Last Update: August 31st, 2022
DATA PROCESSING AGREEMENT
#1. PARTIES AND SUBJECT
1.1 This Data Processing Agreement (hereinafter "Agreement") is entered into between Altogic, Inc., a private company established at 1401 Pennsylvania Ave, Unit 105, Wilmington, 19806, County of New Castle, Delaware, USA (hereinafter "Altogic" or "Data Processor") and any person or organization that uses the https://www.altogic.com services as data processor under the scope of the General Data Protection Regulation or other applicable data protection laws (hereinafter "Data Processor" or "Client"). Hereinafter Altogic and Client may be individually referred to as "Party" and collectively as "Parties".
1.3.1. The Client acts as a Data Controller or is a data processor which processes data under the supervision and control of another Data Controller,
1.3.2. The Client uses the services of the "Data Processor", which imply the processing of personal data by the Parties.
1.3.3. The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework which may be applicable to the Client as a Data Controller - and consequently Altogic as the Data Processor - in relation to data processing.
1.3.4. The Parties wish to lay down their rights and obligations with regard to the protection of natural persons vis-à-vis the processing of personal data and on the free movement of such data.
2.1. Data Protection Authority (DPA): the regulatory agency outlined in any applicable data protection regulation (e.g. Section 4.21 of the GDPR).
2.2. Data Protection Laws: means the data protection or privacy laws applicable to the Parties, including the GDPR.
2.3. GDPR: the European Union General Data Protection Regulation 2016/679. The GDPR, having become an international standard and beacon in personal data protection regulation, has been used as a standardizing regulation in this Agreement. Therefore any particular reference made to specific articles of the GDPR in the following paragraphs shall be taken to mean the corresponding provisions of any applicable Data Protection Laws.
2.4. Data Processor: Altogic which, as part of the services it provides to its Clients, processes Personal Data on behalf of its Client as part of the performance of the Agreement.
2.5. Data Processing Statement: a statement issued by the Data Processor in which it provides information on the intended use of its product or service, any security measures which have been implemented, sub-processors, data breach, certification and dealing with the rights of Data Subjects, among other things.
2.6. Data Subject: a natural person who can be identified, directly or indirectly.
2.7. Client or Member: the party on whose behalf the Data Processor processes Personal Data. The Client may be either the controller (the party who determines the purpose and means of the processing) or another data processor.
2.10. Services: means the services the Client provides in the https://www.altogic.com platform, including but not limited to database, authentication and Storage.
2.11. Contracted Processor or Sub-processor: means any person appointed by or on behalf of processor to process personal data on behalf of the Client in connection with the Agreement.
#3. SCOPE OF AGREEMENT
3.1. Data processed as per this Agreement includes data belonging to or controlled by the Client as the Data Controller and stored, read or processed in Altogic Services, databases and storages.
3.2. Altogic provides a backend application development and execution platform to its Clients. Therefore, front-end and other Client infrastructure not hosted by Altogic is outside the scope of this Agreement.
3.3. Client hereby instructs Data Processor to process Client Personal Data.
#4. GENERAL PROVISIONS
4.1. The present Agreement applies to all Personal Data processing operations carried out by the Data Processor in providing its Services, as well as to all other agreements and offers between the Parties. The applicability of the Client's data processing agreements is expressly rejected.
4.2. The Data Processing Statement, and particularly the security measures outlined in it, may be adapted from time to time to changing circumstances by the Data Processor. The Data Processor will notify the Client in the event of significant revisions. If the Client cannot reasonably agree to the revisions, the Client will be entitled to terminate the data processing agreement in writing, stating its reasons for doing so, within thirty days of having been served notice of the revisions.
4.3. The Data Processor will process the Personal Data on behalf of the Client, in accordance with the written instructions provided by the Client and accepted by the Data Processor.
4.4. The Client or its customer will serve as the controller within the meaning of Data Protection Laws (in particular the GDPR), will have control over the processing of the Personal Data and will determine the purpose and means of processing the Personal Data.
