1. Introduction.
1.1 This Data Processing Agreement forms part of and is integrated into the Agreement between You and Us governing Our provision of Services to You. If and to the extent We Process Your Personal Data within the scope of the Agreement, this Data Processing Agreement including its Annexes (collectively, the "DPA") shall apply to such Processing activities.
1.2 "Controller", "Processor", "Data Subject", "Commercial Purpose", "Sell", and "Process/Processing/Processed" shall have the meanings given in applicable Data Protection Laws. If and as may be defined under applicable Data Protection Laws: the term "Personal Data" shall be deemed to include concepts of "Personal Information" or "Personally Identifiable Information"; the term "Data Subject" shall be deemed to include concepts of "Principal" or "Consumer"; the term "Controller" shall be deemed to include "Personal Information Handling Business Operator"; and the term "Processor" shall be deemed to include "Service Provider". Any capitalized terms not otherwise defined herein shall have the meaning ascribed to them in the Agreement.
1.3 By entering into the Agreement, You also enter into this DPA on behalf of Yourself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of Your Affiliates, employees and any third parties whose Personal Data You may provide Us in the context of the Services. You hereby authorize Us to Process such Personal Data in accordance with this DPA.
1.4 In case of any conflict, individual terms of this DPA shall take precedence over individual terms of the Agreement. Where individual terms of this DPA are invalid or unenforceable, the validity and enforceability of the other terms of this DPA shall not be affected.
2. Purpose and Scope.
2.1 With regard to the Processing of Personal Data, You are the Controller and determine the purposes and means of Processing of Personal Data. You appoint Us as a Processor. We shall Process Personal Data on Your behalf only for the purposes detailed in Annex I, unless we receive further documented instructions from You.
2.2 You shall be solely responsible for compliance with Your obligations as Controller under applicable Data Protection Laws, including, but not limited to, the lawful disclosure and transfer of Personal Data to Us.
2.3 Processing by Us shall only take place for the duration of the Services as specified in the Agreement.
3. Obligations of Processor.
3.1 We shall Process Your Personal Data only as set forth herein, unless otherwise required to do so under applicable Data Protection Laws. In such case, we shall inform You of the legal requirement before Processing, unless such law prohibits Us from doing so. Subsequent instructions may also be given by You throughout the duration of the Processing of Your Personal Data, provided that such instructions are in the scope of the Agreement and documented.
3.2 We shall promptly inform You if, in Our opinion, instructions given by You infringe applicable Data Protection Laws. We shall be entitled to suspend performance against such instruction until You confirm or modify such instruction in accordance with all applicable Data Protection Laws.
3.3 We shall correct or erase Your Personal Data if instructed by You and where included in the scope of the instructions. Within thirty (30) days of the expiry of Your Subscription Term or termination of the Agreement for any reason, and at Your request, We will either (i) securely destroy or render unreadable, undecipherable, or unrecoverable or (ii) deliver to You or Your designees all Personal Data in Our possession, custody, or control, and certify such deletion upon Your request. This obligation shall not apply to the extent applicable Data Protection Laws or competent authority requires retention for a specified period, in which event We shall isolate and protect the Personal Data from any further Processing except and to the extent required by such law.
3.4 To the extent We receive data that cannot be associated with an identified or identifiable individual from or on Your behalf, We shall take reasonable measures to ensure that the data continues not to be associated with an identified or identifiable individual and shall not attempt to reidentify the data unless expressly directed otherwise by You.
3.5 We shall notify you if We are not able to comply with our obligations as set forth herein or under applicable Data Protection Laws.
3.6 When acting as Processor for the Personal Data, we shall not (i) Sell the Personal Data, (ii) retain, use or disclose the Personal Data for any Commercial Purpose, or (iii) combine the Personal Data with information received from another source.
3.7 Unless prohibited by applicable law, We shall promptly notify you on becoming aware of any notice, inquiry, investigation, audit, administrative sanction or fine by a supervisory authority, related to the Personal Data we Process on your behalf.
