09.12.2022

DATA PROCESSING AGREEMENT

Publication: 12/09/2022.

BETWEEN:

Apicom Solutions OÜ, a limited liability company registered under the laws of Estonia, registration number: 16182813,
legal address: Harju maakond, Kuusalu vald, Pudisoo küla, Männimäe/1, 74626
(the “Data Processor”)

AND

Each individual Apicom Solutions OÜ Customer that ApiX-Drive processes data for and that has not otherwise entered into a valid data processor agreement with Apicom Solutions OÜ (the “Data Controller”)

(hereinafter referred to individually as a “Party” or together as the “Parties”)

Terms and definitions not defined in this document are defined in the ApiX-Drive Terms of Use.

“GDPR” means Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and the free movement of such data.

Personal data, processor and controller have the meaning given to them in Article 4 of the GDPR.

1. INTRODUCTION 

1.1. This Data Processing Agreement (“DPA”) specifies the Parties’ data protection obligations, which arise from the Data Processor’s processing of personal data on behalf of the Data Controller under the Plans, Privacy Policy, Terms of Use or other agreement between the Parties (“the Agreement”).

1.2. The DPA is adopted as an appendix to the Agreement. In the event that any provision of this DPA is inconsistent with any term(s) of the Agreement, the DPA will prevail.

2. PURPOSE, SCOPE AND RESPONSIBILITIES

2.1. The processing of your data by the Data Processor is carried out on the basis of the GDPR, namely:

  • based on your consent, if you have given us such consent (Art. 6 para. 1 lit. a GDPR);
  • for the conclusion or performance of a contract with you (Art. 6 para. 1 lit. b GDPR);
  • to fulfill legal obligations (Art. 6 para. 1 lit. c GDPR);
  • within the framework of a legitimate interest (Art. 6 para. 1 lit. f GDPR).

The Data Processor only processes personal data that you provide to us for use in connection with the use of our Service.

2.2. The purposes of data processing are:

  • Providing access to the Service and organizing its use by Users;
  • Communication between the Company and the User;
  • Advertising purposes, including advertising mailing;
  • Consideration of your application, including with regard to participation in the Affiliate program;
  • Improving our Service;
  • Fulfillment of the contract with you;
  • Company accounting;
  • The legitimate interest of the Company, including within the framework of statistics, marketing purposes and the protection of the Service from unlawful use.

2.3. The Data Processor shall only process personal data in accordance with the terms of this DPA.

2.4. The Data Processor shall process personal data for the limited purpose of performing the obligations set out under the Agreement. Data may, for that purpose, be processed by any of the Data Processor’s entities.

2.5. Data processing by the Data Processor shall include such actions as may be specified in the Agreement.

2.6. The term of this DPA shall continue until the latter of the following: the termination of the Agreement, or the date at which the Data Processor ceases to process personal data for the Data Controller.

2.7. The personal data to be processed by the Supplier concerns the categories of data, the categories of data subjects and the purposes of the processing set out in Privacy Policy (Part 2).

2.8. With the exception of the data described in Privacy Policy (Part 2), in no event will the data processed by the Data Processor include (examples are not exhaustive):

  • Personal data as set out in art. 9 or 10 in Regulation 2016/679 of 27 April 2016;
  • Financial data;
  • Personal data regarding criminal offenses, or
  • Data regarding persons’ economy, taxes, debt, sick days, family relations, residential circumstances, car, personality tests, exams or CVs.

3. TEMPLAFY DESKTOP

3.1. ApiX-Drive is provided on SaaS terms and provides the Data Controller with the ability, tools and functions to integrate and automate various third-party applications, websites and services with each other. The Data Controller agrees and accepts that the main purpose of creating ApiX-Drive is to facilitate and simplify the processes of automating the transfer of information between applications and services.