4.5. The Data Processor will serve as the processor within the meaning of Data Protection Laws (in particular the GDPR) and will therefore not have control over the purpose and means of processing the Personal Data, and will not make any decisions on the use of the Personal Data and other such matters.
4.7. The Client will guarantee to the Data Processor that it acts in accordance with applicable Data Processing Laws, that it provides a high level of protection for its systems and infrastructure at all times, that the nature, use and/or processing of the Personal Data are not unlawful and that they do not violate any third party's rights.
4.8. Administrative fines imposed on the Client by any applicable Data Protection Authority will not be able to be recouped from the Data Processor, except in the event of willful misconduct on the part of the Data Processor's management team.
5.1. The Data Processor will implement the technical and organizational security measures outlined in its Data Processing Statement. In implementing the technical and organizational security measures, the Data Processor will take into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of the processing operations and the intended use of its products and services, the risks inherent in processing the data and risks of various degrees of likelihood and severity to the rights and freedoms of Data Subjects that are to be expected considering the nature of the intended use of the Data Processor's products and services.
5.2. Unless explicitly stated otherwise in the Data Processing Statement, the product or service provided by the Data Processor will not be equipped to process special categories of personal data or data relating to criminal convictions and offences. Also, Altogic does not intend use of its Services to create obligations under the Health Insurance Portability and Accountability Act, as amended ("HIPAA"), and makes no representations that the Services thereof satisfy HIPAA requirements.
5.3. The Data Processor seeks to ensure that the security measures it will implement are appropriate for the manner in which the Data Processor intends to use the product or service.
5.4. In the Client's opinion, said security measures provide a level of security that is tailored to the risks inherent in the processing of the Personal Data used or provided by the Client, taking into account the factors referred to in Article 5.1.
5.5. The Data Processor will be entitled to adjust the security measures it has implemented if it feels that such is necessary for a continued provision of an appropriate level of security. The Data Processor will record any significant adjustments it chooses to make, e.g. in a revised Data Processing Statement, and will notify the Client of said adjustments where relevant.
5.6. The Client may request the Data Processor to implement further security measures. The Data Processor will not be obliged to honor such requests to adjust its security measures. If the Data Processor makes any adjustments to its security measures at the Client's request, the Data Processor will be allowed to invoice the Client for the costs associated with said adjustments. The Data Processor will not be required to actually implement these security measures until both Parties have agreed in writing and signed off on the security measures requested by the Client.
#6. DATA BREACHES
6.1. The Data Processor does not guarantee that its security measures will be effective under all conditions. If the Data Processor discovers a data breach within the meaning of Article 4.12 of the GDPR, it will notify the Client without undue delay. The "Data Breach Protocol" section of the Data Processing Statement outlines the way in which the Data Processor will notify the Client of data breaches.
6.2. It is up to the Controller (the Client or its customer) to assess whether the data breach of which the Data Processor has notified the Controller must be reported to any relevant Data Protection Authority or to the Data Subject(s) concerned. The Controller (the Client or its customer) will at all times remain responsible for reporting data breaches which must be reported to any relevant Data Protection Authority and/or Data Subjects pursuant to applicable Data Protection Laws. The Data Processor is not obliged to report data breaches to any relevant Data Protection Authority and/or to the Data Subject on behalf of the Client (or its customer).
6.3. Where necessary, the Data Processor will provide more information on the data breach and will help the Client meet its breach notification requirements within the meaning of applicable Data Protection Laws by making all reasonable efforts to provide all the necessary information it has access to.
6.4. If the Data Processor incurs any reasonable costs in doing so, it will be allowed to invoice the Client for these, at the rates applicable at the time.
7.1. The Data Processor will ensure that the persons processing Personal Data under its responsibility are subject to a duty of confidentiality.
7.2. The Data Processor will be entitled to furnish third parties with Personal Data if and insofar as such is necessary due to a court order, statutory provision or legal order to do so issued by a government agency.
7.3. Any and all access and/or identification codes, certificates, information regarding access and/or password policies provided by the Data Processor to the Client, and any and all information provided by the Data Processor to the Client which gives effect to the technical and organizational security measures included in the Data Processing Statement are confidential and will be treated as such by the Client and will only be disclosed to authorized employees of the Client. The Client will ensure that its employees comply with the requirements outlined in this article.
