise not contemplated by this DPA shall be borne by Customer.

6. Audit Obligations

6.1

Provider shall provide a copy of its most current security report upon Customer’s written request and subject to the confidentiality provisions of the Agreement. If Customer requires an additional audit, it may request an on-site audit of the architecture, systems and procedures that are controlled by Provider and relevant to the protection of Customer Personal Data. Notwithstanding the above, if an audit is excessive or unreasonably burdensome for Provider, then Customer shall reimburse Provider for such excessive or unreasonably burdensome audit at Provider’s then-current services rates, which shall be made available to Customer upon request. Before the commencement of any such audit, Customer and Provider will mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. Customer shall promptly notify Provider with information regarding any non-compliance discovered during the course of an audit.

7. Sub-processing

7.1

Customer agrees that Provider may engage Provider’s Affiliates and third-party sub-processors (collectively, “Sub-processors”) to Process the Personal Data on Provider’s behalf. Customer acknowledges that Provider’s contractual obligations hereunder, or parts of the Cloud Services, will be performed by Sub-processors and consents to the use of Sub-processors to fulfil its contractual obligations under the Agreement. Provider’s Sub-processors are listed below (sub-processing function, Sub-processor, location of sub-processing):

Sub-processor: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, USA.

Sub-processing function: Primary Sub-processor to provide the cloud infrastructure necessary for the delivery of the SaaS Service. Core Functions:

  • Infrastructure Hosting: Provision of scalable compute resources (EC2) and managed virtual environments for application processing and certificate management.
  • Data Storage & Management: Utilization of high-availability database services (Amazon RDS instance) and object storage (Amazon S3) for secure storage of application data.
  • Network Security: Load balancers and logically isolated Virtual Private Clouds (VPC).

Location of sub-processing: AWS Data centers:

  • Europe (Frankfurt)
  • United States (N. Virginia)
  • Asia Pacific (Mumbai)
  • Europe (London)

Sub-processor: Syteca, Inc, 24 Crescent Street Suite 403, Waltham, MA 02453, USA, +1 781-205-0530.

Sub-processing function: Core Functions:

  • Product Development & Engineering
  • Software Maintenance & Updates: Regular system and infrastructure monitoring, deployment of security patches, bug fixes, and performance optimizations to maintain service stability and integrity.
  • Cloud Infrastructure Management: Ongoing optimization of Cloud Infrastructure.
  • Security & Compliance Monitoring: Continuous monitoring and implementation of advanced security measures within the application layer to protect Client data.

Location of sub-processing: USA, Canada, Europe

7.2

Provider undertakes to enter into a written agreement with its Sub-processors, which will contain data protection obligations that are no less protective than those contained in this DPA. Provider will remain responsible for its compliance with the obligations stated herein and for any acts or omissions of the Sub-processors.

7.3

Provider may, by giving no less than thirty (30) days’ notice to Customer by publishing the list of Sub-processors on the dedicated webpage, add Sub-processors. Customer may object to the appointment of an additional Sub-processor within fourteen (14) calendar days of such notice on reasonable grounds relating to the protection of the Personal Data, in which case Provider shall have the right to cure the objection through one of the following options (to be selected at Provider’s sole discretion):

A) Provider will cancel its plans to use the Sub-processor with regard to Personal Data or will offer an alternative to fulfil its obligations under the Agreement without such Sub-processor; or

B) Provider will take the corrective steps requested by Customer in its objection (which remove Customer’s objection) and proceed to use the Sub-processor with regard to Personal Data; or

C) Provider may cease to provide Cloud Services under the Agreement, or Customer may agree not to use (temporarily or permanently) those of Provider’s Cloud Services under the Agreement that would involve the use of such Sub-processor with regard to Personal Data, subject to a mutual agreement of the parties to adjust the remuneration for the Agreement considering the reduced scope of the Agreement.

7.4

If none of the above options are reasonably available and the objection has not been resolved to the mutual satisfaction of the parties within 30 days after Provider’s receipt of Customer’s objection, either party may terminate the Agreement.

7.5

Provider may replace a Sub-processor if the need for the change is urgent and necessary to fulfil its obligations under the Agreement and the reason for the change is beyond Provider’s reasonable control. In such instance, Provider shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Sub-processor pursuant to the procedure set out above.

8. Data Breach

8.1

Provider will without undue delay notify Customer if it becomes aware of any Personal Data Breach in accordance with applicable Data Protection Laws.

8.2

Immediately following any Personal Data Breach, the parties will coordinate with each other to investigate the matter.