3.2. The Data Processor undertakes no responsibility for data uploaded by the Data Controller in ApiX-Drive.

3.3. To the extent that such upload of data constitutes processing of personal data, the Data Controller warrants:

  • that the Data Controller has the relevant legal basis for having and processing the personal data, including, if applicable, the relevant permissions from the data subject; and
  • that, if the transfer involves sensitive categories of data, cf. Part 2 of Privacy Policy, the data subject has been informed or will be informed before the transfer, or as soon as possible after, that its data could be transmitted to a third country not providing adequate protection within the meaning of the Data Protection Legislation.

4. OBLIGATIONS OF THE DATA PROCESSOR

4.1. The Data Processor warrants that the Data Processor will:

  • comply with the Data Protection Legislation from time to time applicable to the Data Processor’s obligations under the Agreement (“Data Protection Legislation”),
  • process any personal data transferred to or collected by the Data Processor only as a ‘processor’, as such terms are defined in the Data Protection Legislation, on behalf of the Data Controller,
  • implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the applicable Data Protection Legislation and ensure the protection of the rights of the data subjects,
  • ensure that Sub-processors undertake to process personal data in accordance with the Data Protection Legislation,
  • taking into account the nature of the processing, assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Data Controller's obligation to respond to requests for exercising the data subject's rights according to the Data Protection Legislation,
  • to a relevant extent assist the Data Controller in ensuring compliance with the requirements for security of personal data,
  • make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits.

5.  TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

5.1. The Data Processor will implement and maintain throughout the term of the DPA and will procure its Sub-processors to implement and maintain through the term of the DPA, the appropriate technical and organizational security measures to protect personal data against accidental or unlawful destruction, loss, damage or alteration and against unauthorized disclosure, abuse or other processing in violation of the requirements of Data Protection Legislation.

5.2. The Data Processor will ensure that it and its Sub-processors involved in the processing of personal data at all times comply with the minimum data security requirements set out in Exhibit 1. 

5.3. The Data Processor ensures security by pseudonymizing and encrypting personal data and Content of the Data Controller, and by regularly testing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing. The Data Processor implements and maintains various security measures designed to protect ApiX-Drive and the Data Controller’s data from unauthorized access, unauthorized processing or disclosure to unauthorized third parties.

5.4. The Data Processor undertakes to notify the Data Controller of any breach of the security of data processing and storage and/or data leakage by the method and within the time frame provided for by applicable law.

6.  PERSONNEL

6.1. The Data Processor will procure that any personnel of the Data Processor required to access personal data have committed themselves to the obligation of confidentiality set out in the Agreement or are under a statutory obligation of confidentiality.

6.2. The Data Processor will procure that all personnel of the Data Processor required to access personal data are informed of the confidential nature of the personal data and the security procedures applicable to the processing of or access to the personal data.

6.3. The undertaking of the Data Processor’s personnel to abide by such confidentiality requirements will continue after the end of the term of this DPA.

7.  ASSISTANCE TO THE DATA CONTROLLER

7.1. The Data Processor shall provide reasonable and timely assistance to Data Controller to enable Data Controller to respond to:

  • any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and
  • any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, inquiry or complaint is made directly to Data Processor, Data Processor shall promptly inform Data Controller providing full details of the same.

7.2. The Data Processor shall provide Data Controller with reasonable cooperation to enable Data Controller to conduct any data protection impact assessment that it is required to undertake under Applicable Data Protection Law.

8.  SUB-PROCESSORS

8.1. The Data Processor shall meet the requirements specified in Article 28(2) and (4) GDPR in order to engage another processor (a Sub-processor).

8.2. With this DPA, the Data Processor has the Data Controller’s general authorization for the engagement of Sub-processors for the purpose of performing the obligations set out under the Agreement. The Sub-processors, approved by the Data Controller by the signing of this DPA, are listed in Exhibit 2. The Data Processor shall update the list with details of any change in Sub-processors at least 30 days prior to any such change (except to the extent a 30 days’ notice is not possible due to an emergency) and notify the Data Controller of such change via the Data Processor’s usual e-mail notification process.

