Effective Date May 25th, 2018
This DATA PROCESSING AGREEMENT (this “Agreement”) executed between:
- LetReach Technologies Private Limited (the parent company of “LetReach, Inc.”, “LetX” and all its subsidiary products including but not limited to LetReach, LetSpinio, LetConvert, etc.), registered in Delhi India with registered office address being 2A/3, Asaf Ali Road, Next to Delhi Stock Exchange, Delhi - 110002, India and corporate office located at LetX HQ, FA 45, Shivaji Enclave, Rajouri Garden, New Delhi 110027, India, hereby referred to as “Processor” and/or “LetX”;
- You, the payer or the recipient of LetX services or the organization signing up for the services of LetX via a free trial or a paid subscription. (“Controller”);
hereinafter collectively referred to as “Parties” and individually “Party”.
- This Agreement is applicable insofar as providing the Services (defined under Annexure I) and carrying out the processing of the Personal Data (as defined below).
- In performing the Services, the Processor will process data for which the Controller is and remains responsible. These data include personal data within the sense of the General Data Protection Regulation (EU 2016/679) (“GDPR”).
- Considering the provisions in Article 28 paragraph 3 of GDPR, the Parties want to lay down in this Agreement the conditions on which these Personal Data will be processed.
- This Agreement is applicable insofar as it concerns providing the Services and consequently carrying out one or more Processing Operations, as mentioned in Annexure 1.
- The Processing Operations as mentioned under Annexure 1 which are carried out in providing the Services are further herein referred to as the “Processing Operations”. The personal data processed in this connection are the “Personal Data”.
- With regard to the Processing Operations the Controller is the party responsible for the Processing Operations and the Processor is the party processing them. The natural persons who are actually using the Services of the Processor and their representatives, if any, are further herein also referred to as the “End Users”.
- All concepts in this Agreement have the meaning given to them in the GDPR, unless defined otherwise under this agreement.
- If more and other Personal Data are processed on the instructions of the Controller or if they are processed otherwise than described in this clause, this Agreement applies as much as possible to those Processing Operations as well.
- The Annexures form part of this Agreement. They consist of:
- Annexure I: the Processing Operations, and the Personal Data
- Annexure II: the sub-processors and sub-processor categories which are approved by the Controller.
- The Processor shall be responsible for processing the Personal Data on behalf of the Controller on the written and explicit instructions of the Controller. Further provided that the Controller has and shall retain full control of the Personal Data provided to the Processor.
- The Processor shall not transfer the Data outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law.
- The Processing Operations are only carried out in connection with the Services. The Processor shall not process Personal Data other than as required for the provision of the Services.
- The Processor will perform the Processing Operations in a proper way and with due care.
3. SECURITY MEASURES
- The Processor shall take all the technical and organizational security measures as may be required subject to the provisions of the GDPR, including but not limited to Article 32 of the GDPR, to ensure protection of the Personal Data to be processed subject to this Agreement.
- The Processor shall ensure that persons, not limited to employees, who participate in Processing Operations at the Processor duly execute a confidentiality agreement with respect to the protection of Personal Data.
- The Processor has appointed an officer (“Officer”), to ensure its compliance with the GDPR and to further act as a point of contact with respect to all issues arising under GDPR. In case of any questions, the Controller may reach out to the Officer, at email@example.com
4. DATA LEAKS & PRIVACY IMPACT ASSESSMENT
- The Processor shall notify the Controller of any ‘personal data breach’ as defined in Article 4 of the GDPR. Such a breach shall hereafter be referred to as a “Data Leak”.
- The Processor will provide the Controller, within a reasonable time period, all the information in his possession and where such information is required to be provided to the Controller to fulfill the obligations under Article 33 of the GDPR. Such information shall be provided in a standard format, as may be determined by the Processor.
- The Processor shall not be under the obligation to inform the Controller of a Data Leak where the Processor, in good faith, determines that the Data Leak shall not pose a risk to the rights and freedoms of natural persons and/or Personal Data. In an event where a Data Leak may affect the rights and freedoms of the natural persons and/or Personal Data, the Processor shall inform the Controller. The Processor shall document all Data Leaks, also those which may not have been reported to the Controller, and provide the Controller with a written report mentioning such Data Leaks on a quarterly basis.
