Agreement between Customer,
“Rspective” P. Rychlik Spółka jawna with its registered office in Katowice (40-246) at ul. Porcelanowa 23, entered in the register of entrepreneurs kept by the District Court Katowice-Wschód in Katowice, VIII Commercial Division of the National Court Register (KRS), under number KRS: 0000453920, Tax Identification Number NIP: 9542742375, represented by: Tomasz Pindel, Paweł Rychlik and Michał Sędzielewski, hereinafter referred to as Processor;
hereinafter referred to jointly as Parties and individually as Party.
Having in regard that the Parties are bound by the Subscription Agreement, the subject matter of which is the provision of services involving providing a software solution (“Voucherify”) as further specified on voucherify.io, that enables its customers to generate promotions, redeem them on mobile or web with client-side and backend Software Development Kits (SDKs), as well as fast-forward voucher functionality, having at the same time the security and scaling. Voucherify provides components to track and optimize customer’s digital promotion performance, gives access to redemption history, monitors acquisition channels, compares performance, allowing at the same time to automate campaign management with the simple UI as well as streamline data analytics with CSV import and export by the Processor to the benefit of the Transferor (hereinafter referred to as “ToS”), under which personal data are processed, the Parties mutually agreed as follows:
1. Purpose and Scope
- The purpose of this Agreement is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
- The controllers and processors listed in Annex 1 have agreed to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679.
- This Agreement applies to the processing of personal data as specified in Annex 2.
- Annexes 1 to 4 are an integral part of the Agreement. Annex 5 applies only if and as long as the controller is based in a country outside of the EEA and not subject to the GDPR.
- This Agreement is without prejudice to obligations to which the controller is subject by virtue of Regulation (EU) 2016/679.
- Where the following provisions use the terms defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
- This Agreement shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
- This Agreement shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679 or in a way that prejudices the fundamental rights or freedoms of the data subjects.
- In the event of a contradiction between this Agreement and the provisions of related agreements between the Parties existing at the time when this Agreement is agreed or entered into thereafter, this Agreement shall prevail.
4. Docking Clause
- Any entity that is not a Party to this Agreement may, with the agreement of all the Parties, accede to this Agreement at any time as a controller or a processor by completing the Annexes and signing Annex 1.
- Once the Annexes in (a) are completed and signed, the acceding entity shall be treated as a Party to this Agreement and have the rights and obligations of a controller or a processor, in accordance with its designation in Annex 1.
- The acceding entity shall have no rights or obligations resulting from this Agreement from the period prior to becoming a Party.
5. Description of Processing(s)
- The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex 2.
6. Obligations of the Parties
- The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.
- If the controller issues subsequent instructions regarding the processing of personal data that exceed the scope of services agreed to by the parties, the costs shall be borne by the controller.
- The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or the applicable Union or Member State data protection provisions.
6.2. Purpose Limitation
- The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex 2, unless it receives further instructions from the controller.
6.3. Duration of the processing of personal data
- Processing by the processor shall only take place for the duration specified in Annex 2.
6.4. Security of Processing
- The processor shall at least implement the technical and organisational measures specified in Annex 3 to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
- The processor shall be entitled to implement alternative and adequate measures, provided that they do not fall below the security level of the measures specified in Annex 3. The Processor shall document such changes. Material changes to the measures shall require the prior information of the controller.
- The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.5. Documentation and Compliance
- The Parties shall be able to demonstrate compliance with this Agreement.
- The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with this Agreement within the scope of what is reasonable and necessary. Where an inquiry exceeds the obligations of a processor under Regulation (EU) 2016/679, the processor is entitled to reimbursement of the expenses and costs incurred as a result thereof from the controller.
- The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in this Agreement and stem directly from Regulation (EU) 2016/679. At the controller’s request, the processor shall also permit and contribute to audits of the processing activities covered by this Agreement, at reasonable intervals of 1 year or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.
- The processor is permitted, to not disclose information that is sensitive with regard to the processor's business or if the processor would breach statutory or contractual obligations with the disclosure, where the proof of compliance can be provided by certifications in accordance with Article 42 of the GDPR; current certificates, reports or report extracts from independent instances (e.g. auditors, revision, data protection officer, IT security department, data protection auditors, quality auditors); suitable certification by an IT security or data protection audit.
- The controller may choose to conduct the audit by itself or mandate an independent auditor. The Controller must not instruct a competitor of the Processor with conducting an Audit. Audits may also include inspections at the premises or physical facilities of the processor. The Controller shall inform the Processor sufficiently in advance (usually at least four weeks) about all circumstances in relation to the carrying out of an inspection.
