This Data Processing Agreement (hereinafter: “DPA”) forms an integral and inseparable part of the Agreement concluded between Booqable, (hereinafter: “Processor”) and the Customer (hereinafter: “Controller”) regarding the use of the Services;
hereinafter jointly referred to as “Parties” and separately “Party”;
taking into account that:
- Controller has access to the personal data of various individuals (hereinafter: “Data Subjects”);
- Controller wants Processor to execute certain types of processing in accordance with the Agreement;
- in this DPA, Parties assume the meaning of the definitions as described in the General Data Protection Regulation (hereinafter: “GDPR”);
- during the execution of the Agreement, Processor may process personal data within the meaning of article 4.1 of the GDPR at the Controller’s behest;
- Controller is considered to be a controller within the meaning of article 4.7 of the GDPR;
- Processor is considered to be a processor within the meaning of article 4.8 of the GDPR;
- the GDPR imposes an obligation on the Controller to ensure that the Processor provides sufficient guarantees with regard to the technical and organizational security measures with regard to the processing to be carried out;
- in addition, the GDPR imposes an obligation on Controller to ensure compliance with these measures;
Parties wish to set out their rights and obligations in writing by means of this DPA with due observance of the requirements of article 28.3 of the GDPR.
1. Purpose of processing
1.1. Processor agrees, under the terms of this Data Processing Agreement, to process personal data on behalf of Controller. Processing shall be done solely for the purpose of the Agreement and all purposes compatible therewith or as determined jointly. Moreover, processing may be done on the basis of a legal obligation.
1.2. The processing relates to the purposes as determined by Controller, in regard to the categories of personal data and Data Subjects as set out in Appendix A to this Data Processing Agreement.
2. Processor obligations
2.1. Processor shall only process the personal data for the purposes as mentioned in article 1 of this Data Processing Agreement.
2.2. Regarding the processing operations as referred to in article 1, Processor shall comply with the GDPR.
2.3. Processor shall inform Controller if in its opinion an instruction of Controller would violate the applicable legislation regarding the processing of personal data or is otherwise unreasonable.
2.4. Processor shall, insofar as this is within its control and as far as necessary, provide assistance to Controller to fulfill Controller’s legal obligations under the GDPR. This concerns the provision of assistance in the fulfillment of its obligations under Articles 32 to 36 of the GDPR.
2.5. All obligations of Processor under this Data Processing Agreement shall apply equally to any persons processing personal data under the supervision of Processor, including but not limited to employees.
3. Confidentiality obligations
3.1. Processor shall maintain the confidentiality of personal data provided by Controller. Processor ensures that the persons who are authorized to process the personal data are contractually obliged to maintain the confidentiality of the personal data which he or she is handling.
3.2. The confidentiality obligation shall not apply to the extent Controller has granted explicit permission to provide the information to third parties, the provision to third parties is reasonably necessary considering the nature of the assignment to Processor or the provision is legally required.
4. Notification and communication
4.1. Controller is responsible at all times for notification of any personal data breaches, as referred to in Article 4 paragraph 12 of the GDPR (hereinafter: “Personal Data Breach”), to the competent supervisory authority, and for possible communication about the Personal Data Breach to Data Subjects.
4.2. In order to enable Controller to comply with this legal requirement, Processor shall notify Controller without undue delay and, in any case, within a maximum period of 48 hours, after discovering a Personal Data Breach. Processor will take reasonable measures to limit the consequences of the Personal Data Breach and to prevent further and future Personal Data Breaches.
4.3. A notification under the previous clause shall be made at all times, but only for actual Personal Data Breaches.
4.4. If necessary and reasonable, Processor will provide assistance to Controller, taking into account the reasonableness of the request, the nature of the processing, and the information available to it, in regard to (new developments about) the Personal Data Breach.
4.5. The notification to Controller shall include, as far as known at that moment, at least:
a. the nature of the Personal Data Breach;
b. the (likely) consequences of the Personal Data Breach;
c. the categories of personal data concerned;
d. if and which security measures have been taken to protect the personal data;
e. the measures taken or proposed to be taken to address the Personal Data Breach and prevent future Personal Data Breaches;
f. the categories of Data Subjects concerned;
g. approximate number of Data Subjects concerned; and
h. where necessary the deviating contact details to address the notification.
5. Rights of Data Subjects
5.1. In the event a Data Subject makes a request to exercise his or her legal rights under the GDPR (Articles 15-22) to Processor, Processor shall pass on such request to Controller within a maximum period of three working days after the request was received. Processor may inform the Data Subject of such request being forwarded. Controller will then further process the request independently.
5.2. In the event that a Data Subject makes a request to exercise his or her legal rights to Controller, Processor will, if Controller requires this, cooperate as far as possible and reasonable.
6. Security measures
6.1. Processor shall use reasonable efforts to implement appropriate technical and organizational measures to secure the processing operations involved, against loss or any form of unlawful processing (in particular against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed).
6.2. Processor shall use best efforts to ensure a level of security appropriate to the risk taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
6.3. Controller shall only provide personal data to Processor for processing if it has ensured that the required security measures have been taken.
