This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“TOS”) between the entity accepting this agreement in its capacity as Data Controller (the “Company” or “you”) and the company Xdroid International NV in its capacity as Data Processor (the “Data Processor”) (together as the “Parties”). This DPA reflects the parties’ agreement with respect to the terms governing the processing of Personal Data under Xdroid’s Terms of Service.
The Data Processing Agreement forms part of the Terms of Service or other written agreement between you and Xdroid and Customer where Xdroid processes Personal Data on Customer’s behalf. By accepting the Terms of Service and/or using the Services in a manner that involves the processing of Personal Data, you accept the terms of this DPA.
1. Definitions and Interpretation
Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1. “Agreement” means this Data Processing Agreement and all Schedules;
1.2. “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Company pursuant to or in connection with the Services;
1.3. “Contracted Processor” means a Subprocessor;
1.4. “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.5. “EEA” means the European Economic Area;
1.6. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.7. “GDPR” means EU General Data Protection Regulation 2016/679;
1.8. “Data Transfer” means:
1.8.1. a transfer of Company Personal Data from the Company to a Contracted Processor; or
1.8.2. an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
1.9. “Services” shall have the same meaning as in the Terms of Service.
1.10. “Subprocessor” means any person appointed by or on behalf of the Processor to process Personal Data on behalf of the Company in connection with the Agreement.
The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Application
2.1. All Data sent from the date of this agreement by the Customer to Xdroid for Processing;
2.2. All Data accessed by Xdroid on the authority of the Customer for Processing from the date of this agreement; and
2.3. All Data otherwise received by Xdroid for Processing on the Customer’s behalf; in relation to the Services.
3. Categories of Personal Data and purpose of the Personal Data Processing
In order to execute the Agreement, and in particular to perform the Services on behalf of Customer, Customer authorizes and requests that Xdroid process the following Personal Data:
3.1. Customer Information: information that we may collect from your use of the Xdroid websites and your interactions with us offline such as:
3.2. Contact information: name, home address, telephone or mobile number, email address, and passwords.
3.3. Financial information: credit card number and billing information (tax ID, payer’s VAT number, billing address, billing email, where invoices are sent); credit card numbers are handled by our payment gateway, by PayPal, or other types of payment; Xdroid only charges your credit card for payments.
3.4. Employment contact details, including: employer name, job title and function, business contact details; Xdroid deals with customer information according to the terms of our general privacy policy.
3.5. Services Data: data that resides on Xdroid, customer or third-party systems to which Xdroid has provided access to perform services.
3.6. Data stored and processed by users, such as: source code for the application, databases that the applications use, files generated by applications, the history of operations performed by users.
3.7. Log File Information: Three types of logs are saved by Xdroid’s system. The first type is connection logs, which are essentially logs from each request to each application. These connection logs may include information such as the web request, Internet Protocol (“IP”) address, browser type, referring/exit pages and URLs, number of clicks, domain names, landing pages, pages viewed and other such information. The second type is application logs, which are produced by each application of our customers. Xdroid does not have control over the content of these logs. The control of application logs as Personal Data remains with the Customer. The third type is timeline event logs, which are a record of alerts and notifications that can help Xdroid to identify and diagnose the source of current system problems and help predict future problems.
3.8. Other contact information about the customer and employees, for example through its websites, as part of that interaction.
Xdroid processes Customer information according to the terms of its Privacy policy, and treats services data as confidential in accordance with the terms of your order for services.
Categories of Data Subjects: Data subjects include Customer’s representatives and end users, such as employees, job applicants, contractors, collaborators, partners, and customers of the Customer. Data subjects also may include individuals attempting to communicate or transfer Personal Data to users of the Services.
4. Processing of Company Personal Data
Processor shall:
4.1. comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
4.2. not Process Company Personal Data other than on the relevant Company’s documented instructions.
4.3. The Company instructs the Processor to process Company Personal Data.
5. Processor Personnel
Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Company Personal Data, as strictly necessary for the purposes of the Services, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
6. Security
6.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
6.2. In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
7. Subprocessing
7.1. Processor appoints, and the Controller accepts, Xdroid Kft. as a Subprocessor to process Personal Data on behalf of the Controller.
8. Data Subject Rights
8.1. Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Company obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
8.2. Processor shall:
8.2.1. promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
8.2.2. ensure that it does not respond to that request except on the documented instructions of Company or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Company of that legal requirement before the Contracted Processor responds to the request.
9. Personal Data Breach
9.1. Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
9.2. Processor shall co-operate with the Company and take reasonable commercial steps as directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
10. Data Protection Impact Assessment and Prior Consultation
Processor shall provide reasonable assistance to Controller with data protection impact assessments and prior consultations with Supervisory Authorities or other competent data protection authorities, in each case to the extent required by Articles 35 or 36 of the GDPR or equivalent provisions of applicable Data Protection Law. Such assistance shall be limited to the Processing of Controller Personal Data by Processor and its Subprocessors, and shall take into account the nature of the Processing and the information available to Processor. Controller remains responsible for determining whether a data protection impact assessment or prior consultation is required. Processor may charge Controller for reasonable assistance provided under this Section, except to the extent such assistance is required due to Processor’s breach of this DPA.
11. Deletion or return of Company Personal Data
11.1. Subject to this section 11, Processor shall promptly and in any event within 10 business days of the date of cessation of the Processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Company Personal Data.
12. Audit rights
12.1. Subject to this Section 12, Processor shall make available to Controller, upon reasonable written request, information reasonably necessary to demonstrate Processor’s compliance with this DPA and applicable Data Protection Laws in relation to the Processing of Controller Personal Data.
12.2. To the extent Processor makes available current third-party certifications, audit reports, security documentation, written responses, or other information that reasonably demonstrates such compliance, Controller shall first rely on those materials before requesting any further audit or inspection.
12.3. If the information made available by Processor is insufficient to demonstrate compliance with applicable Data Protection Laws, Processor shall allow for and reasonably contribute to an audit, including an inspection, conducted by Controller or an independent auditor mandated by Controller, provided that such audit: (a) is limited to Processor’s Processing of Controller Personal Data; (b) is conducted no more than once in any twelve-month period, unless required by a competent supervisory authority or following a confirmed Security Incident affecting Controller Personal Data; (c) is subject to at least thirty days’ prior written notice, except where shorter notice is required by Data Protection Law or a competent supervisory authority; (d) is conducted during normal business hours and in a manner that does not unreasonably interfere with Processor’s business operations; and (e) is subject to appropriate confidentiality, security, and access restrictions.
12.4. Processor shall not be required to disclose or provide access to information relating to other customers, source code, trade secrets, privileged materials, internal security-sensitive information, or information that would compromise the security, confidentiality, or integrity of Processor’s systems or services.
12.5. Controller shall bear its own costs of any audit and shall reimburse Processor for Processor’s reasonable and documented costs incurred in supporting the audit, including reasonable personnel time, unless the audit identifies a material breach of this DPA by Processor, in which case Processor shall bear its own costs of audit support.
13. Data Transfer
13.1. The Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the consent of the Company. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall rely on EU approved standard contractual clauses for the transfer of personal data.
14. General Terms
14.1. Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.
14.2. Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement or at such other address as notified from time to time by the Parties changing address.
15. Governing Law and Jurisdiction
15.1. This Agreement is governed by the laws of Belgium.
15.2. For any disputes arising in connection with this DPA, which the Parties will not be able to settle amicably, including with respect to the interpretation, validity, effectiveness and/or execution, the Court of Antwerp shall have exclusive and irrevocable jurisdiction.