- The Parties shall make the information referred to in this Section, including the results of any audits, available to each other and the competent supervisory authority/ies on request.
6.6. Use of Sub-Processors
- The processor has the controller’s general authorisation for the engagement of sub-processors from an agreed list. The processor shall specifically inform the controller by email of any intended changes of that list through the addition or replacement of sub-processors at least two weeks in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object. The controller may object if there is any compelling reason under data protection laws and where this has been communicated to the processor in writing or text format.
- Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with this Agreement. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to this Agreement and to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
- The controller agrees that where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with of Article 46(2) of Regulation (EU) 2016/679.
- At the controller’s request, the processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secrets or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.
- The processor shall remain responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub- processor to fulfil its contractual obligations.
6.7. Assistance to the Controller
- The processor shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the controller against reimbursements of costs.
- The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with 6.7(a) and (b), the processor shall comply with the controller’s instructions.
- In addition to the processor’s obligation to assist the controller pursuant to Section 6.7(b), the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor against reimbursement of costs:
1. the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons.
2. the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
3. the obligations in Article 32 of Regulation (EU) 2016/679.
- The Parties shall set out in Annex 3 the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this Section as well as the scope and the extent of the assistance required.
6.8. Notification of Personal Data Breach
- In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679, where applicable, taking into account the nature of processing and the information available to the processor.
- In the event of a personal data breach concerning data processed by the processor on behalf of the controller, the processor shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:
1. a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned).
2. its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
- Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
- The Parties shall set out in Annex 3 all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.
- The liability of the Parties is subject to Article 82 of the GDPR. This does not affect the liability for breach of obligations under the Service Level Agreement.
- The Parties agree that inter partes the controller alone is liable for any loss or damage suffered by a data subject due to an inadmissible or incorrect processing of controller data within the scope of this data processing agreement, the controller’s instructions and the applicable data protection laws.
- The controller shall indemnify the processor on first demand in full within 30 days of having received a written notice against liability unless and insofar as the controller proves that the processor alone is responsible in any respect for the circumstance that caused the loss or damage to a data subject.
- Section 7.3 shall apply mutatis mutandis in the event of a fine imposed on the processor, whereby the indemnity shall be limited to the amount of the processor's proportionate responsibility for the infringement sanctioned by the fine.
- Unlimited liability: The Processor shall assume unlimited liability for intent and gross negligence and for breach of a contractually assured guarantee. In cases of negligence, the Processor shall assume liability for any damage or injury to life, limb or health. In all other cases the following limited liability shall apply: In cases of negligence the Processor shall only be liable for breaches of material duties or obligations of the main Agreement, the fulfilment of which is prerequisite for the proper execution of the main Agreement and on which the Controller may reasonably rely (cardinal obligation). In cases of negligence described in the previous sentence, liability shall be limited to the amount of loss or damage incurred by the Controller as well as the benefits which the Controller could have obtained if he would not have suffered the loss or damage.
8. Non-compliance with this Agreement and termination
- Without prejudice to any provisions of Regulation (EU) 2016/679, in the event that the processor is in breach of its obligations under this Agreement, the controller may instruct the processor to suspend the processing of personal data until the latter complies with this Agreement or the contract is terminated. The processor shall promptly inform the controller in case it is unable to comply with this Agreement, for whatever reason.
- The controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with this Agreement if:
1. the processing of personal data by the processor has been suspended by the controller pursuant to point 7.1 and if compliance with this Agreement is not restored within a reasonable time and in any event within one month following suspension.
2. the processor is in substantial or persistent breach of this Agreement or its obligations under Regulation (EU) 2016/679.
3. the processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to this Agreement or to Regulation (EU) 2016/679.
- The processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under this Agreement where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Section 6.1(c), the controller insists on compliance with the instructions.
- Following termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or, return all the personal data to the controller and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with this Agreement.
List of Appendices
- Annex 1: List of Parties
- Annex 2: Description of the Processing
- Annex 3: Technical and Organisational Measures including Technical and Organisational Measures to ensure the Security of the Data
- Annex 4: List of Sub-Processors
- Annex 5: European Commission standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council Brussels, 4.6.2021 C(2021) 3972. This Annex is applicable only if and as long as the controller is based in a country outside of the EEA and not subject to the GDPR.
