Data Processing Agreement
v1.1 - Last revised on May 23, 2018
Agreement between Transferor,
“Rspective” P. Rychlik Spółka jawna with its registered office in Katowice (40-246) at ul. Porcelanowa 23, entered in the register of entrepreneurs kept by the District Court Katowice-Wschód in Katowice, VIII Commercial Division of the National Court Register (KRS), under number KRS: 0000453920, Tax Identification Number NIP: 9542742375, represented by: Tomasz Pindel, Paweł Rychlik and Michał Sędzielewski, hereinafter referred to as Processor;
hereinafter referred to jointly as Parties and individually as Party.
Having in regard that the Parties are bound by the Terms of Service, the subject matter of which is the provision of services involving providing a software solution (“Voucherify”) as further specified on voucherify.io, that enables its customers to generate promotions, redeem them on mobile or web with client-side and backend Software Development Kits (SDKs), as well as fast-forward voucher functionality, having at the same time the security and scaling. Voucherify provides components to track and optimize customer’s digital promotion performance, gives access to redemption history, monitors acquisition channels, compares performance, allowing at the same time to automate campaign management with the simple UI as well as streamline data analytics with CSV import and export by the Processor to the benefit of the Transferor (hereinafter referred to as “ToS”), under which personal data are processed, the Parties mutually agreed as follows:
1. Subject matter
- By virtue of this Agreement the Transferor transfers personal data to the Processor for processing in the scope and for the purpose as prescribed by this Agreement. The Processor shall process personal data in the scope and for the purpose as prescribed by this Agreement upon order of the Transferor.
2. Representations and warranties
- The Transferor declares that it is a personal data controller within the meaning of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”) which processes personal data in line with the applicable legal provisions, for a purpose directly connected with its business or professional activity.
- The Processor declares that it disposes of adequate funds, including adequate safeguards enabling the processing of personal data in accordance with the provisions of the Act and executory orders issued on its basis, in accordance with Article 28 of GDPR.
3. Scope and purpose of data processing
- The Processor may process personal data transferred by the Transferor only in the scope and for the purpose as prescribed in this Agreement. Personal data shall be processed by the Processor only for the purpose of correct performance of the ToS.
- The data transfer shall comprise only those data which are essential for the Processor to properly co-operate with the Transferor within the ToS, and which have been voluntarily provided to it by the Transferor. The processing shall comprise the following personal data: surname and name; e-mail address; address; IP address; telephone number; and other personal data necessary for performance of the ToS.
- The processed data indicated in paragraph 3.2 above shall refer to users of the software and Processor’s services.
- The processing of data shall be understood as any operation performed on personal data, such as collecting, fixing, storing, developing, altering, making available and erasing, in particular those performed in IT systems.
- Any change of the scope and purpose of the processing of personal data may only be introduced by means of amendment to this Agreement.
4. Processor's obligations
- The Processor undertakes to abide by the provisions of the Act throughout the entire term of this Agreement.
- Only persons who are authorised by the Processor and who have been trained in the scope of methods of securing the processing of data may have access to the transferred personal data.
- The Processor shall provide the Transferor with any information necessary to prove the fulfilment of the obligations prescribed by the generally applicable legal provisions in the scope of personal data protection and shall enable the Transferor to carry out audits, including inspections, and shall contribute thereto.
- The Transferor is obliged to notify the Processor on the date of the audit referred to in paragraph 4.3 above in a written statement sent to the address of the Processor’s registered office at least 4 (four) weeks before the planned audit date. The audit shall be carried out within the office working hours applicable at the Processor on business days, and its performance shall not affect correct and timely pursue of the current business activity by the Processor.
- The persons authorised to carry out the audit on behalf of the Transferor are obliged, pursuant to a separate, written non-disclosure agreement, to keep confidential any information, documents, data, in particular of technical, commercial and financial character, pertaining to the Processor, or other received from the Processor of which they become advised or which they obtain in connection with the performance of the audit.
- The Processor taking into account the character of the processing, shall as far as possible support the Transferor in fulfilling the obligation to respond to demands of a data subject within the frames of his/her rights by appropriate technical and organizational means.
- Upon finishing the processing of data the Processor, depending on the Transferor’s decision made in writing under the pain of nullity, is obliged to immediately erase or return the transferred data and to delete any existing copies, unless the generally applicable legal provisions require to store personal data. Upon each request of the Transferor the Processor is obliged to present within 14 (in words: fourteen) days a written declaration confirming the fact that personal data have been destroyed.
- In connection with the processing of data, the Processor is obliged to immediately notify the Data Controller on each incident related to infringement of the security of the rules regulating the processing of the transferred data.