- It is exclusively up to the Controller to determine whether a Data Leak established at the Processor is to be reported to the supervisory authority for Personal Data and/or to the persons involved.
- The Processor will assist the Controller, insofar as is reasonably possible and taking into account the nature of the Processing Operations and the latest technology, in fulfilling the obligations under Articles 35 and 36 GDPR.
5. ENGAGEMENT OF SUB-PROCESSORS
- In performing the Processing Operations, the Processor is not entitled to engage a third party as the sub-processor with the prior written consent of the Controller. The consent of the Controller can also relate to a certain type of third parties.
- If the Controller gives his consent, the Processor must ensure that the respective third party enters into an agreement in which he at least observes the same legal obligations and any additional obligations as those the Processor has under this Agreement. If a sub-processor does not want to accept the additional obligations under this Agreement, the Controller can decide to release the Processor from the additional obligations for the respective Processing Operations so that the Processor can nevertheless enter into the sub-processing agreement.
- In the event that the consent relates to a certain type of third party, the Processor shall inform the Controller about the sub-processors engaged by him. The Controller can then object to the additions or replacements with regard to the sub-processors of the Processor.
- The Controller hereby gives his consent to engage the sub-processors and/or categories of sub-processors included in Annexure 2.
6. CONFIDENTIALITY OBLIGATION
- The Processor shall keep the Personal Data confidential. The Processor shall further ensure that the Personal Data shall not, directly or indirectly, become available to any third parties. The term third parties also includes the personnel of the Processor, insofar as such personnel do not play a role, direct or indirect, in the processing of the Personal Data. This prohibition does not apply if provisions to the contrary are laid down in this Agreement and/or insofar as a statutory regulation or judgment requires any disclosure.
- The Processor shall inform the Controller of any request for access to, provision of or other form of requesting and communicating Personal Data contrary to the confidentiality obligation included in this clause.
7. RETENTION PERIODS AND DELETION
- The Controller shall be responsible for determining the retention periods with regard to the Personal Data to be processed by the Processor, and shall inform the Processor of such retention periods in writing at each instance of the sharing of the Personal Data.
- The Processor shall delete the Personal Data within thirty days of the Controller making a written request to delete the Personal Data, unless the Personal Data has to be retained longer subject to the statutory obligations of the Processor, or the Controller requests that the Personal Data be retained for a longer period of time, subject to a mutual agreement between the Parties in writing for such longer retention of Personal Data and subject to the statutory retention periods mentioned under the GDPR. Any transfer to the Controller takes place at the expense of the Controller.
- The Processor will state at the request of the Controller that the deletion meant in the aforementioned Clause has taken place. The Controller may have the same verified at his own expense subject to the provisions of Clause 10 of this Agreement. In so far as this is necessary, the Processor shall inform all sub-processors involved in processing the Personal Data of any termination of the Agreement and shall instruct them to act as provided for therein.
- Unless otherwise agreed by the Parties in writing, the Controller shall be responsible for all back-up of the Personal Data.
8. RIGHTS OF PERSONS INVOLVED
- In the event of the Controller having access to the Personal Data, the Controller shall be responsible for complying with all requests by the natural persons with respect to the Personal Data. The Processor shall immediately pass on to the Controller any requests received by the Processor.
- In the event that the Parties are unable to comply with the provisions of Clause 8.1, the Processor shall provide its full cooperation to the Controller to:
- provide the natural persons with access to their respective Personal Data after approval from and on the instructions of the Controller,
- remove or correct Personal Data,
- demonstrate that Personal Data has been removed or corrected (or, in the event where the Controller does not agree that the Personal Data are incorrect, the Controller shall record that the natural person considered its Personal Data to be incorrect),
- provide the Controller or the third party appointed by the Controller with the respective Personal Data in a structured, usual and machine-readable form, and
- enable the Controller otherwise to comply with his obligations under the GDPR or other applicable legislation in the area of processing Personal Data.
- The costs of, and requirements to enable, compliance with the aforementioned Section 8.2 shall be jointly determined by the Parties. However, in the absence of any agreements in this respect, the costs will be borne by the Controller.
- Each Party warrants to the other that it will process the Personal Data in compliance with this Agreement and in accordance with the GDPR.
