Data Processing Agreement
This Data Processing Agreement ("DPA") becomes effective upon the acceptance of the Terms of Service.
Customer shall make available to Neivi Innovación Tecnológica, S.L. (“TokenChannel”) and Customer authorizes Neivi Innovación Tecnológica, S.L. to process information including personal data for the provision of the Services under the Agreement. The parties have agreed to enter into this DPA to confirm the data protection provisions relating to their relationship and so as to meet the requirements of applicable Privacy Laws.
1. Definitions
1.1 For the purposes of this DPA: “Privacy Laws” mean any applicable law relating to data protection and security, including without limitation EU Data Protection Directive (EU Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data), Directive on privacy in electronic communications (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector) and General Data Protection Regulation (Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 94/46/RC) (“GDPR”) and any amendments, replacements or renewals thereof (collectively the “EU Legislation”), all binding national laws implementing the EU Legislation and other binding data protection or data security directives, laws, regulations and rulings valid at the given time including any guidance and codes of practices issued by the applicable supervisory authority;
1.2 The terms “data controller”, “data processor”, “data subject”, “personal data”, “processing” and “appropriate technical and organisational measures” shall have the meanings given to them under applicable Privacy Laws.
2. Role of the Parties
2.1 The Parties understand that for the provision of the Services a distinction is made between two types of processing of personal data: (i) the provision of platform services (i.e. the database of call data records and the logs created and managed by TokenChannel on behalf and under the supervision of Customer) for which TokenChannel will act as a data processor and agrees to comply with the respective obligations set out in Articles 3 – 11, and (ii) the transmission of A2P (application-to-person) messages by TokenChannel and other Service Providers for which TokenChannel will act as a data controller and agrees to comply with the respective obligations set out in Article 13.
3. Subject matter, nature and purpose of TokenChannel’s processing of personal data
3.1 TokenChannel shall process personal data originating from and sent to a country located in the EU/EEA or Switzerland solely in countries situated in the EU/EEA or Switzerland and not cause any cross border transfer of personal data from a country situated in the EU/EEA or Switzerland to any country situated outside the EU/EEA or Switzerland unless personal data is transferred to a country approved by the European Commission as providing an adequate level of protection for personal data, the transfer is made pursuant to European Commission approved standard contractual clauses for the transfer of Personal Data for which the Customer provides a power of attorney for TokenChannel to enter into any such European Commission approved standard contractual clauses with a Sub-processor approved as set out in clause 8 in the name and on behalf of the Customer.
3.2 Standard contractual clauses for the transfer of Personal Data for which the Customer provides a power of attorney for TokenChannel to enter into any such European Commission approved standard contractual clauses with a Sub-processor approved as set out in clause 9 in the name and on behalf of the Customer.
4. Duration
4.1 The processing of personal data will be carried out by TokenChannel for the duration of the Agreement unless otherwise agreed upon in writing.
5. Type of personal data processed
5.1 The Customer may submit Customer personal data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to the following categories of personal data:
- Contact information (email, phone, physical address, social network identities)
6. Type of data subjects
6.1 The Customer may submit personal data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to personal data relating to the following categories of data subject:
- Customers, business partners and vendors of the Customer (who are natural persons)
- Employees of contact persons of the Customer’s customers, business partners and vendors
- Employees, agents, advisors, freelancers of the Customer (who are natural persons)
- Customer’s Service user including any user of the Services, which Customer permits using the Services
7. Technical and organisational measures
7.1 TokenChannel has implemented and maintains appropriate technical and organizational measures in accordance with Article 28, 3 (c) and Article 32 in particular in relation with Article 5, 1 and 2 GDPR. Such measures include, but are not limited to, physical and IT measures, and organizational measures to protect personal data processed against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. Such measures are described in the Security Directives and provide a level of security that is appropriate to the risks of the processing having regard to:
i) the state of the art technology;
ii) the costs of implementation;
iii) the nature, scope, context and purposes of processing, including the type of personal data; and
iv) risk for the rights and freedoms of natural persons that personal data relate to.
7.2 The Technical and Organisational Measures are subject to technical progress and further development. In this respect TokenChannel may implement alternative adequate measures; however, the security level of the defined measures must never be reduced. Major changes must be documented.
