Data Processing Agreement
v1.3 - Last revised on October 5, 2020
Agreement between Customer,
“Rspective” P. Rychlik Spółka jawna with its registered office in Katowice (40-246) at ul. Porcelanowa 23, entered in the register of entrepreneurs kept by the District Court Katowice-Wschód in Katowice, VIII Commercial Division of the National Court Register (KRS), under number KRS: 0000453920, Tax Identification Number NIP: 9542742375, represented by: Tomasz Pindel, Paweł Rychlik and Michał Sędzielewski, hereinafter referred to as Processor;
hereinafter referred to jointly as Parties and individually as Party.
Having in regard that the Parties are bound by the Subscription Agreement, the subject matter of which is the provision of services involving providing a software solution (“Voucherify”) as further specified on voucherify.io, that enables its customers to generate promotions, redeem them on mobile or web with client-side and backend Software Development Kits (SDKs), as well as fast-forward voucher functionality, having at the same time the security and scaling. Voucherify provides components to track and optimize customer’s digital promotion performance, gives access to redemption history, monitors acquisition channels, compares performance, allowing at the same time to automate campaign management with the simple UI as well as streamline data analytics with CSV import and export by the Processor to the benefit of the Transferor (hereinafter referred to as “ToS”), under which personal data are processed, the Parties mutually agreed as follows:
1. Subject matter
- By virtue of this Agreement the Customer transfers personal data to the Processor for processing in the scope and for the purpose as prescribed by this Agreement. The Processor shall process personal data in the scope and for the purpose as prescribed by this Agreement upon order of the Customer.
2. Representations and warranties
- The Customer declares that it is a personal data controller within the meaning of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”) which processes personal data in line with the applicable legal provisions, for a purpose directly connected with its business or professional activity.
- The Processor declares that it disposes of adequate funds, including adequate safeguards enabling the processing of personal data in accordance with the provisions of the GDPR and executory orders issued on its basis, in accordance with Article 28 of GDPR.
3. Scope and purpose of data processing
- The Processor may process personal data transferred by the Customer only in the scope and for the purpose as prescribed in this Agreement. Personal data shall be processed by the Processor only for the purpose of correct performance of the ToS.
- The data transfer shall comprise only those data which are essential for the Processor to properly co-operate with the Customer within the ToS, and which have been voluntarily provided to it by the Customer. The processing shall comprise the following personal data: surname and name; e-mail address; address; IP address; telephone number; and other personal data necessary for performance of the ToS if so instructed by the Customer separately in writing.
- The processed data indicated in paragraph 3.2 above shall refer to users of the software and Processor’s services.
- The processing of data shall be understood as any operation performed on personal data, such as collecting, fixing, storing, developing, altering, making available and erasing, in particular those performed in IT systems.
- Any change of the scope and purpose of the processing of personal data may only be introduced by means of amendment to this Agreement or the issuance of written instructions by the Customer.
4. Processor's obligations
- The Processor undertakes to abide by the provisions of the GDPR throughout the entire term of this Agreement.
- Only persons who are authorised by the Processor and who have been trained in the scope of methods of securing the processing of data may have access to the transferred personal data. Processor shall ensure that all such persons have executed written confidentiality agreements and that such confidentiality obligations survive the termination of the personnel engagement.
- The Processor shall provide the Customer with any information necessary to prove the fulfilment of the obligations prescribed by the generally applicable legal provisions in the scope of personal data protection and shall enable the Customer to carry out audits, including inspections, and shall contribute thereto where such audit is required for Customer’s compliance with the GDPR and is requested by Customer in accordance with the provisions of this Agreement. The Parties agree that an audit to be performed by the Customer shall remain an exception where the Processor is able to provide to the Customer all information for an appropriate assessment of the fulfilment of the Processor’s obligations under this Agreement such as industry-standard certifications confirming Processor’s compliance with the requirements of this Agreement including, but not limited to, ISO 27000 and SOCII type certificates. Where the Customer requests an audit to be performed by despite the Processor having provided all required documentation and certifications, such request shall be issued by the Customer to the Processor in writing specifying the reasons for such a request to be issued by the Customer.
- The Customer is obliged to notify the Processor on the date of the audit referred to in paragraph 4.3 above in a written statement sent to the address of the Processor’s registered office at least 4 (four) weeks before the planned audit date. The audit shall be carried out within the office working hours applicable at the Processor on business days, and the Customer shall reasonably ensure the audit is undertaken with minimal disruption to the Processor’s business and shall pay the other Party’s reasonable costs for assisting with the provision of information and allowing for and contributing to audits unless a material breach of the Agreement is determined to have occurred.
- The persons authorised to carry out the audit on behalf of the Customer are obliged, pursuant to a separate, written non-disclosure agreement, to keep confidential any information, documents, data, in particular of technical, commercial and financial character, pertaining to the Processor, or other received from the Processor of which they become advised or which they obtain in connection with the performance of the audit.
- The Processor taking into account the character of the processing, shall as far as possible support the Customer in fulfilling the obligation to respond to demands of a data subject within the frames of his/her rights by appropriate technical and organizational means. Upon Customer’s request, Processor shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Processor.
- Upon finishing the processing of data the Processor, depending on the Customer’s decision made in writing under the pain of nullity, is obliged to immediately erase or return the transferred data and to delete any existing copies, unless the generally applicable legal provisions require to store personal data. Upon each request of the Customer the Processor is obliged to present within 14 (in words: fourteen) days a written declaration confirming the fact that personal data have been destroyed.