7.1. Controller has the right to verify compliance by Processor, of all points under this Data Processing Agreement, by means of an audit performed by an independent third party, who is bound by confidentiality obligations. The audit may only be performed in case of a reasonable and well-founded suspicion of violation of this Data Processing Agreement, which is communicated in writing to Processor, and may be carried out once a year.
7.2. If an independent third party has already carried out an audit in the past year, Processor can fulfill its obligation by giving access to the relevant parts of the audit report of that year, only if a verification of compliance of the obligations of Processor in this Data Processing Agreement is requested within the same year.
7.3. Processor and Controller jointly decide a date, time and scope of the audit.
7.4. Processor shall give its full cooperation to the audit and shall make available any employees and all reasonably relevant information, including supporting data such as system logs.
7.5. The audit findings shall be assessed by the Parties in joint consultation and may or may not be implemented by either Party or jointly.
7.6. The costs of the audit shall be borne by Processor in case the audit reveals discrepancies in the compliance of Processor to this Data Processing Agreement, which are directly attributable to Processor. In all other cases the costs of the audit shall be borne by Controller.
7.7. The audit and the results thereof will be treated confidentially by Controller.
8. Involvement of subprocessors
8.1. Controller authorizes Processor to involve subprocessors in providing the services under this Data Processing Agreement.
8.2. A list of the subprocessors engaged by Processor at the time of entering into this Data Processing Agreement is set out in Appendix B of this Data Processing Agreement.
8.3. An up-to-date list of the subprocessors engaged by Processor is available on https://booqable.com/security/. In addition, Processor will notify Controller of any update.
8.4. Controller is entitled to object in writing on reasonable grounds to a specific new, or changing of, subprocessor(s) within two weeks after Processor has sent the notification. If Controller makes an objection, the Parties will consult to reach a solution.
8.5. Processor imposes at least the same obligations on the engaged subprocessor(s) as agreed between Controller and Processor in this Data Processing Agreement.
8.6. Processor shall ensure that these third parties shall comply with the obligations under this Data Processing Agreement and is liable for any damages caused by violations by these third parties as if it committed the violation itself.
9. Transfer of personal data
9.1. Processor may process the personal data in any country within the European Economic Area (EEA).
9.2. In addition, Processor may transfer the personal data to a country outside the EEA, provided that country ensures an adequate level of protection of personal data and complies with other obligations imposed on it under this Data Processing Agreement and the GDPR, including the availability of appropriate safeguards and enforceable Data Subject rights and effective legal remedies for Data Subjects.
9.3. Controller hereby authorizes Processor to, where necessary, enter into a model contract in the name of Controller concerning the transfer of personal data from a controller located within the European Union to a processor in a third country, in accordance with the Commission Decision of 5 February 2010 (2010/87/EU) or the law in force at that time.
9.4. A list of the processing locations at the time of entering into this Data Processing Agreement is set out in Appendix B to this Data Processing Agreement.
9.5. An up-to-date list of the processing locations is available on https://booqable.com/security/.
10.1. Parties explicitly agree that regarding liability, the provisions as laid down in the Terms and Conditions apply.
11. Term and termination
11.1. This Data Processing Agreement is entered into for the duration set out in the Agreement.
11.2. Derogations from this Data Processing Agreement shall be binding only if they have been expressly agreed in writing between the Parties.
11.3. If changes in legislation or regulations give cause for changes, this shall be assessed by the Parties in joint consultation and may or may not be implemented.
11.4. This Data Processing Agreement may be changed in the same manner as the Agreement.
11.5. Upon termination of the Data Processing Agreement Booqable shall, at the request, and at the expense, of Controller:
a. return to Controller in original format all personal data available to it; or
b. destroy all personal data available to it.
The following appendices have been added to the Data Processing Agreement:
- Appendix 1A: Specification of personal data and Data Subjects
- Appendix 1B: Subprocessors
Appendix 1A | Specification of personal data and Data Subjects
Processor shall process the following types of personal data, under the supervision of Controller, for the performance of the Agreement:
- Any kind of data stored in custom fields
- Any kind of data stored in notes
Of the following categories of Data Subjects:
Controller represents and warrants that the description of personal data and categories of Data Subjects in this Appendix 1A is complete and accurate and shall indemnify and hold harmless Processor for all faults and claims that may arise from a violation of this representation and warranty.
Appendix 1B | Subprocessors
The following Subprocessors are engaged by Booqable at the time of entering into this Data Processing Agreement:
- Heroku (hosting provider) - United States of America
- AWS EMEA SARL - Luxembourg
- Elasticsearch B.V. - Netherlands
- Coralogix - Israel - adequacy decision by the Commission
- Stripe - Ireland
- MemCachier - United States of America
- Pusher - England and Wales
- Redis Cloud - United States of America
- Segment - United States of America
- Intercom - Ireland
- Typeform - Spain
- Hotjar Limited - Malta
- Vitally - United States of America
- Postmark - United States of America
- LogRocket - United States of America
- Appsignal - The Netherlands
- Pusher Limited - United Kingdom
- NewRelic - United States of America
- Rollbar - United States of America
- Paypal - United States of America
- Apple - United States of America
An up-to-date list of Subprocessors engaged by Booqable is available on https://booqable.com/security/ or can be requested via firstname.lastname@example.org.