8.3. The Data Controller’s data may be transferred to providers and contractors in countries outside the European Economic Area (EEA). The Data Processor only transfers personal data to third countries where the EU Commission has confirmed an adequate level of protection or where the Data Processor and contractors can ensure that personal data is treated with care.

8.4. Data processing by individual entrepreneurs: some of the personal data of the Data Controller can be transferred for processing to individual entrepreneurs registered in accordance with the legislation of Ukraine. Such individual entrepreneurs provide services to the Data Processor in accordance with agreements between the Data Processor and such individual entrepreneurs and process such data in the interests and on behalf of the Data Processor. Such individual entrepreneurs process the personal data of the Data Controller in accordance with this DPA, Privacy Policy and the legislation applicable to the Data Processor on the processing of personal data. 

8.5. The Data Controller may object to such new Sub-processor for justified reasons relating to data protection. In the case of a justified objection, the Parties shall negotiate in good faith to find an alternative solution. If such alternative solution cannot be found and the Data Processor decides to proceed with such Sub-processor, the Data Controller can terminate the Agreement with a notice of 30 days. Neither of the Parties shall be considered in breach of contract in the event of such termination.

9. TRANSFER OF DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS

9.1. Any transfer of personal data to third countries or international organizations by the Data Processor shall only occur on the basis of documented instructions from the Data Controller and shall always take place in compliance with Chapter V GDPR.

9.2. If any Data Controller Data originates from any country (other than an EEA country) with one or more laws imposing data transfer restrictions or prohibitions and Data Controller has informed Data Processor of such data transfer restrictions or prohibitions, Data Controller and Data Processor shall ensure that an appropriate transfer mechanism (satisfying the country’s data transfer requirement(s)) is in place, as reasonably requested by Data Controller and mutually agreed upon by both Parties, before transferring or accessing Data Controller’s Data outside of such country. For the avoidance of doubt, this transfer restriction does not pertain to Data Controller or its Affiliates’ Authorized Users who have access to the Software and Data Controller Data, and Data Processor shall not be held responsible for actions of Data Controller or its Affiliates’ Authorized Users. Neither Data Controller nor its Authorized Users shall be entitled to use ApiX-Drive in any country with data localization laws that would require Data Controller’s environment to be hosted in said country.

10.  OBLIGATIONS OF THE DATA CONTROLLER

10.1. The Data Controller and the Data Processor will be separately responsible for conforming with the Data Protection Legislation as applicable to them.

10.2. The Data Controller shall be responsible, among others, for ensuring that the processing of personal data, which the Data Processor is instructed to perform, has a legal basis.

10.3. The Data Controller will inform the Data Processor in writing without undue delay following the Data Controller’s discovery of a failure to comply with Data Protection Legislation with respect to processing of personal data in accordance with this DPA. 

10.4. The Data Controller shall be responsible for providing accurate and relevant contact details after entering into the Agreement and thereafter to assist in Data Processor’s notification obligations. 

11. RIGHTS OF DATA SUBJECTS

11.1. As a data subject under the GDPR, you have the following rights:

  • request access to information about the processing and personal data processed by us about you and receive a copy of such data;
  • request correction, deletion or blocking of your personal data;
  • request the restriction of the processing of your personal data;
  • object to the processing of your personal data;
  • the right to the portability of your personal data;
  • the right not to subject the data to automation, including profiling;
  • withdraw your consent at any time if you have given your consent to the processing of your personal data;
  • the right to report a violation of the rules for the processing of personal data;
  • the right to lodge a complaint with the competent supervisory authority about a violation of applicable data processing legislation.

11.2. In addition to making a request to the Service support service, you can partially exercise your rights as a data subject in the ApiX-Drive using the tools in your Personal Account. For example, you have the opportunity to ask the support service to delete your personal data or independently change the data in your Personal Account. In the event that we are required to keep records of some of your personal data, for example, for accounting purposes, this information is stored. All other information, including personal data, we delete within 5 calendar days from the date of your request to do so.