List of parties
Controller(s): [Identity and contact details of the controller(s), and, where applicable, of the controller’s data protection officer]
Contact person’s name, position and contact details:
Signature and accession date:
Name: Rspective P. Rychlik Spółka jawna
Address: Katowice (40-246) at ul. Porcelanowa 23
Contact person’s name, position and contact details: Tomasz Pindel, Michał Sędzielewski
Signature and accession date:
Description of the processing
1. Categories of data subjects whose personal data is processed
- The data subjects could include Customer’s customers, potentially employees and suppliers.
2. Categories of personal data processed
- Customer Data uploaded to the Services under Customer’s Voucherify accounts:
1. contact data (surname and name; user name; e-mail address; address; telephone number;),
2. user data (e.g., customer lifetime value),
3. potentially upon request GPS data showing current location,
4. and other personal data necessary for providing the Voucherify Services, including IP address, Customer’s Customers unique IDs.
3. Nature of the processing
- Voucherify collects and uses Customer Data in order to host promotions, loyalty programs, and such other features as described in the Documentation and initiated by the Customer from time to time.
- In the typical campaign flow, Voucherify enables its Customers to generate promotions, redeem them on mobile or web with client-side and backend Software Development Kits (SDKs), as well as fast-forward voucher functionality, having at the same time the security and scaling. Voucherify provides components to track and optimize Customer’s digital promotion performance, gives access to redemption history, monitors acquisition channels, compares performance, allowing at the same time to automate campaign management with the simple UI as well as streamline data analytics with CSV import and export to the benefit of the Customer.
- The Customer's Customers Data can be transferred to Voucherify to verify customer-oriented promotion rules.
4. Purpose(s) for which the personal data is processed on behalf of the controller
- The purpose of the data processing under this DPA is the provision of the Voucherify Services initiated by the Customer from time to time.
6. Duration of the processing
- As between Voucherify and Customer, the duration of the data processing under this DPA is determined by the main Agreement.
- If not requested by Customer, the Customer Data will be retained until 12 months after termination and expiry of the Agreement. Back-up copies will remain stored for 7 days or be removed immediately after they cease to be useful.
Technical and organisational measures including technical and organisational measures to ensure the security of the data.
The Security Measures applicable to the Services are described here (as updated from time to time in accordance with Section 6.4.1 above).
1. Measures of pseudonymisation and encryption of personal data
- The majority of Voucherify’s features do not require clear data, but can be operated with unique IDs. If Customer wants to leverage the coupons distribution function, either email addresses or phone numbers have to be stored. If Customer wishes to leverage discount validation rules based on address information, corresponding data will be transferred through API.
- Voucherify is a cloud-based Software as a Service platform that leverages Amazon AWS to host the Services. Voucherify uses strong encryption techniques for data security and fine-grained authorization to control access to data.
- Most Voucherify services operate on Amazon Web Services. All Voucherify components run within a secure AWS VPC and implement secure SSL-protected access, encryption at rest using an AES256 algorithm.
- Managing encryption keys effectively is vital for Voucherify Services. Therefore, Voucherify leverages the Key Management Service (KMS) from Amazon Web Services. AWS KMS is integrated with most other AWS services that encrypt collected data with encryption keys that Voucherify manages.
2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
- Amazon’s data centers employ a set of advanced physical, network and software security measures to ensure the integrity and safety of customers’ data.
3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Voucherify ensures that enterprises are provided with service around the clock. This involves making architectural changes at the application and infrastructural levels to add scalability and high availability. Our multi-tier architecture is adopted, supported by a load-balanced farm of application instances, running on a variable number of servers. Resiliency to hardware/software failures, as well as to denial of service attacks, is built from the ground up within the application.
- At the same time, an appropriate action plan for business continuity and disaster recovery is considered for any unplanned emergencies. This is essential to ensure the safety of the enterprise data and minimal downtime for enterprises.
- With AWS Voucherify Services are hosted on the Internet-scale, world-class infrastructure. Standard Distributed Denial of Service mitigation techniques such as syn cookies and connection limiting are used. To further mitigate the effect of potential DDoS attacks, Voucherify maintains internal bandwidth by implementing proper rate limiters.
- Voucherify ensures that all sensitive enterprise data is regularly backed up to facilitate quick recovery in case of disasters. Also, the use of strong encryption schemes to protect the backup data is recommended to prevent accidental leakage of sensitive information.
4. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
- The Voucherify platform is regularly a subject of penetration tests performed by a third-party vendor. In the course of the audit, particular emphasis is placed on the tests that had or could have had a negative impact on confidentiality, integrity, or availability of the data. The security tests are conducted in accordance with the best practices including OWASP Top 10 as well as internal methodologies of security testing prepared by a third-party vendor. The approach for tests includes manual tests based on methods listed previously and auditors’ experience as well as automatic tests using various tools, including Burp Suite Pro.