8.3

Provider will reasonably co-operate with Customer in Customer’s handling of the matter. Provider will not inform any third party of any Personal Data Breach without first obtaining Customer’s prior written consent, except when required to do so by Data Protection Laws or any other applicable Union or Member State laws.

8.4

Provider will cover all reasonable expenses associated with the performance of the obligations under this section 8 unless the matter arose from Customer’s specific instructions, negligence, willful default or breach of this Agreement, in which case Customer will cover all reasonable expenses.

8.5

Provider will also reimburse Customer for actual reasonable expenses that Customer incurs when responding to a Personal Data Breach to the extent that Provider caused such a Personal Data Breach, including all costs of notice and any remedy.

9. Miscellaneous

9.1

Where Customer’s Personal Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while being Processed, Provider shall inform Customer without undue delay. Provider shall, without undue delay, notify all pertinent parties to such action that any Personal Data affected thereby is Customer’s sole property and within Customer’s area of responsibility, and that such Personal Data is at Customer’s sole disposition.

9.2

To the extent required by applicable Data Protection Laws, this DPA shall be governed by the law of the applicable jurisdiction. In all other cases, this DPA shall be governed by the laws of the same jurisdiction stated in the Agreement for governing the Agreement.

9.3

The term of this DPA shall follow the term of the Agreement. Upon termination or expiration of the Agreement, if requested by Customer in writing and to the extent technically feasible, Provider will delete or de-identify Personal Data within a reasonable amount of time, save to the extent Provider is required by any applicable Data Protection Laws to retain some or all of the Personal Data.

9.4

Provider may act as a Data Controller in the following cases:

  • When processing the professional contact details of the Customer’s employees and Providers it deals with in the context of the Agreement for the purposes of contract management and negotiation;
  • When the processing is necessary for compliance with a regulatory obligation to which the processing party is subject; and
  • When processing Personal Data for its legitimate business interests (such as billing; account management and administration; operational communication; IT management (activities related to managing the operability, availability and security of a particular product, service or IT system)).

The parties acknowledge that, in relation to the above-mentioned processing of personal data, each party will be free to determine the lawful purpose and the means of such processing and therefore will act as a separate data controller. In no event will this Clause imply that the parties can be considered joint controllers.

10. International Data Transfers

10.1

Provider is authorized to process Personal Data itself, including through its engagement of Sub-processors in accordance with this DPA, outside the country in which the Customer is located, including countries where data protection may not be as stringent as in the country of Customer’s domicile or registered address or the EEA, Switzerland or the UK.

10.2

If GDPR is applicable, Provider shall process Personal Data outside of the EEA, Switzerland or UK as permitted under the Data Protection Laws as follows:

(i) the Personal Data of an EEA, UK or Swiss based Customer is processed in a country outside the EEA, Switzerland or the UK (a “third country”) that is determined by the European Union to have an adequate level of data protection; or

(ii) the Personal Data of Customer is processed in a third country pursuant to adequate safeguards including, but not limited to, execution of Standard Contractual Clauses or an approved code of conduct or an approved certification mechanism. Provider has valid and current Processor-to-Processor SCCs in place, where required, with all Sub-processors located outside the European Economic Area or a country accepted by the European Union as adequate in accordance with Art. 45 GDPR.

11. List of Personal Data elements and Purpose

11.1

Purpose of the processing: for the purpose of performance of the Agreement.

11.2

Nature of the processing (includes, but not limited to): Compute, storage and such other actions as described in the Documentation and required to provide cloud Services to Customer.

11.3

Data types/categories that may be processed by Provider (not closed list, excluding special categories of data):

  • Contact Data
  • Key Contract Data (Contractual/Legal Relationships, Contractual or Product Interest)
  • Customer History
  • Contract Billing and Payments Data
  • Disclosed Information from third parties, e.g. names, addresses, telephones, emails
  • Financial Data, e.g. account numbers
  • Other data in Uploaded Data

Customer should not instruct Provider to process any information about criminal convictions and offences or other special categories of Personal Data. Customer shall be liable for any Personal Data that is provided or otherwise made available to Provider in excess of the categories of data described above (“Excess Data”). Provider’s obligations under the Agreement and this DPA shall not apply to any such Excess Data.

11.4

Data Subjects categories that may be processed by Provider (not closed list):

  • Employees
  • Contact Persons
  • Customers
  • Potential Customers
  • Customer’s Employees
  • Suppliers and Providers
  • Other Data Subjects about whom information is included in Uploaded Data provided by the Customer