#8. TERM AND TERMINATION
8.3. If the data processing agreement is terminated, the Data Processor will delete all Personal Data it currently stores and which it has obtained from the Client within the timeframe laid down in the Data Processing Statement, in such a way that the Personal Data will no longer be able to be used and will have been rendered inaccessible. Alternatively, if such has been agreed, the Data Processor will return the Personal Data to the Client in a machine-readable format.
8.4. Agreement between the Client and Data Processor associated with the provisions of Article 8.3 shall include compensation for any costs incurred by Data Processor in providing such machine-readable format, which shall be invoiced to the Client at the rates applicable at the time. Further arrangements relating to this subject can be laid down in the Data Processing Statement.
8.5. The provisions of Article 8.3 do not apply if the Data Processor is prevented from removing or returning the Personal Data in full or in part by a statutory provision. In such cases, the Data Processor will only continue to process the Personal Data insofar as such is necessary by virtue of its statutory obligations. Furthermore, the provisions of Article 8.3 will not apply if the Data Processor is the Controller of the Personal Data within the meaning of the GDPR.
#9. THE RIGHTS OF DATA SUBJECTS, DATA PROTECTION IMPACT ASSESSMENTS (DPIA) AND AUDITING RIGHTS
9.1. Client is under the obligation to provide obligatory information and documentation to be made in accordance with any applicable legislation or to be obtained from relevant persons such as but not limited to Personal Data Processing Policy, Personal Data Clarification Text, Related Person Explicit Consent Form which are used to inform personal data subject persons on the nature of the data processed while interacting with the services hosted by Client in the Data Processor's services. All kinds of legal, administrative and criminal liability which may arise due to Client's failure to fulfill such notification and documentation obligations belong exclusively to Client.
9.2. Where possible, the Data Processor will cooperate with reasonable requests made by the Client relating to Data Subjects claiming alleged rights from the Client. If the Data Processor is directly approached by a Data Subject, it will refer the Data Subject to the Client where possible.
9.3. If the Client is required to carry out a Data Protection Impact Assessment or a subsequent consultation within the meaning of Articles 35 and 36 of the GDPR (or similar legislation), the Data Processor will cooperate with such, following a reasonable request to do so.
9.4. In case of a Data Protection Impact Assessment request, the Data Processor will be able to demonstrate its compliance with its requirements under the data processing agreement by means of a valid Data Processing Certificate or an equivalent certificate or audit report (third-party memorandum) issued by an independent expert.
9.5. Data Processor will be allowed to invoice the Client for the costs associated with this Article 9. Data Processor will not be required to actually implement any measures contained herein until both Parties have agreed in writing and signed off on the requests made by the Client under this Article 9.
10.1. The Data Processor has outlined in the Data Processing Statement whether the Data Processor uses any third parties (sub-processors) to help it process the Personal Data, and if so, which third parties.
10.2. The Client authorizes the Data Processor to hire other sub-processors to meet its obligations under the Agreement.
10.3. The Data Processor will notify the Client if there is a change with regard to the third parties hired by the Data Processor, e.g. through a revised Data Processing Statement. The Data Processor will ensure that any third parties it hires will commit to ensuring the same level of Personal Data protection as the security level the Data Processor is bound to provide to the Client pursuant to the Data Processing Statement.
#11. OTHER PROVISIONS
11.2. Altogic will alert the Client about any changes to the Data Processing Statement by updating the "Last updated" date of the Data Processing Statement posted and available at https://www.altogic.com/dpa and Client hereby waives any right to receive specific notice of each such change. It is the Client's responsibility to periodically review the Data Processing Statement to stay informed of updates. Client will be subject to and will be deemed to have been made aware of and to have accepted, the changes in any revised Data Processing Statement by continued use of the Services after the date such revisions are posted.
