Data Processing Agreement
Parties
Client, hereby also referred as ”Controller”, Doctave Oy (Business ID: 3215500-7), Susitie 3 A 4, 00800 Helsinki (”Processor”) referred to collectively as the “Parties” and each individually as “Party”.
Background And Purpose
This Data Processing Agreement (“DPA”) sets out the terms and conditions for the processing of Controller’s personal data (“Personal Data”) by Processor on behalf of Controller on the basis of the agreement (“Agreement”) signed by the parties. The target, duration, nature, and purpose of the processing as well as the types of personal data to be processed and the categories of the data subjects are defined in Appendix 1.
“Data Protection Legislation” shall in this DPA mean any applicable data protection legislation as amended from time to time (including but not limited to the General Data Protection Regulation, “GDPR” (2016/679/EU) and the Finnish data protection legislation.
Client shall serve as the Controller and Doctave Oy as the Processor of the personal data. A person whose personal data is processed by the Processor pursuant to this DPA and the Agreement is a data subject. These definitions are specified in Data Protection Legislation.
The Parties understand and agree that if the supervisory authorities issue binding instructions related to the matter following the signature of this DPA, this DPA may have to be amended. The Parties will agree on such amendments jointly in writing.
The Controller’s Rights And Obligations
The Controller:
- processes personal data in accordance with Data Protection Legislation and good processing practice;
- is responsible for having the necessary rights and consents to the processing of personal data in accordance with the Agreement and this Data Processing Agreement and has informed the data subjects in the manner required by the Data Protection Legislation; and
- is entitled to provide the Processor with written further instructions on the processing of personal data when necessary. The Client shall be liable for any additional costs incurred by the Processor as a result of complying with the Client's new or amended written instructions.
The Processor’S Obligations
The Processor:
- processes the personal data only as agreed in the Agreement and the DPA and in accordance with any separate instructions provided by the Controller in writing, unless otherwise required by applicable legislation. In such a case, the Processor informs the Controller of the requirement in question, unless the provision of such information is prohibited under the applicable law. For the avoidance of doubt it is noted that the Controller is considered to have instructed the Processor in writing to carry out processing pursuant to the DPA and the Processor shall be responsible for the lawfulness of the processing operations carried out;
- assists the Controller with the appropriate technical and organisational measures to fulfil the Controller’s obligation to respond to requests concerning the exercise of the rights of the data subject provided in Chapter III of the GDPR or the equivalent rights provided in Data Protection Legislation. The Processor is entitled to charge for such assistance.
- takes all measures required in Article 32 of the GDPR; and
- helps the Controller to ensure compliance with the obligations provided in Articles 32–36 of the GDPR or equivalent obligations in Data Protection Legislation, considering the nature of the processing and the information available to the Processor. The Processor is entitled to charge for such assistance.
Data Security
The Processor undertakes to adopt the technical and organisational measures generally employed in the industry to protect personal data against unauthorised or unlawful processing or access.
The Processor must ensure that the people with access to personal data process said personal data only in accordance with the DPA and instructions provided by the Controller, unless otherwise required by Data Protection Legislation. The Processor must furthermore ensure that the persons with the right to process personal data have signed a confidentiality undertaking or that they are bound by an appropriate statutory secrecy obligation.
Notification Obligation
If the data subjects or a competent authority make a request concerning personal data, including a request concerning the restriction, erasure or alteration of personal data, the provision of data or the performance of other measures, the Processor must, without undue delay, inform the Controller of the request in question prior to responding to the request or any measure aimed at the personal data or as soon as reasonably possible after having responded to such a request, whenever the applicable legislation requires an immediate response to such a request. The Processor may correct, erase, alter or restrict only the personal data it processes on behalf of the Controller in accordance with the applicable instructions of the Controller or when Data Protection Legislation so requires.
Communication Concerning Personal Data Breach
The Processor must communicate to the Controller via email and by phone or, should these be out of order, in some other applicable way, without undue delay, a personal data breach that has come to its attention, i.e. a breach which results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The personal data breach notification shall contain at least the following information:
- description of the personal data breach, including, where possible, the categories and estimated numbers of data subjects concerned and the categories and estimated numbers of categories of personal data;
- communicate the Processor's contact point from which additional information can be obtained;
- describe the probable and / or actual consequences of the personal data breach; and
- describe the measures taken as a result of the personal data breach and mitigate its possible adverse effects.
The Processor must document all personal data breaches in its area of responsibility and keep the documentation available to the Client upon request.
Each Party shall make in its own area of responsibility all necessary measures to protect personal data after becoming aware of the breach.
The Parties will cooperate with each other and with any third parties designated by the Client to respond to the personal data breach. The purpose of responding to a breach is to restore the confidentiality, integrity and availability of the services, to identify the underlying causes and remedies of the breach, and to minimize any harm occurred to the Parties or data subjects.
Cessation Of Personal Data Processing
The Processor must either erase all personal data, including log data, or return the data to the Controller or a third party named by the Controller pursuant to a written request by the Controller when this DPA ends, the provision of services pursuant to the Agreement comes to an end or when the Controller presents a written request on the matter, unless otherwise provided in the applicable legislation. The Processor shall provide the Client with proof that the deletion or recovery of the data has been carried out and upon receipt of the Client's written request to that effect, provide the Client with a written confirmation that the personal data and any copies thereof may have been permanently destroyed.