3.8 Taking into account the nature of the Processing and the information available to Us, if You request, We shall reasonably assist You in carrying out a data protection impact assessment in cases where the Processing is likely to result in a high risk to the rights and freedoms of natural persons, and shall reasonably assist You in any required consultations with a supervisory authority.
4. Security of the Processing.
4.1 We shall implement the technical and organizational measures specified at https://www.bloomfilter.ai/terms-and-conditions/. We reserve the right to update the measures and safeguards implemented, provided, however, that the level of security shall not materially decrease during Your Subscription Term.
4.2 In assessing the appropriate level of security, We shall take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing and the risks involved for the Data Subjects, as well as the likelihood and likely severity of any breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to the Personal Data ("Personal Data Breach").
4.3 Access to the Personal Data by Our personnel shall be strictly limited to those individuals who need such access to implement, manage and monitor the Services. Any personnel authorized to access the Personal Data have committed themselves to confidentiality obligations similar to the confidentiality terms of the Agreement or are under an appropriate statutory obligation of confidentiality.
5. Documentation and Audits.
5.1 We shall document Our compliance with the obligations agreed in this DPA.
5.2 Upon Your request, and subject to the confidentiality obligations set forth in the Agreement, We shall make available to You or Your independent third-party auditor information regarding Our compliance with the obligations set forth in this DPA in the form of the third-party certifications and audits.
5.3 If and only to the extent that the information made available to You, as per Clause 4 (b) above, cannot reasonably demonstrate Our compliance with the provisions of this DPA, You may request an on-site audit of the procedures relevant to the Processing activities by contacting isms@bloomfilter.ai. Such audit will be conducted upon 30 days' prior written notice, at most once per calendar year, during regular business hours, without interfering with Our operations, and subject to the execution of a confidentiality agreement. You may request more frequent audits only in the event We notify You of a Personal Data Breach that concerns your Personal Data or when a supervisory authority requires such an audit. Such an audit will be conducted by an independent third-party auditor reasonably acceptable to Us. Each party shall bear its own costs related to any audit. Before the commencement of an on-site audit, the parties shall mutually agree upon the scope, timing, and duration of the audit. You shall promptly provide Us with information regarding any noncompliance discovered during the course of an audit.
6. Use of Sub-Processors.
6.1 You hereby consent to the use of (i) BFilter, Inc. Affiliates and (ii) the sub-processors listed at https://www.bloomfilter.ai/terms-and-conditions/ in connection with Our performance under the Agreement, provided that (i) We are liable for the sub-processors' compliance with the obligations of this DPA, and (ii) where We engage a sub-processor, We shall do so by way of a binding contract which imposes on the sub-processor, in substance, the same data protection obligations as those contained in this DPA.
6.2 We shall notify You at least four (4) weeks before engaging any new sub-processor(s) under this DPA. You may object to any new sub-processor(s) on reasonable grounds related to applicable Data Protection Laws by providing written notice to Us within fourteen (14) days after having received such notice ("Objection Period"). If You do not object within the Objection Period, You shall be deemed to have consented to the new sub-processor. If You do object within the Objection Period, the parties will work together in good faith to find a functionally-equivalent and commercially-reasonable alternative to the new sub-processor. If a solution is not agreed between the parties within the Objection Period, You shall have the right to terminate the relevant Service by providing thirty days' prior written notice. In such event, We will refund You (or, in the case Your Subscription is purchased through an Authorized Reseller, arrange through such Authorized Reseller, the refund of) any prepaid Fees covering the remainder of the applicable Subscription Term and terminate Your access to and use of the affected Service for which You have received the refund.
7. International Transfers.
7.1 We will only transfer Personal Data outside the European Economic Area, Switzerland and the United Kingdom where We have complied with Our obligations under applicable Data Protection Laws, e.g. by implementing Standard Contractual Clauses in accordance with the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("Transfer Requirement"). In the event of any conflict or inconsistency between this DPA and any potential Transfer Requirement, the Transfer Requirement shall prevail.
7.2 In the event that applicable Data Protection Laws require additional terms between the parties related to a cross-border transfer of Personal Data, the parties will work together in good faith to execute such additional terms.