- In connection with the processing of data, the Processor is obliged to immediately notify the Data Controller on each incident related to infringement of the security of the rules regulating the processing of the transferred data.
- In accordance with Art. 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of process, the Processor shall implement and maintain appropriate technical and organizational security measures to protect personal data from security incidents and to preserve the security and confidentiality of the Customer Data, in accordance with Rspective's security standards described in Annex A ("Security Measures").
- The Processor may engage another processor for the purpose of performing the ToS and within the frames of internal processes of service of the Controller by Rspective. The Sub-processors currently engaged by Rspective and authorized by Customer are listed in Annex A ("Sub-processors"). Customer will be given the opportunity to subscribe to notifications of new Sub-processors, and if Customer subscribes, Processor shall provide notification of a new Sub-processor(s) before authorizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the services under the ToS.
- Processor has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this Agreement with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub-processor.
- Customer may object to Processor’s use of a new Sub-processor by notifying Processor promptly in writing within ten (10) business days after receipt of Processor’s notice of a new Sub-processor. In the event Customer objects to a new Sub-processor, as permitted in the preceding sentence, Processor will use reasonable efforts to make available to Customer a change in the services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid processing of personal data by the objected-to new Sub-processor without unreasonably burdening the Customer. If Processor is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the agreement under the ToS by providing written notice to Processor.
- To the extent that there is a transfer of personal data from Processor to a Sub-processor outside the EEA, Processor will ensure, at its sole discretion, that any data export to a country outside the EEA is conducted in accordance with the requirements of the GDPR. As a consequence, such transfer shall be either covered by a decision of an EU body confirming that the respective country provides an adequate level of protection for personal data or is protected by adequate transfer mechanisms in compliance with the GDPR, including by certification in the Privacy Shield programs in the United States, Binding Corporate Rules and/or the then-current EU Standard Contractual Clauses.
6. Term of agreement
- This Agreement shall be concluded for the term of the agreement concluded by the Parties based on and in accordance to the ToS, in order to avoid doubt, termination of such agreement shall result in termination of this Agreement.
- The Processor shall be held liable for damage caused to third persons or the Customer which arose in connection with non-performance or improper performance of this Agreement by the Processor, in particular with the processing of personal data in violation of the Agreement, within the limits of actual damage incurred by the Customer or third persons, whereby the Processor shall not be held liable for damage caused by unintentional fault.
- The Customer shall be held liable on general terms for damage caused to the Processor in connection with the performance of this Agreement, in particular during the audit referred to in paragraph 4.3 above or other control activities.
- The Parties undertake to keep secret, within the term of this Agreement and for the period of 2 (in words: two) years upon its termination or expiration, in particular not to disclose to third persons and to exercise special care in order to secure, any information, documents, data, in particular of technical, commercial and financial character pertaining to the other Party, or other received from the other Party of which they were advised or which they obtained in connection with the conclusion or performance of this Agreement, irrespective of their form, including oral or written forms or a computer record, in particular information pertaining to the given Party’s technologies, work organisation, the method of pursuing business activity, legal or commercial relations, as well as provisions of the Agreement (hereinafter referred to as “Confidential Information”). The Confidential Information obtained by the given Party is each time regarded the Confidential Information, unless it is described as non-confidential by the other Party.
- The Parties shall exercise special care in order to secure the Confidential Information, irrespective of the form of the Confidential Information, including oral or written forms or a computer record.
9. Entire agreement
- Any amendment to this Agreement require written form, or otherwise shall be null and void.
- If any provision of this Agreement proves invalid entirely or in part, then the other provisions shall remain effective, whereas the Parties undertake, upon a request of either Party, to replace such invalid provisions with provisions whose legal effect and economic implications to the highest extent correspond to those of the replaced provisions.
- This Agreement shall be concluded in compliance with the law of the Republic of Poland.
- The Agreement shall become effective as of the day of its being signed by both Parties, whereby if the Parties fail to place their signatures in the same place and on the same time, the day on which the last of the Parties places its signature shall be deemed the date of signing the Agreement.
10. Final provisions
- None of the Parties may transfer its rights or delegate obligations arising out of this Agreement to any third person without a written consent of the other Party.
- Any dispute resulting from this Agreement shall be subject to Polish law and Polish common courts. The Parties shall make every effort to settle any dispute resulting from or related to this Agreement in an amicable way. If it is not possible for the Parties to settle a dispute amicably within one month, then such dispute shall be referred for final settlement to the common court with the jurisdiction over the registered office of the Processor.
- This Agreement was drawn up in two copies, one for each Party
Annex A to the Data Processing Agreement
Rspective uses a range of third party Sub-processors to assist it in providing the Services (as described in the ToS). These Sub-processors set out below provide cloud hosting and storage services; content delivery and review services; assist in providing customer support; as well as incident tracking, response, diagnosis and resolution services.
- The company under business name Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxemburg
- The company under business name salesforce.com EMEA Limited, Route de la Longeraie 9, Morges, 1110, Switzerland;
- The company under business name LogEntries brand of Rapid7 Ireland Ltd., The One Building, 2nd Floor, 1 Grand Canal Street Lower, Dublin 2, Ireland;
The Security Measures applicable to the Services are described here https://voucherify.io/legal/security-policy (as updated from time to time in accordance with Section 4.9 of this DPA).
For an executable copy of this DPA, please visit this page.