Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part
of Spyne’s Terms of Service (“Agreement”) between Eventila
technologies pvt ltd and the User. The User entered into this DPA on
behalf of itself. The purpose of this DPA is to reflect the parties’
agreement regarding the processing of Personal Data in accordance
with the requirements of Data Protection Legislation as defined
below.
1. Definitions
- “Data Protection Legislation”
means all applicable legislation relating to data protection and
privacy including the EU Data Protection Directive 95/46/EC and
2002/58/EC and any regulations which amend or replace any of
them, including the General Data Protection Regulation (GDPR).
- “Data Processor”, “Data Controller”, and “Data
Subject” shall be interpreted in accordance with applicable Data
Protection Legislation.
- “Subprocessor”
means a third-party service engaged by Spyne to process personal
data.
- “Personal Data”
means information relating to an identified or identifiable
individual. This includes, but is not limited to, information the User
provided in their account and information relating to Clients who
engage in a transaction through the User’s website.
- Terms not otherwise defined here shall have
the meaning as set forth in the Agreement.
2. Processing of Personal Data
- The parties agree that User is the Data Controller and
that Spyne is its Data Processor in relation to Personal Data that
is processed in the course of providing the Services. User shall
always comply with Data Protection Legislation in respect of all
personal data it provided to Spyne pursuant to the Agreement.
- Spyne will process the Personal Data as a
Data Processor, only for the purpose of providing the Services in
accordance with the Agreement or with instructions from the User
(including instructions provided through the User's Account).
- User agrees that the Personal Data will be
collected in compliance with Data Protection Legislation,
including all legally required consents, approvals and
authorizations. Upon Spyne’s request, User shall provide adequate
proof of having properly obtained all such necessary consents,
authorizations and required permissions.
- If Spyne is required by law to process the
Personal Data for any other purpose, Spyne will provide the User
with prior notice of this requirement, unless prohibited by law.
- Spyne may transfer Personal Data away from
the location in which it was originally collected (i.e. outside of
the EEA). In such case, Spyne will ensure the transfers will be
completed in compliance with mechanisms that are recognized under
the relevant Data Protection Legislation as providing an adequate
level of protection for data transfers.
- Following termination of the Agreement, on
the User’s request, Spyne will delete all Personal Data processed,
unless it is required by applicable law to retain the Personal
Data.
3. Security
- Spyne will implement and maintain appropriate technical
and organizational measures to protect the Personal Data against
accidental or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to Personal Data. These measures shall be
appropriate to the harm which might result from any unauthorized
or unlawful processing, accidental loss, destruction, damage or
theft of Personal Data and appropriate to the nature of the
Personal Data which is to be protected.
- Spyne will ensure that all Spyne personnel
required to access the personal data are informed of the
confidential nature of the personal data and comply with the
obligations set out in this DPA.
- Spyne will notify the User promptly upon
becoming aware of and confirming any accidental, unauthorized, or
unlawful processing of, disclosure of, or access to the Personal
Data. Spyne will also take action to investigate the incident and
reasonably prevent or mitigate the effects of the case.
4. Sub-processors
- Spyne may use Subprocessors to process the Personal Data.
The use of Subprocessors to process the Personal Data will follow
Data Protection Legislation and will be governed by a contract
between Spyne and the Subprocessor.
- Subprocessors will be permitted to process
personal data only to deliver the services Spyne has requested,
and they shall be prohibited from using Personal Data for any
other purpose. A list of our current Subprocessors is available
upon request by sending an email to hello@spyne.ai.
- In the case where the Subprocessor further
engages with other processors to process Personal Data, they will
respect the obligations set out in this DPA.
5. Information Requests and Audits
- Spyne will promptly notify the User of any complaints,
questions or requests received from Data Subjects regarding the
Personal Data.
- When applicable, Spyne will assist the User
in fulfilling your obligations in relation to Data Subject
requests under the applicable Data Protection Legislation, to the
extent that the information is available to Spyne and that you
cannot otherwise obtain the relevant information. User shall be
solely responsible for responding to any Data Subjects’ requests
and User shall reimburse Spyne for the costs arising from this
assistance.
- Upon request, Spyne will provide all
reasonable assistance to the User in respect to exercising its
audit rights. The purpose of the audit is to verify the
processing of personal data in accordance with this DPA. Prior to
the audit, the parties will agree on the duration and scope. The
request from Users in this aspect shall be reasonable to the
extent required by the Data Protection Legislation and Users will
be responsible for any cost incurred with regards to the resources
and time spent by Spyne.
- Upon your written request, Spyne will destroy
all Personal Data in its possession or return the Personal Data to
User, as requested. This requirement will not apply to the extent
Spyne is required by applicable law to retain some or all of the
User’s Data. User Data on backup servers is protected from any
further processing, except to the extent required by applicable
law.
6. Miscellaneous
- This DPA only applies where the Personal Data originates
from the EEA or is otherwise subject to the Data Protection
Legislation through the processing of Personal Data in the course of
providing Services to the User.
- The terms of this Addendum shall be governed
by and interpreted in accordance with the laws of Canada
applicable therein, without regard to principles of conflicts of
laws.
- In the event of any conflict or inconsistency
between the terms of the Agreement and this DPA, the provisions of
this DPA shall prevail. This DPA might be amended from time to
time. Any claims brought under this DPA will be subject to the
same terms and conditions, including the exclusions and
limitations of liability, as are set out in the Agreement.