11.3. Parties hereby AGREE TO THE USE OF ELECTRONIC SIGNATURES OR OTHER FORMS OF ELECTRONIC APPROVAL (e.g. checkbox) for the execution and conclusion of this Agreement and waive any and all defenses based on the electronic form of this Agreement and the lack of signing by the parties hereto to execute this Agreement. In case of any dispute between the Parties regarding the execution and conclusion of this Agreement, Data Processor's electronic records shall prevail.
#12. APPLICABLE LAW AND JURISDICTION
12.1. These terms and conditions are governed by and construed in accordance with the laws of the State of Delaware, USA and you irrevocably submit to the exclusive jurisdiction of the courts in that State or location, without prejudice to the right of consumers to submit to the court of their domicile (if applicable).
DATA PROCESSING STATEMENT
This Data Processing Statement is an annex of the DATA PROCESSING AGREEMENT between the Data Controller and Altogic, the Data Processor.
1.1. This Data Processing Statement (hereinafter "Statement") is entered into between Altogic, Inc., a private company established at 1401 Pennsylvania Ave, Unit 105, Wilmington, 19806, County of New Castle, Delaware, USA (hereinafter "Altogic" or "Data Processor") and any person or organization that uses the https://www.altogic.com services as data controller under the scope of the General Data Protection Regulation or other applicable data protection laws (hereinafter "Data Controller", "Client" or "Member"). Hereinafter Altogic and Client may be individually referred to as "Party" and collectively as "Parties".
#2. TECHNICAL CONTACT PERSON
2.1. Upon the conclusion of the Agreement, Client shall appoint a Technical Contact Person, who shall act as the contact person for any issues related to personal data protection.
2.2. Within a week of the conclusion of the Agreement, Client shall provide certain personal information pertaining to the Technical Contact Person to Altogic in order to facilitate the uninterrupted flow of information between the Parties.
2.3. For the purposes of this article, Client is required to inform Altogic of the Name, Surname, Postal Address, Email Address, Telephone Number information of its Technical Contact Person.
2.4. Client's Technical Contact Person shall act as the contact person responsible for the personal data protection issues between the Client as a Data Controller and Altogic as the Data Processor.
2.5. Any change in the Client's Technical Person shall not bind Altogic unless and until the Client informs Altogic of the relevant change as well as the contact information of the newly appointed Technical Contact Person.
#3. SECURITY MEASURES IN PLACE
3.1. The security of all data and especially any personal data is important to Altogic. We use commercially reasonable efforts to store and maintain personal data in a secure environment. We also take technical, contractual, administrative, and physical security steps designed to protect any and all personal data provided to Altogic as Data Processor. We have implemented procedures designed to limit access to personal data provided by the Data Controller so as to ensure that only designated staff as are reasonably necessary to carry out the Agreement between the Parties have access thereof.
3.3. In order to ensure this end, Data Processor has security measures in place to identify any unauthorized access to the Data Controller's account. The "Account Security" tab allows the Data Controller to view a list of devices that have logged into its account. Data Controller can sign out any sessions that it does not recognize. If the Data Controller loses access to any phone/device it uses to access data stored by Data Processor, the Account Security tab enables them to sign out everywhere except their current session. The "Security Log" tab allows the Data Controller to view a historical set of records that provide information on the sequence of activities that have affected their account and profile information in Altogic. Using security logs, the Data Controller can view all changes that have been made to their account and profile.
3.4. Data Processor is not liable for disclosure of data due to errors in transmission, unauthorized access or acts by third parties, or omissions or acts beyond the Data Processor's reasonable control. Although the Data Processor employs commercially reasonable measures of security, it also cannot guarantee that any personal data may not be accessed, disclosed, altered, or destroyed by breach of any of its physical, technical, or managerial safeguards by persons or systems with malicious intent.
3.5. In the event we become aware of a security breach that could result in personal data being disclosed in a manner that is not authorized under this Statement or the Agreement, Data Processor shall notify the Data Controller via the Technical Contact Person as per the provision of the article titled "Data Breach Protocol" below.