12.  NOTIFICATION OF DATA BREACH

12.1. The Data Processor shall without undue delay, and no later than 36 hours, in writing, notify the Data Controller in case of any identified or potential breach of personal data processed under the DPA.

12.2. The notification referred to in section 12.1. must, to the extent possible:

  • describe the nature of the personal data breach (e.g., loss, theft, copying) including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned,
  • communicate the name and contact details of the person with the Data Processor where more information can be obtained, 
  • describe the likely consequences of the personal data breach, and 
  • describe the measures taken or proposed to be taken by the Data Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects. 

13.  ADDITIONAL ASSIGNMENTS

13.1. The Data Processor shall carry all costs associated with compliance with this DPA in its capacity as the Data Processor.

13.2. The Data Controller shall carry all costs associated with compliance with this DPA in its capacity as the Data Controller.

13.3. In respect of tasks of the Data Processor, that are not an obligation under this DPA, cf. the sections above, the Data Processor shall be entitled to charge the Data Controller for the additional resources, time and material necessary to fulfill the required task(s), unless such services are already included in the services rendered under the Agreement. 

13.4. The Data Processor will notify the Data Controller in advance of such additional charges and, to the extent possible, provide the Data Controller with a quote of the expected costs.

13.5. If the Data Controller cannot agree to the costs, the Data Processor shall be entitled not to perform the additional assignment and to terminate the Agreement with a notice of 30 days. The Data Processor shall not be considered in breach of contract in this event. 

14. PERIOD OF DATA PROCESSING AND STORAGE

14.1. The Data Processor stores personal data of the Data Controller and the Data Controller’s User Content only as long as it is necessary for the purposes for which they are processed, including to provide you with services, that is, as long as the Controller keeps an Account on the Service. The Data Processor will also retain some personal and other information of the Data Controller as needed to comply with our legal obligations, resolve disputes, and ensure our legitimate interests are respected.

14.2. The Data Processor will delete the Data Controller’s personal data and User Content stored by us as soon as the Data Processor no longer needs to process them for the purposes specified in this DPA and Privacy Policy. If it is permissible, the Data Processor will also delete the Data Controller’s personal data upon the Data Controller’s written request to the Service support service.

14.3. The Data Processor stores data:

  • if you have consented to the processing until you withdraw your consent;
  • if we need the data to fulfill a contractual obligation as long as there is a contractual relationship with you or a legal storage period;
  • if we use the data based on a legitimate interest, then no longer than until your interest in deletion or anonymization prevails;
  • if there is a legal storage obligation, until the end of those storage obligations;
  • as indicated in Part 2 of Privacy Policy for different types of information.

15. CONTACTS FOR ALL DATA PROTECTION ISSUES

If you have any questions regarding our data protection measures, the processing of your personal data or the protection of your rights, please contact us as follows:

Apicom Solutions OÜ, location: Harju county, Kuusalu parish, Pudisoo village, Männimäe/1, 74626.

Email address: [email protected] 

If you have particularly sensitive questions, please contact our data protection officer or our support by mail, as there can always be security issues when communicating by e-mail.

EXHIBIT 1: DESCRIPTION OF MINIMUM DATA SECURITY

The Data Processor has implemented and will maintain appropriate administrative, technical and organizational safeguards to protect personal data.

Technical and organizational measures baseline 

1. System Access Controls

Data Processor shall take reasonable measures to prevent personal data from being used without authorization. These controls shall vary based on the nature of the processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes and/or logging of access on several levels.

2. Data Access Controls

Data Processor shall take reasonable measures to provide that personal data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the personal data to which they have privilege of access; and, that personal data cannot be read, copied, modified or removed without authorization in the course of processing. The Data Processor shall take reasonable measures to implement an access policy under which access to its system environment, to personal data and other data is by authorized personnel only.

3. Transmission Controls 

Data Processor shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of personal data by means of data transmission facilities is envisaged so personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.