- The Controller will indemnify the Processor in respect of all direct liabilities, costs and expenses suffered or incurred by the Processor in its capacity as the processor of the data of the controller, arising from any security breach in the terms of this agreement, or any negligent act or omission by the controller in the exercise of the rights granted to it under the applicable law provided:
- The Processor within reasonable time, notifies the Controller of any actions, claims or demands brought or made against it concerning any security breach;
- The Processor will not compound, settle or admit to any actions, claims or demands without the consent of the Controller except by the order of a court of competent jurisdiction;
- The Controller will be entitled at its own cost to defend or settle any proceedings;
- The Processor shall not have acted on its own accord and independently of the instructions given to it by the Controller in its role as a data processor in accordance with the provisions of this Agreement;
- This indemnity shall exclude any loss that has arisen out of negligence or willful act, default or omission of the Processor, its employees, contractors, or sub-contractors;
- Nothing in this agreement shall restrict or interfere with the Controller’s rights against the Processor or any person in respect of contributory negligence.
- The Processor’s right to claim damages shall be forfeited if the Processor fails to give written notice of any damages that may be sustained as aforesaid within 10 business days, from the occurrence thereof or commences to make good such damages before written notice is given as aforesaid.
- The Processor will indemnify the Controller in respect of all direct liabilities, costs and expenses suffered or incurred by the Controller in its capacity as controller of the data of the processor arising from any security breach in terms of this agreement or negligent act or omission by the Processor in the exercise of the rights granted to it under the Applicable Law provided that:
- The Controller within reasonable time notifies the Processor of any actions, claims or demands brought or made against it concerning any alleged security breach;
- The Processor shall be entitled at its own cost to defend or settle any proceedings; and
- Nothing in this agreement shall restrict or interfere with the Processor’s rights against the Controller or any other person in respect of contributory negligence.
10. RIGHTS OF PERSONS INVOLVED
- The Controller shall be entitled to verify the compliance with the provisions of this Agreement once every year at his own expense or to have them verified by an independent registered auditor or registered informatics professional.
- The Processor shall provide the Controller with all the information necessary to demonstrate that the obligations in Article 28 GDPR have been complied with. If the third party engaged by the Controller gives an instruction which in the opinion of the Processor constitutes an infringement of the GDPR, the Processor shall inform the Controller of this immediately.
- The investigation of the Controller shall always be limited to the systems of the Processor being used for the Processing Operations. The information obtained during the verification shall be dealt with confidentially by the Controller and only be used to verify the compliance of the Processor with the obligations under this Agreement and the information or parts of it will be deleted as soon as possible. The Controller warrants that any third parties engaged will also undertake these obligations.
- Before the commencement of any such audit, Controller and Processor shall mutually agree upon the scope, timing, and duration of the audit, in addition to the reimbursement rate for which Controller shall be responsible.
11. OTHER PROVISIONS
- Any amendments to this Agreement are only valid if they have been agreed by the parties in writing.
- Neither Party shall assign any part of this Agreement without the prior written consent of the other Party.
- The Processor shall not sub-contract to any third party any of its rights or obligations under this Agreement save for where permitted by the Parties under this Agreement.
- Except as expressly provided in this agreement, the rights and remedies provided under this agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
1. SERVICES or Processing Operations
The services that we offer to our controller comprise several services to help the controller market online, including but not limited to web push notifications platform, lead generation, social media marketing, web engagement, conversion optimization, etc. (“Services”).
The Controller uses these Services for several purposes, including marketing its products/services.
2. DATA PROCESSED
Depending on how the controller chooses to use the service, the subject matter of processing of personal data may include, but is not limited to, the following types of data:
- Email ID
- Web Push Device Token – A pseudonymous data element (in case of using web push services).
- Browser Type of the User
- Country, State and City of the subscriber / end user.
- Any other extra information like visitor tracking on the website, pages browsed, etc.,
- Cookies – Used to improve the user experience of your data subject, for example, not showing them the product end deployment again if they have already subscribed; and
- Any other data points that the controller may have configured the LetX products to capture
When any Party registers on our site, we typically gather the following (but not limited to) info:
- Email Address
- Website URL
- Phone Number
- IP Address from where the party signs up
List of Sub-processors:
Sub-processors used by us when working as a processor