- The Processor shall implement and maintain appropriate technical and organizational security measures to protect Transferor Data from Security Incidents and to preserve the security and confidentiality of the Transferor Data, in accordance with Rspective's security standards described in Annex A ("Security Measures").
- The Processor may engage another processor for the purpose of performing the ToS and within the frames of internal processes of service of the Controller by Rspective. The Sub-processors currently engaged by Rspective and authorized by Transferor are listed in Annex A ("Sub-processors").
- The Processor may transfer the processing of personal data transferred thereto by the Transferor to entities other than that mentioned in paragraph 5.1 above only upon written consent of the Transferor.
6. Term of agreement
- This Agreement shall be concluded for the term of the agreement concluded by the Parties based on and in accordance to the ToS, in order to avoid doubt, termination of such agreement shall result in termination of this Agreement.
- The Processor shall be held liable for damage caused to third persons or the Transferor which arose in connection with non-performance or improper performance of this Agreement by the Processor, in particular with the processing of personal data in violation of the Agreement, within the limits of actual damage incurred by the Transferor or third persons, whereby the Processor shall not be held liable for damage caused by unintentional fault.
- The Transferor shall be held liable on general terms for damage caused to the Processor in connection with the performance of this Agreement, in particular during the audit referred to in paragraph 4.3 above or other control activities.
- The Parties undertake to keep secret, within the term of this Agreement and for the period of 2 (in words: two) years upon its termination or expiration, in particular not to disclose to third persons and to exercise special care in order to secure, any information, documents, data, in particular of technical, commercial and financial character pertaining to the other Party, or other received from the other Party of which they were advised or which they obtained in connection with the conclusion or performance of this Agreement, irrespective of their form, including oral or written forms or a computer record, in particular information pertaining to the given Party’s technologies, work organisation, the method of pursuing business activity, legal or commercial relations, as well as provisions of the Agreement (hereinafter referred to as “Confidential Information”). The Confidential Information obtained by the given Party is each time regarded the Confidential Information, unless it is described as non-confidential by the other Party.
- The Parties shall exercise special care in order to secure the Confidential Information, irrespective of the form of the Confidential Information, including oral or written forms or a computer record.
9. Entire agreement
- Any amendment to this Agreement require written form, or otherwise shall be null and void.
- If any provision of this Agreement proves invalid entirely or in part, then the other provisions shall remain effective, whereas the Parties undertake, upon a request of either Party, to replace such invalid provisions with provisions whose legal effect and economic implications to the highest extent correspond to those of the replaced provisions.
- This Agreement shall be concluded in compliance with the law of the Republic of Poland.
- The Agreement shall become effective as of the day of its being signed by both Parties, whereby if the Parties fail to place their signatures in the same place and on the same time, the day on which the last of the Parties places its signature shall be deemed the date of signing the Agreement.
10. Final provisions
- None of the Parties may transfer its rights or delegate obligations arising out of this Agreement to any third person without a written consent of the other Party.
- Any dispute resulting from this Agreement shall be subject to Polish law and Polish common courts. The Parties shall make every effort to settle any dispute resulting from or related to this Agreement in an amicable way. If it is not possible for the Parties to settle a dispute amicably within one month, then such dispute shall be referred for final settlement to the common court with the jurisdiction over the registered office of the Processor.
- This Agreement was drawn up in two copies, one for each Party.
Annex A to the Data Processing Agreement
Rspective uses a range of third party Sub-processors to assist it in providing the Services (as described in the ToS). These Sub-processors set out below provide cloud hosting and storage services; content delivery and review services; assist in providing customer support; as well as incident tracking, response, diagnosis and resolution services.
- The company under business name Amazon Web Services, Inc., P.O. Box 81226 Seattle, WA 98108-1226, USA;
- The company under business name salesforce.com EMEA Limited, Route de la Longeraie 9, Morges, 1110, Switzerland;
- The company under business name LogEntries brand of Rapid7 Ireland Ltd., The One Building, 2nd Floor, 1 Grand Canal Street Lower, Dublin 2, Ireland;
- The company under business name Bandro Solutions Błażej Andraszyk, ul. Kapitana Janiego 8D/2, 44-200 Rybnik, Poland;
- The company under business name IMVANZEN Jakub Reczko, ul. Wita Stwosza 6/3, 41-506 Chorzów, Poland;
The Security Measures applicable to the Services are described here https://voucherify.io/legal/security-policy (as updated from time to time in accordance with Section 4.9 of this DPA).
For an executable copy of this DPA, please visit this page.