Data Processing Agreement

Last updated: 2023-03-26

for SaaS First, provided by GBD Software as a Service Private Limited Company

 

Definitions

Background of Data Processing

Obligations of the Controller

Nature and purpose of Data Processing

Types of Personal Data, subjects of processing

Duration of processing

Use of processors

Returning or deletion of personal data

Security of the processing

Assistance

Personal Data breach

Liability

General Rules

 

entered into on (date) by and between

 

GBD Software as a Service Private Limited Company, a company incorporated under the laws of Hungary, seated: Szikra tanya 93., Lakitelek, 6065, Hungary. Tax number: HU27325162, Company Reg. Number: 03-10-100682 (collectively referred to as: “Processor”, “Provider”, “we”, or “us”), and

Company name (address) (collectively referred to as: “Controller”, or “you”).

Controller and Processor are hereinafter also jointly referred to as “Parties” and each separately as a “Party”.

 

The Data Processing Agreement (collectively referred to as: “Agreement”) forms part of the Terms of Service (collectively referred to as: “Terms of Service”) by and between the Parties and is subject to the Terms of Service. In the event of any discrepancy between the Terms of Service and this Agreement, the provisions of this Agreement relating to personal data protection shall prevail.

The service provided by the Provider to the Controller may require the Provider to process Personal Data (as defined below). The Parties wish to ensure that the processing of Personal Data is in conformity with the applicable laws, in particular with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) – from the moment it applies – and with other applicable personal data protection laws.

For the purposes of this Agreement, the Controller is the controller of the Personal Data and Provider is the processor of such data, except when the Controller acts as a processor of the Controller’s Personal Data, in which case Provider is a sub-processor. The detailed scope of Personal Data and the categories of data subjects are as defined below.

 

It is agreed that by signing (accepting) this Data Processing Agreement, any previous Data Processing Agreements between the Controller and the Processor are terminated with immediate effect. Nothing within this Agreement relieves either the Processor or the Controller of its own direct responsibilities and liabilities under the GDPR.

By entering into this Data Processing Agreement and by using our Service, you engage the Processor to process the personal data necessary to provide you with the Service, on the terms and conditions stipulated in the Terms and Conditions and the Privacy Policy, including their Annexes, which constitute an integral part of this Agreement.

Definitions

As per our Terms of Service.

 

Background of Data Processing

This Data Processing Agreement applies exclusively to the processing of Personal Data that is subject to EU Data Protection Law in the scope of the Terms of Service and this Data Processing Agreement of even date hereof between the parties for the provision of the Service.

 

Pursuant to Article 28 (3) of the GDPR, the Controller engages Provider in processing the Personal Data and Provider hereby accepts the processing. This Agreement sets out certain information regarding the processing of the Personal Data as required by the GDPR.

 

The Parties have entered into this Data Processing Agreement in order to benefit from the expertise of the Processor in processing the Personal Data for the purposes set out below and in the Terms of Service. The Processor shall be allowed to exercise its own discretion as it considers necessary to pursue those purposes, subject to the requirements of this Data Processing Agreement and the Terms of Service.

 

The Processor provides the Controller with whatever information it needs to ensure that both Parties meet their obligations under the GDPR. The Controller is responsible for upholding Data Subjects’ rights. The Processor assists the Controller in allowing Data Subjects to exercise their rights.

Obligations of the Controller

  • The Controller warrants that it has all necessary rights to provide the Personal Data to the Processor for the Processing to be performed in relation to the Services.

  • To the extent required by applicable data protection law, the Controller is responsible for ensuring that any necessary data subject consents to this processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by the data subject, the Controller is responsible for communicating the fact of such revocation to the Processor, and the Processor remains responsible for implementing any Controller instruction with respect to the further processing of that Personal Data.

  • The Controller hereby warrants that it has provided clear and transparent information to its clients (in the Terms of the Controller, named “Customers”) about the purposes and legal basis of processing their personal data, the categories of data processed, the recipients of the data, the retention period of the data, and the rights of the clients under the GDPR.

  • This processing includes:
    • transferring Customers’ Personal Data to the United States;
    • transferring Personal Data to OpenAI (ChatGPT) for analysis based on customer behavior and interactions with the chatbot, in order to create more detailed user profiles;
    • running JavaScript on the Controller’s website, which collects Personal Data about the visitors of the site.

  • The Controller also warrants that it has informed its clients about the usage of this processing service and obtained their consent or other lawful basis for sharing their personal data with this service. The Controller acknowledges that it is liable for complying with the GDPR obligations regarding informing and protecting its clients’ personal data.

 

  • The Controller must have a legal basis before beginning processing and should document it. The Processor reserves the right to ask the Controller for its documented lawful basis for processing. If requested, the Controller must present its documented lawful basis for processing immediately, and in any case within 48 hours.