Transfers Of Personal Data
The Processor is entitled to transfer personal data to a third country outside the EU or the EEA in compliance with the Data Protection Legislation. The Processor shall implement applicable safeguards to ensure a high level of data protection in such transfers, comparable with the level of protection afforded to personal data in the European Union in accordance with Data Protection Legislation. The Processor shall notify to the Controller in writing without undue delay the locations where personal data is stored, accessed or otherwise processed on behalf of the Controller.
Subcontractor | Location of data | Safeguard mechanism for processing of personal data |
---|---|---|
Stripe |
Stripe Technology Europe, Limited (Ireland) and Stripe Payments Europe, Limited (Ireland) Stripe, Inc Registered office: Corporation Trust Center, 1209 Orange Street, Wilmington, New Castle, DE 19801, USA Contact details: Stripe Privacy Team, privacy@stripe.com |
EU-US Data Privacy Framework Program Data Processing Agreement between Stripe and Stripe User |
WorkOS |
WorkOS Inc. (US) Contact details: support@workos.com |
Standard Contractual Clauses Data Processing Addendum (workos.com) |
Subcontractors
The Processor has the right to use subcontractors in the processing pursuant to this DPA. The Processor shall inform in writing of the subcontractors it uses including the subcontractors’ contact details and each location where the personal data is processed.
Before changing any subcontractors participating in the processing of personal data or engaging new subcontractors, the Processor shall notify the Controller of any intended changes of subcontractors. If the Controller does not object by terminating the Agreement within sixty (60) days from the date on which the Processor informed the Controller, then the Controller is deemed to have accepted the change.
The Processor shall monitor the activities of its subcontractors. The Processor shall ensure that the subcontractors comply with the same data protection obligations as the obligations of the Processor under this DPA and Data Protection Legislation.
Right To Audit
The Processor is obligated to make all information necessary to show compliance with the obligations set out in this DPA and in Data Protection Legislation available to the Controller. The Processor must inform the Controller immediately if the Processor deems the Controller’s instructions to violate Data Protection Legislation.
The Controller and/or an independent expert with sufficient expertise and procedures appointed by the Controller has the right, once a year during the validity of this DPA at the maximum, to audit the technical and organizational security measures as well as compliance with other data protection obligations agreed under the DPA. The Processor must always be informed of the audit and the designated auditor in writing no later than sixty (60) calendar days in advance.
If a competent supervisory authority presents an inspection request concerning either Party, the other Party must help in the inspection in question.
Each Party is responsible for its part for the audit costs or costs due to the inspection of the authority.Responsibilities, Claims Made By Data Subjects And Liability For Administrative Fines
The Parties agree that the apportionment of liability between the Parties with regard to any administrative fines imposed by a competent supervisory authority and based on any claims for damages presented by a data subject is based on the principle that the Parties are responsible for fulfilling their respective obligations pursuant to Data Protection Legislation, and that any administrative fines imposed by an authority or damages paid to a data subject are to be paid by the Party which has failed to fulfil its legal obligations based on Data Protection Legislation.
In case any administrative fines or damages are a result of or influenced by the previous or current negligence of the other Party, such Party shall be liable for fines or damages for its part.
The Processor shall be liable for the direct damage caused to the Client by the breach of this Data Processing Agreement for a maximum amount corresponding to the sales prices charged for the services under the Agreement during the 12 months preceding the breach of contract.
Neither Party shall be liable to indemnify the other Party for consequential damages such as lost operating profit or reputational damage.
Confidentiality
The Processor undertakes to keep all personal data processed on the basis of the Agreement and DPA confidential.
Communications And Notifications
A communication concerning a personal data breach must be sent to the email address and phone number stated in Appendix 1 or an email address and phone number indicated by the Controller at a later date.
All other notifications related to this DPA are considered as having been delivered validly if they are delivered as a registered letter or via courier or email the ad or the addresses indicated by a Party at a later date.
Inconsistencies
In the event of inconsistencies between the Agreement or its appendices and this DPA, the provisions of this DPA shall prevail.
Term Of Agreement And Termination Of Agreement
This DPA applies upon the provision of Doctave’s services defined in the Agreement.
This DPA remains in force for as long as the Agreement is valid, after which this DPA and the processing of personal data shall cease automatically.
If either Party is in material breach of this DPA and fails to execute the necessary remedial measures (provided that the breach can be remedied) within thirty (30) days of having received a written notification thereof, with an express reference to this DPA, the other Party has the right to terminate the Agreement with immediate effect.
Obligations which, due to their nature, are meant to remain valid despite the termination of this DPA shall remain in force following the termination of the DPA.
Duration Of The Processing Of Personal Data
The Processor processes personal data on behalf of the Controller for as long as the Data Processing Agreement is valid.
Applicable Law And Settlement Of Disputes
This DPA is governed by Finnish law, excluding its conflict of laws rules.
Any disputes are settled at the venue agreed in the Agreement.
Appendix 1 To The Data Processing Agreement
The Target, Nature And Purpose Of The Processing
Personal data is processed by the Processor in order to provide Docs-as-code software services to the Controller.
Duration Of The Processing
The Processor processes personal data as long as the DPA is in force.
Categories Of The Data Subjects
Customers of Controller
Types Of The Personal Data
- Contact information, such as name, address, e-mail
- IP address
Contact Information For Notifying Personal Data Breaches
Controller: The Controller shall provide their contact information separately.
Processor: Doctave Oy, info@doctave.com , phone: +358405772541