8. Data Subject Requests.
8.1 We shall promptly notify You of any request we receive from a Data Subject, provided We are able to correlate that Data Subject to You based on the information provided by the Data Subject. We shall not respond to the request, unless authorized to do so by You or required by Data Protection Laws.
8.2 Taking into account the nature of the Processing, We will reasonably assist You to fulfill Your obligations as Controller to respond to Data Subject requests.
8.3 Notwithstanding the foregoing, if a User of the BFilter, Inc. Online Training Cloud submits a Data Subject request, You agree that we can at Our option fulfill such request without Your further approval.
8.4 We shall not be liable in cases where You fail to respond to a Data Subject's request completely, correctly, in a timely manner, or otherwise in accordance with Data Protection Laws.
9. Personal Data Breach.
9.1 You shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Your Personal Data.
9.2 In the event of a Personal Data Breach, we shall cooperate with and reasonably assist You to comply with Your obligations under applicable Data Protection Laws, taking into account the nature of Processing and the information available to Us.
9.3 In the event of a Personal Data Breach by Us, We shall notify You without undue delay after becoming aware of the breach. Such notification shall contain, to the extent known: (a) a description of the nature of the breach (including, where possible, the categories and approximate number of Data Subjects and data records concerned); (b) the details of a contact point where more information can be obtained; (c) its likely consequences and the measures taken to address the breach.
9.4 You shall send the contact details of the person to notify in case of Personal Data Breaches to security-incident@bloomfilter.ai.
9.5 Where, and insofar as, it is not possible to provide all of the information specified in (b) above at the same time, the initial notification shall contain the information then-available and further information shall, as it becomes available, subsequently be provided without undue delay.
10. Final Provisions.
10.1 Each party's and all of its Affiliates' liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the 'Limitation of Liability' section of the Agreement.
10.2 This DPA constitutes the entire agreement between the parties regarding Our Processing activities, and supersedes all prior and contemporaneous agreements, proposals and representations, whether written or oral, concerning the subject matter hereof. We may update this DPA from time-to-time. Any revised version shall become effective upon renewal of Your Subscription under the Agreement.
10.3 If You are domiciled in the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom, this DPA is subject to the laws of the country in which You are domiciled. For all other cases, this DPA is subject to the laws applicable to the Agreement. For any disputes arising out of or in connection with this DPA, the parties submit to the exclusive jurisdiction of the courts established in the country whose laws govern this DPA.
Annex 1
Description of the Processing
Categories of Data Subjects whose Personal Data is Processed
- Employees of the Controller.
- Further categories of Data Subjects, depending on the Controller's use of the Services.
Categories of Personal Data Processed
- User Account related data such as name, username/ID, contact details, log and protocol data.
- Further categories of Personal Data, depending on the Controller's use of the Services.
Nature of the Processing
- Provision of the Cloud Service: The Cloud Service provides the tools to analyze Processes based on data from IT systems of the Controller. Personal Data is primarily used to provide access to the Service by the Processor. If Personal Data is used for application-related usage analysis, the data will be anonymized.
- Support Services: Personal Data of Controller's employees issuing Support Services requests ("tickets") may be Processed by Processor for the purposes of administering the Support Services. Processor's personnel may access Controller's instance on a case-by-case basis if requested by the Controller.
- Online Training Cloud: Controller's employees may participate in training provided by the Processor. In such cases, contact details and participation information, including training outcomes, will be Processed and used for interaction with the training participant as well as for reporting to the Controller.
- Professional Services: In the context of consulting, Processor's personnel may access Controller's instance on a case-by-case basis if requested by the Controller.
Purpose(s) for which the Personal Data is Processed on behalf of the Controller
- Rendering of the Services by the Processor to the Controller, as agreed in the Agreement between the parties.
- Processing initiated by Users in the course of their use of or access to the Services.
- Processing to comply with other reasonable and documented instructions provided by the Controller that are consistent with the terms of the Agreement.
Duration of the Processing
The duration of the Processing equals the applicable Subscription Term.