#4. DATA BREACH PROTOCOL
4.1. Altogic is committed to the protection of the personal data processed as per the Agreement between Altogic and the Client. However, in case of any data leak or breach which occurs on the part of Altogic, the data processor will follow the following data breach protocol to ensure that Clients are notified of incidents.
4.2. A relevant internal data breach procedure is in place. Data processor will set up a team in order to analyze the cause, the impact and the affected customers. Depending on the outcome of this analysis, Clients will be notified by means of an e-mail that is sent to the technical contact person within 24 hours.
4.3. Altogic will provide highly detailed information about:
4.3.1. The nature of the breach, including a description of the incident, the nature of the personal data or categories of affected data subjects, an estimate of the number of affected data subjects and databases that may be affected, as well as an indication of when the incident occurred;
4.3.2. Any measures already taken by Altogic in order to stop the breach;
4.3.3. Any measures to be taken by the controller or the affected data subjects (what can the affected data subjects themselves do, such as "keep an eye on your e-mails, change your passwords");
4.3.4. Any measures to be taken by Altogic in order to prevent a future breach.
4.4. Clients shall be notified within 24 hours of Altogic learning of any data breach, if possible. Altogic does not own the data and cannot notify any applicable Data Protection Authority or data subjects. The data processor will support the Client or the controller during the notification process, if so required.
4.5. Nothing contained in this Article shall prejudice the Parties' rights and obligations under Articles 5 and 6 of the Agreement.
4.6. We have implemented the following security measures:
4.6.1. The data centers, where Altogic has servers, are equipped with camera surveillance and visitor registration systems and are ISO:27001:2013 certified. Please be advised that unless otherwise stated, the Site and all its contents (including any content generated by Member applications) is hosted in servers located primarily in the United States of America.
4.6.2. If as Data Controller you are collecting personal data from data subjects in any other region of the world with laws or other requirements governing personal data collection, use, or disclosure that differ from applicable laws in the United States of America, then through your continued use of the Site, you agree that you have the authority to transfer the personal data of such data subjects to the United States of America. Please be advised that Altogic may also store data in reputable third-party data centers in different locations around the world, and this provision shall apply equally if your data is stored in such data centers.
4.6.3. The (database) servers can be accessed only via Altogic's trusted network locations.
4.6.4. Procedures are in place, which means only authorized personnel have access to the personal data. A non-disclosure and confidentiality agreement ensures this still applies when a member of staff leaves the company.
4.6.5. Our web servers and database servers are firewall-protected.
4.6.6. All data shall be stored as securely as possible.
4.6.7. Encryption will be used when possible.
4.6.8. All data will be transmitted with the highest possible form of encryption that is supported.
4.7. We regularly revise our security measures outlined above to ensure that we are always fully prepared and up to date with regard to data protection.
#5. PRIVACY BY DESIGN APPROACH
5.1. When Altogic, as data processor, designed the product or service in the Site, it applied the privacy-by-design approach in the following manner:
5.1.1. Data Controller Members upload their own data and can edit and remove it. As data processor Altogic does not check the data and will only view the data at the Member's request. This may be necessary in order to respond to a question from the Member, for instance.
5.1.2. A number of fields needed for the correct performance of the service are saved.
5.1.3. As Data Processor Altogic adheres to the Data Processing Agreement concluded between Altogic and its Members.
#6. DATA PROCESSOR'S SUB-PROCESSORS
6.1. Altogic as the data processor uses the following sub-processors: Google Cloud Platform ("GCP"), leveraging GCP data centers which are (unless otherwise stated) located within the continental United States in order to process the information collected by the Data Controller.
#7. DATA SUBJECT REQUESTS
7.1. As data processor Altogic will support its Data Controller Members in the following way when they receive requests from data subjects:
7.1.1. Requests to inspect, correct or remove data should be sent to [email protected].
7.1.2. After receiving the request, we will process and confirm it within five (5) working days.
#8. TERMINATION OF DATA PROCESSING
8.1. After termination of the agreement with the Data Controller, Data Processor, in principle, removes the personal data that it processes for the Member in such a way that it can no longer be used and is no longer accessible (it is rendered inaccessible).