- Furthermore, Voucherify runs a PCI scan every quarter to maintain ongoing PCI compliance, adhering to stringent industry standards for storing, processing, and transmitting credit card information online. In addition, Voucherify ensures that customer payment information is encrypted at all times. Any uncovered vulnerability is prioritized, resolved, and deployed as soon as possible following discovery.
- As a system, Voucherify is built upon other third-party software components, sub-systems, services, open-source libraries, dependencies, packages, modules, operating systems, etc. Occasionally, a security vulnerability in such a third-party component is discovered and publicly disclosed, typically in the Common Vulnerabilities and Exposures registry (CVE), together with a severity score and potential impact information. In certain conditions, such vulnerabilities may also affect our servers. Therefore a solid and established process for managing vulnerabilities is vital for our company.
- To mitigate the risks of running a system that is out of date, on a periodic basis Voucherify runs an internal audit over all third-party software components, incl.
1. open-source libraries.
2. runtime environments.
3. Docker images.
4. AWS Services.
that are in use at Voucherify.
- Moreover, automated scans are incorporated into our release build process. Voucherify also has automatic alerts and security-related notifications in place whenever a new vulnerability is detected among third-party components that our systems rely on.
- Once detected and confirmed, Voucherify strives to remediate the issues and patch the affected systems within a reasonable timeframe, depending on the issue's severity score. Issues that are considered critical, Voucherify addresses as soon as possible, within 30 days following discovery.
5. Measures for user identification and authorisation Measures for the protection of data during transmission Measures for the protection of data during storage
- To ensure compliance with internal and external data security standards of our organization, with user-level data security, Voucherify adds protective layers. Voucherify cloud service vendors provide role-based access control (RBAC) features, allowing user-specific access and editing permissions for Customers’ data. This system enables an access control-based, fine-grained, enforced segregation of duties within an organization. The access to data centers is limited with granular roles provided by AWS IAM (and a Salesforce counterpart). Two-factor authentication provides an extra layer of security to both identity access managers.
6. Measures for ensuring physical security of locations at which personal data are processed Measures for ensuring events logging
- AWS provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.
- Voucherify does not maintain physical infrastructure to process data transferred by Customers. The entrusted data are not stored in physical form in Voucherify’s premises.
- Access to the system is available only from a closed VPN which is available only to the limited list of support staff and administrators. The Voucherify team uses a single-host-to-server VPN model for getting a connection with a secured IT system. Support staff and administrators use secured computers and follow policies for rotating private access keys to VPN. They use the Mac OS operating system and installed antivirus software. Moreover, they follow internal security policy and leverage disk encryption.
- Access via VPN is tracked in a dedicated logs repository (AWS CloudWatch) and can be audited by the management team.
- In particular cases, following Customer’s approval, support staff can access his account on Voucherify platform to perform maintenance or support checks. The access to the account is being granted case by case, for the minimum required time, following all security measures described above. The access is revoked once the support case is solved.
7. Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products
- Voucherify uses a Linux based operating system for the application environment with a centrally managed configuration. Voucherify has established a policy to keep systems up to date with necessary security updates.
- The operations team maintains hardened standard server configurations. Systems are deployed and configured in a uniform manner using configuration management systems.
- All team members use the Mac OS operating system and installed antivirus software as well as disk encryption. Voucherify’s internal internet network is secured, there is a separate guest network.
- Voucherify follows change control procedures for all system and software configuration changes. These controls include, at a minimum, a documented impact for each change, change review, testing of operational functionality, and back-out procedures.
8. Measures for ensuring data minimisation Measures for ensuring data quality Measures for ensuring limited data retention Measures for ensuring accountability
- Voucherify designs and implements REST API interfaces for transferring personal data to make them adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Regarding consumers’ data, there is no need of storing them in Voucherify. This is optional and not required for using the vast majority of features. If Customer wants to leverage the coupons distribution function, either email addresses or phone numbers have to be stored. If Customer wishes to leverage discount validation rules based on address information, corresponding data will be transferred through API.
9. Measures for allowing data portability and ensuring erasure
- Voucherify introduced proper features to stay in line with data regulations for the right of portability, to be forgotten, and to rectification, see the section below for details and tutorials.
- Voucherify API and UI enable operators to export Data in CSV format.
10. Description of the specific technical and organisational measures to be taken by the processor to be able to provide assistance to the controller.
- Voucherify maintains an incident response process that includes direct participation and cooperation between support, security, and operations teams.