4. Input Controls

Data Processor shall take reasonable measures to provide that it is possible to check and establish whether and by whom personal data has been entered into data processing systems, modified or removed. Data Processor shall take reasonable measures to ensure that (i) the personal data source is under the control of data exporter; and (ii) personal data integrated into Data Processor’s systems is managed by secured file transfer from the Data Processor and data subject.

EXHIBIT 2: AUTHORIZED SUB-PROCESSORS

The Data Processor may use the following Sub-processors, as applicable, in connection with providing related services to the Data Controller.

Name: Google Analytics (Google LLC, 1600 Amphitheatre Parkway, Mountain View, California, 94043, USA)
Address: https://analytics.google.com
Provides us with the following services: Analytics of user behavior on the site.
Purpose of data transfer: Analytics of user interaction with the site and personal account to improve usability
Link to privacy policy: https://policies.google.com/privacy

Name: Facebook (Facebook, Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA)
Address: https://www.facebook.com
Provides us with the following services: Targeted advertising Facebook ADS.
Purpose of data transfer: Display of targeted advertisements for users who have already been on the site (remarketing)
Link to privacy policy: https://www.facebook.com/about/privacy/previous

Name: Gmail (Google LLC, 1600 Amphitheatre Parkway, Mountain View, California, 94043, USA)
Address: https://gmail.com
Provides us with the following services: Sending emails.
Purpose of data transfer: Sending a notification of the need for payment and receiving support requests via e-mail
Link to privacy policy: https://policies.google.com/privacy

Name: Google ADS (Google LLC, 1600 Amphitheatre Parkway, Mountain View, California, 94043, USA)
Address: https://ads.google.com
Provides us with the following services: Google ADS Contextual Advertising.
Purpose of data transfer: Display of contextual advertising for users who have already been on the site (remarketing)
Link to privacy policy: https://policies.google.com/privacy

Name: Google Recaptcha (Google LLC, 1600 Amphitheatre Parkway, Mountain View, California, 94043, USA)
Address: https://www.google.com/recaptcha/about
Provides us with the following services: Protection against massive registrations of bots on the site.
Purpose of data transfer: Protection against registrations created in automatic mode through a network of bots
Link to privacy policy: https://policies.google.com/privacy

Name: DigitalOcean (DigitalOcean LLC, 101 Avenue of the Americas, 10th Floor, New York, NY 10013 USA)
Address: http://digitallocean.com
Provides us with the following services: Hosting.
Purpose of data transfer: Processing of data by servers at the time of transfer of data from one system to another
Link to privacy policy: https://www.digitalocean.com/legal/privacy-policy/

Name: OVH (OVH Hosting Limited, Enterprise House, O'Brien Road, Co. Carlow, Carlow, R93Y0Y3, Ireland)
Address: http://ovh.com
Provides us with the following services: Hosting.
Purpose of data transfer: Processing of data by servers at the time of transfer of data from one system to another
Link to privacy policy: https://www.ovh.com/ca/en/support/privacy-policy.xml

Name: Stripe (Stripe, Inc., 354 Oyster Point Boulevard, South San Francisco, California, 94080)
Address: https://stripe.com
Provides us with the following services: Acceptance of payments.
Purpose of data transfer: Acceptance of payments from users, the payment provider receives data for making payments from the user's card
Link to privacy policy: https://stripe.com/privacy

Name: SendPulse (SendPulse Inc, 220 E 23rd St #401, New York, NY 10010)
Address: https://sendpulse.ua
Provides us with the following services: Email mailing to users.
Purpose of data transfer: Sending a digest with the news of our service, notification of the need for payment
Link to privacy policy: https://sendpulse.com/legal/pp

Name: MeisterTask (MeisterLabs GmbH, Zugspitzstrasse 2, 85591 Vaterstetten, Germany)
Address: https://www.meistertask.com
Provides us with the following services: Task scheduling and team communication.
Purpose of data transfer: Processing bugs received from users. Data may be needed in the process of investigating the causes of bugs
Link to privacy policy: https://www.meisterlabs.com/privacy