8. Sub-processors
9.1 The Customer agrees that TokenChannel may engage third parties to process personal data in order to assist TokenChannel to deliver the Services on behalf of the Customer (“Sub-processors”). TokenChannel has or will enter into written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA to the extent applicable to the nature of the Services provided by such Sub-processor. If the Sub-processor processes the Services outside the EU/EEA, TokenChannel shall ensure that the transfer is made pursuant to European Commission approved standard contractual clauses for the transfer of Personal Data which the Customer authorizes TokenChannel to enter into on its behalf, or that other appropriate legal data transfer mechanisms are used.
9.2 The current Sub-processors for the Services are set out at https://tokenchannel.io/docs/subprocessors/ (“Sub-processor List”) and the Customer agrees and approves that TokenChannel has engaged such Sub-processors to process personal data as set out in the list. TokenChannel shall provide notification of a new Sub-processor(s) before authorising any new Sub-processor(s) to process personal data in connection with the provision of the applicable Service.
9.3 For the avoidance of doubt, where any Sub-processor fails to fulfil its obligations under any sub-processing agreement or under applicable law TokenChannel will remain fully liable to the Customer for the fulfilment of its obligations under this DPA.
10. Audits and inspections
10.1 In the event that the Customer, a regulator or data protection authority requires additional information or an audit related to the Services, then, TokenChannel agrees to submit its data processing facilities, data files and documentation needed for processing personal data to audit by the Customer (or any third party such as inspection agents or auditors, selected by Customer) to ascertain compliance with this DPA, subject to being given reasonable notice and compliance with TokenChannel’s Security Directives and the auditor entering into a non-disclosure agreement directly with TokenChannel. TokenChannel agrees to provide reasonable cooperation to Customer in the course of such operations including providing all relevant information and access to all equipment, software, data, files, information systems, etc. used for the performance of Services, including processing of personal data. Such audits shall be carried out at the Customer’s cost and expense.
11. Notification of a data breach
11.1 In the event of TokenChannel becoming aware of any breach of security that results in the accidental, unauthorised or unlawful destruction or unauthorised disclosure of or access to personal data, TokenChannel shall, among other things:
a) Notify the Customer in writing immediately but not later than 36 hours after becoming aware of the breach of security
b) Assist the Customer with regard to the Customer’s obligation to provide information to the data subject and to provide the Customer with relevant information in this regard
c) Support the Customer in consultations with the data protection authority.
11.2 To the extent legally possible, TokenChannel may claim compensation for support services under this clause 10 which are not attributable to failures on the part of TokenChannel.
11.3 Customer shall retain all rights, copyright or other intellectual property rights, title and interest to any and all personal data, including all rights relating to databases. TokenChannel understands and agrees that such personal data constitutes Customer proprietary and Confidential Information.
11.4 TokenChannel understands and agrees that such personal data constitutes Customer proprietary and Confidential information.
12. Deletion and return of personal data
12.1 Upon expiration of the Agreement or in the event of early termination for any reason whatsoever, TokenChannel and its subcontractors shall promptly provide to Customer all personal data held by them for the duration of the Agreement for the performance of the Services. Upon Customer’s request, TokenChannel will destroy copies of personal data held in its systems and confirm this to Customer in writing unless required to keep certain personal data in order to comply with applicable laws.
13. TokenChannel’s obligations as Data Controller
13.1 In situations where TokenChannel will act as a Data Controller, it undertakes to comply with its obligations under applicable Privacy Laws in respect of any Personal Data processed under the Agreement. It shall process such Personal Data in connection with the transmission of messages and to fulfil its associated obligations under the Agreement or as may be required by law, court order or any government or regulatory authority and in accordance with its Privacy Policy.
14. Customer’s obligations
14.1 The Customer shall comply at all times with applicable Privacy Laws in relation to the processing of personal data in connection with the Agreement and the Services.
15. Governing Law and Jurisdiction
15.1 This Agreement is governed by Spanish law.
15.2 Any dispute arising in connection with this Agreement, which the parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Spain.
Schedule 1: Service Description and Pricing
The Service offered by Neivi Innovación Tecnológica, S.L. is tokenchannel.io ("TokenChannel").
TokenChannel offers a REST API for customer verification by different contact channels.
Plans:
The Sandbox plan provides the ability to try the TokenChannel model by creating verification workflows with limited and restricted usage. The Business plan provides full access to create verification workflows.
Changelog
Jan 13, 2020: Initial version