  • The Controller represents and warrants that, while using the Service, it will not upload to the website – or to any omnichannel surfaces provided by the Processor – any special categories of personal data or any personal data that the Controller has no lawful basis to process. Special categories of personal data are covered by Article 9 (1) of the GDPR and include, but are not limited to: any government-issued identification number; credit or debit card details or financial account numbers, with or without any code or password that would permit access to the account; or information on race, religion, ethnicity, sex life or practices or sexual orientation, medical or health information, genetic or biometric information, biometric templates, political or philosophical beliefs, political party or trade union membership, or information on any judicial or administrative proceedings.

  • The Controller acknowledges that it is its responsibility to maintain and promptly keep the account and Customer information true, accurate, current, and complete, and also to maintain the security of its account and the API key assigned to it.

  • The Controller warrants that it will keep its suitably complex password and its API key confidential, and that it will change its password at a safe interval, in order to avoid any possibility of data breaches.

Nature and purpose of Data Processing

 

The purpose of processing Personal Data is the performance of the Service as set out in the Terms of Service, which includes the following processing activities: collection, recording, storage, adaptation, alteration and backing up of Personal Data, as well as other activities required to provide the Service.

Types of Personal Data, subjects of processing

Please see our Privacy Policy for details.

 

Duration of processing

 

The Processor will only process the Personal Data in accordance with the Service as set out in the Terms of Service and for the duration of the Terms of Service, except as required to comply with a legal obligation to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal obligation before processing, unless that law explicitly prohibits the furnishing of such information to the Controller.

The Processor will keep the Account Data and Personal Data you provided for up to 12 months after we stop providing our services to our Users, and will permanently delete all such records and Personal Data after this period.

One month before the deletion of the account, we send a reminder by email asking you whether you wish to continue using our services.

Please see our Privacy Policy for details.

 

Use of processors

 

To ensure proper provision of the Service, Controller authorizes Processor to engage other processors for carrying out processing activities.

 

For the avoidance of doubt and without limiting the general authorization granted to Processor in the preceding sentence, the Controller agrees to the sub-processors listed currently in our Privacy Policy.

 

The Processor may engage further sub-processors and disclose the Personal Data to a sub-processor with the prior consent of the Controller. Consent is considered validly given if the Processor updates its Terms of Service or Privacy Policy and the Controller continues using the Service.

In the event of sub-processing, the Processor warrants that the processing activity is carried out in accordance with this Data Processing Agreement, under a written agreement with the sub-processor providing at least the same level of protection and confidentiality for the Personal Data and the rights of data subjects as the Processor provides under these clauses.

Please see our Privacy Policy for details.

Returning or deletion of personal data

 

In line with Recital 81 GDPR, after the completion of the processing on behalf of the Controller, the Processor should, at the choice of the Controller, return or delete the Personal Data, unless there is a requirement to store the personal data under Union or Member State law to which the Processor is subject.

 

Upon termination of this Data Processing Agreement, upon the Controller’s written request, or upon fulfillment of all purposes agreed in the context of the Service whereby no further processing is required, the Processor shall, at the discretion of the Controller, either delete, destroy, or return all Personal Data to the Controller and destroy or return any existing copies.

 

The Processor shall notify all third parties supporting its own processing of the Personal Data of the termination of the Data Processing Agreement and shall ensure that all such third parties shall either destroy the Personal Data or return the Personal Data to the Controller, at the discretion of the Controller.

The Controller has the right to delete personal data and files at any time. In order to ensure the proper functionality of the Processor’s systems, the files remain in backups for 5 further days after deletion.

The Processor may be allowed to retain Personal Data for a longer period, and the Processor may be obliged to retain Personal Data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority.

 

Once the retention period expires, Personal Data shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.

 

Please see our Privacy Policy for details.

Security of the processing

 

The Processor takes appropriate measures to ensure the security of Data Processing. In order to prevent unauthorized use and misuse of Personal Data, the Processor has implemented comprehensive technical and operational security measures. The Processor undertakes that its security procedures are regularly reviewed and improved in line with technological developments and with Article 32 of the GDPR, and include the following:

  • The Processor protects the security of the Personal Data while it is being transmitted by using a secure connection.
  • The data is processed automatically on the Processor’s servers, without human interaction. At the Controller’s request, or in certain cases where the Processor needs to review user activities, the Processor’s staff have the right to review files uploaded to, and result files provided on, the Processor’s Website. Where the Processor needs to investigate a complaint, the Processor has the right to process or re-process data in its system.
  • All contractors of the Processor accessing Personal Data are required to sign a non-disclosure agreement and a data processing agreement.
  • Without prejudice to any existing contractual arrangements between the Parties, the Processor shall treat all Personal Data as strictly confidential and shall inform all its employees, agents and/or sub-processors engaged in processing the Personal Data of the confidential nature of the Personal Data. The Processor shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound by a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
  • The Processor regularly monitors its systems for possible vulnerabilities and attacks and carries out penetration testing to identify ways to further strengthen security.
  • The Processor completes data protection impact assessments at least once a year and takes the necessary actions to improve data security if any areas for improvement are found.