- The Voucherify incident response process includes notification, escalation, and reporting. When required, Customer notification is initiated through the Voucherify status page, Voucherify initiated reporting tickets, or direct email/phone communication to account contacts.
- Internally, Voucherify maintains an incident response plan that is tested on a regular basis. The plan addresses specific incident response procedures, data backup procedures, roles and responsibilities, customer communication, contact strategies, and legal and shareholder information flow.
- Voucherify maintains relationships with law enforcement to assist during incidents with criminal intent.
- Voucherify has relationships with third-party vendors to assist with forensics and investigations, as necessary.
- Each employee is required to take part in security and data protection training during the onboarding process. Employees and associates have specific data security responsibilities and authorizations specified in work regulations and employment contracts. The contracts contain confidentiality and general data security clauses as well as information on the personal data processed.
- The Customer can access and browse his customer’s data using Voucherify’s dashboard and access the data using Voucherify’s API calls.
- The Customer, at his own discretion, may decide to execute the following data processing procedures in his account in Voucherify:
1. Removing his account permanently from Voucherify.
2. Removing a team member permanently from Voucherify.
- The Customer may decide to use the following features of Voucherify, using the Dashboard or API calls, to address data subject’s requests:
1. Removing a customer permanently from Voucherify.
2. Removing customer’s data from Voucherify.
3. Updating customer’s data in Voucherify.
List of sub-processors
This Annex needs to be completed in case of specific authorisation of sub-processors (Section 6.6.1, Option 1). The controller has authorised the use of the following sub-processors:
The current list will be always published here under Annex 4: https://www.voucherify.io/legal/data-processing-agreement
1. Name: Amazon Web Services EMEA SARL
Address: 38 Avenue John F. Kennedy, L-1855 Luxembourg
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Cloud Hosting and Storage, Servers based in region selected by Customer
2. Name: salesforce.com EMEA Limited
Address: Route de la Longeraie 9, Morges, 1110, Switzerland
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Cloud Hosting and CRM services, Servers based in Europe
3. Name: LogEntries brand of Rapid7 Ireland Ltd
Address: The One Building, 2nd Floor, 1 Grand Canal Street Lower, Dublin 2, Ireland
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Logs Storage and Incidents Tracking, Servers based in Europe
EUROPEAN COMMISSION COMMISSION IMPLEMENTING DECISION
on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council
C(2021) 3972 final ANNEX
Processor to Controller
Purpose and scope
- The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)1 for the transfer of personal data to a third country.
- The Parties:
1. the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
2. the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
- These Clauses apply with respect to the transfer of personal data as specified in Annex I. B.
- The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Effect and invariability of the Clauses
- These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
- These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
- Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
1. Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
2. Clause 8 - Clause 8.1 (b) and Clause 8.3(b);
3. Clause 13;
4. Clause 15.1(c), (d) and (e);
5. Clause 16(e);
6. Clause 18.
- Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
- Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
- These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
- These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7 - Optional
- An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
- Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
- The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
SECTION II – OBLIGATIONS OF THE PARTIES
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
MODULE FOUR: Transfer processor to controller
- The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.
- The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.
- The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.
- After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.
8.2 Security of processing
- The Parties shall implement appropriate technical and organisational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data7, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.
- The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.
- The data exporter shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
8.3 Documentation and compliance
- The Parties shall be able to demonstrate compliance with these Clauses.
- The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.
Use of sub-processors
Data subject rights
MODULE FOUR: Transfer processor to controller
The Parties shall assist each other in responding to enquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.
- The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
MODULE FOUR: Transfer processor to controller
- Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
- Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.
- Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
- The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
- The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Local laws and practices affecting compliance with the Clauses
MODULE FOUR: Transfer processor to controller (where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)
- The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
- The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
1. the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
2. the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
3. any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
- The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
- The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
- The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
- Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed bythe competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Obligations of the data importer in case of access by public authorities
MODULE FOUR: Transfer processor to controller (where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)
- The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
1. receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
2. becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
- If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
- Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
- The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
- Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
- The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
- The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
- The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Non-compliance with the Clauses and termination
- The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
- In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
- The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
1. the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
2. the data importer is in substantial or persistent breach of these Clauses; or
3. the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
- Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
- Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Transfer processor to controller
These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Poland.
Choice of forum and jurisdiction
Transfer processor to controller
Any dispute arising from these Clauses shall be resolved by the courts of Poland.
It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can [be] achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.
A. LIST OF PARTIES
See Annex 1 above
B. DESCRIPTION OF TRANSFER
See Annex 2 above
This Agreement has been entered into on the date stated at the beginning.
For an executable copy of this DPA, please visit this page.