Data processing agreement
This Data Processing Agreement (“DPA”) reflects the parties’ agreement with respect to the terms governing the Processing of Personal Data under the TrustFeed terms of service (the “Agreement” or “Terms of Service”) between you (“Controller”) and TrustFeed (“Processor”).
71-75 Shelton Street
This DPA is an amendment to the Agreement and is effective upon its incorporation into the Agreement, which incorporation may be specified in the Agreement, an Order or an executed amendment to the Agreement. Upon its incorporation into the Agreement, the DPA will form a part of the Agreement.
Controller’s instructions for processing of PII shall comply with all applicable privacy and data protection laws and regulations, including the GDPR.
Controller shall have sole responsibility for the quality, accuracy and legality of PII and the way by which Controller acquired PII.
The details of the processing activities to be carried out by Processor in respect of the Services are specified in Appendix I.
Processor shall assist Controller, by using appropriate technical and organizational measures, in the fulfillment of Controller’s obligations to respond to requests by data subjects in exercising their rights under applicable data protection laws and regulations.
Processor shall ensure that any personnel whom Processor authorizes to process Personal Data on its behalf are subject to confidentiality obligations with respect to that Personal Data. The undertaking of confidentiality shall continue after the termination of the above-entitled activities.
Processor will notify the Controller as soon as practicable after it becomes aware of any Personal Data Breach affecting any Personal Data. At the Controller’s request, Processor will promptly provide the Controller with all reasonable assistance necessary to enable the Controller to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Controller is required to do so under the Data Protection Law.
Processor will maintain written records of its data processing activities. These records include, for instance, Processor’s and Controller’s contact details, details of data protection officers (where applicable), the categories of processing, transfers of PII across borders and the technical and organizational security measures implemented by the Processor. Upon request, Processor will provide an up-to-date copy of these records to Controller.
Controller acknowledges and agrees to (a) the engagement as sub-Processors of Processor’s affiliated companies and the third parties listed in Appendix II, and (b) that Processor and Processor’s affiliated companies respectively may engage third-party sub-Processors in connection with the provision of the Subscription Service, which Processor may update from time to time, subject to Controller’s prior notification. Such sub-processors shall be bound by data protection obligations no less protective than those in this Agreement to the extent applicable to the nature of the Services provided by such sub-processor.
Processor will assist Controller in ensuring compliance with Controller’s obligations related to the security of the processing, notification and communication of Data Breaches, conduct of data protection impact assessments and any inquiry, investigation or other request by a supervisory authority.
Processor shall notify the Controller where Processor believes that an instruction would result in a violation of any applicable data protection laws and regulations.
Processor will make available to Controller, upon request, information necessary to demonstrate compliance with the obligations mentioned in this Agreement.
Audits. Processor shall, in accordance with Data Protection Laws and in response to a reasonable written request by Controller, make available to Controller such information in Processor’s possession or control related to Processor’s compliance with the obligations of data processors under Data Protection Law in relation to its Processing of Personal Data. Controller may, upon written request and at least 30 days’ notice to Processor, during regular business hours and without interrupting Processor’s business operations, conduct an inspection of Processor’s business operations or have the same conducted by a qualified third party auditor subject to Processor’s approval, which shall not be unreasonably withheld. Processor shall, upon Controller’s written request and on at least 30 days’ notice to the Processor, provide Controller with all information necessary for such audit, to the extent that such information is within Processor’s control and Processor is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.
Processor shall implement and maintain all technical and organizational measures that are required for protection of the PII and ensure an appropriate level of security for dealing with and protecting against any risks to the rights and freedoms of the data subjects, and as required in order to avoid accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, PII and/or as otherwise required pursuant to the GDPR including, among other things, the measures set forth in Appendix III. When complying with this Section 12.1, Processor shall take into consideration the state of technological development existing at the time and the nature, scope, context and purposes of processing as well as the aforementioned risks.
Processor shall regularly monitor its compliance with this Agreement and will provide Controller, upon request, with evidence that will enable verification of such monitoring activities. Processor shall promptly implement all changes to Appendix III, as requested by Controller. Processor shall ensure that all persons acting under its authority or on its behalf and having access to the PII, do not process the PII except as instructed by Controller and permitted herein.
Controller acknowledges and agrees that, in connection with the performance of the services under the Agreement, Personal Data will not be transferred to a recipient located in a country that is not a Member State of the European Union or European Economic Area, unless that country is considered by the European Commission to have an adequate level of protection or the transfer is made pursuant to the EU standard contractual clauses for the transfer of personal data to processors established in third countries (Commission Decision 2010/87/EC) entered into before such transfer.
On the Controller’s request, Processor shall return or destroy PII to the extent allowed by applicable law.
- Nature, purpose and subject matter of the Processing. The nature, purpose and subject matter of the Processing is the provision of TrustFeed Services mentioned in the Terms of Service.
- Categories of Data Subjects. Users that purchased products and/or services from Controller or submitted a review via the TrustFeed widget that is installed on the Controller website.
- Email address, Full (first and last) name and IP address.
Microsoft Azure, SendGrid.
- The pseudonymisation and encryption of PII.
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore the availability and access to PII in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.