The Processor will keep all Personal Data confidential and will not disclose such data to third parties except as expressly provided herein, unless authorized by the Controller or required by law. The Processor undertakes to make Personal Data known only to those who need to know it, and at the same time undertakes that such persons are fully aware of the obligations of the Processor arising from this Agreement and that they assume the same obligations as those set out in this Agreement. The Processor acknowledges that its obligations regarding Personal Data, and the non-disclosure and non-use of such information, will continue to apply if this Agreement or the Terms of Service expire or are replaced for any reason.

Assistance

 

The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Controller’s obligation to respond to requests for the exercise of data subjects’ rights under the GDPR.

The Processor shall assist the Controller in replying to requests received from data subjects. If the Processor receives a complaint, inquiry or request relating to the Controller’s Personal Data directly from a data subject, the Processor will notify the Controller within 15 days of receipt of the complaint, inquiry or request.

The Processor shall make available to the Controller on reasonable request, information that is reasonably necessary to demonstrate the Controller's compliance with this Agreement and shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller in relation to the processing of the Controller's Personal Data. The Controller shall be responsible for any costs and expenses of the Processor arising from the provision of such information and audit rights.

 

The Processor shall assist the Controller in ensuring compliance with its obligations and prior consultations with supervisory authorities required under Article 36 of the GDPR taking into account the nature of processing and the information available to the Processor.

 

Personal Data Breach

 

The Processor will notify the Controller about any Personal Data breaches – including but not limited to accidental or unlawful access or disclosure – within 48 hours of becoming aware of the breach.

 

When the Processor becomes aware of an incident that impacts the processing of the Personal Data that is the subject of this Data Processing Agreement, it shall promptly notify the Controller about the incident, shall at all times cooperate with the Controller, and shall follow the Controller’s instructions with regard to such incidents, in order to enable the Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.

 

The terms “breach” and “incident” as used in this section shall be understood to include, but not be limited to, the following cases:

  • a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law;
  • an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent;
  • any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data;
  • any breach of the security and/or confidentiality of this Data Processing Agreement leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place;
  • where, in the opinion of the Processor, implementing an instruction received from the Controller would violate applicable laws to which the Controller or the Processor are subject.

Liability

 

The Controller represents and warrants that it will (a) ensure that all data provided by it and its activities under the Terms of Service comply with all applicable laws and regulations, including the Controller’s national law; (b) obtain and maintain all licenses, consents and permits necessary for the Processor, its contractors and affiliates to use the data that the Controller supplies in accordance with the Terms of Service and with this Agreement; and (c) assume sole responsibility for its and its users’/contacts’ use of Process Data obtained from the use of the Service, and for conclusions drawn from such use.

The Processor shall not be liable for any of the Controller’s claims, damages, losses, expenses, costs or other liability in the event of Personal Data breach or loss under any circumstances.

 

The Controller agrees to indemnify, defend, and hold the Processor harmless from and against any and all claims of Personal Data subjects in connection with any damage arising from improper processing of Personal Data. The Controller shall unconditionally indemnify the Processor and hold it harmless in respect of any claims filed by the entities whose Personal Data has been processed under this Agreement, and in connection with the processing of such data. If an action is brought against the Processor, the Controller shall, if so required by the Processor, join the proceedings as a party and assume full liability for the claim.

General Rules

 

This Data Processing Agreement shall come into effect on the date the Controller electronically accepts this Data Processing Agreement. If both parties agree to the Agreement, it is effective immediately after signature.

 

Either Party may terminate this Agreement by giving the other Party 1 week’s notice in writing.

The Parties may amend the Agreement from time to time, as the Parties may reasonably consider necessary to meet the requirements of the GDPR.

 

In the event of any dispute, claim, question, or disagreement arising from or relating to this Agreement, whether arising in contract, tort or otherwise, the parties shall first use their best efforts to resolve the Dispute. If a Dispute arises, the complaining party shall provide written notice to the other party in a document, specifically setting forth the precise nature of the dispute. If a notice is being sent to Provider it must be emailed to [email protected] and sent via mail to: GBD Consulting and Services Private limited company by shares at: Szikra tanya 93., Lakitelek, 6065, Hungary.

 

In the event that a dispute between the Parties cannot be settled, the Parties agree to submit the dispute to binding arbitration under Hungarian law and before the Hungarian Courts; the language to be used in the arbitral proceedings shall be English.

Effective upon acceptance.