Data Processing Addendum
Last update: 01/04/2022
The Aqurate Data Processing Addendum is an Annex to the Aqurate Standard Service Terms agreement between Aqurate, henceforth called the Company, and You, the user of the analysis and prediction services, henceforth called the Customer (each called a “party” and together, the “parties”).
BY CLICKING ON THE “I AGREE” BUTTON, REGISTERING TO USE THE SERVICE, OR USING THE SERVICE, (1) YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTAND, AND AGREE TO BE BOUND BY THESE TERMS, AND (2) YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO ENTER INTO THESE TERMS, PERSONALLY AND ON BEHALF OF THE COMPANY YOU HAVE NAMED AS THE CUSTOMER, AND TO BIND THAT COMPANY TO THESE TERMS. IF YOU DO NOT AGREE TO THESE TERMS, OR IF YOU DO NOT HAVE SUCH AUTHORITY, YOU SHOULD NOT USE THE SERVICE.
1.1. Agreement: the Aqurate Standard Service Terms.
1.2. Aqurate: means MACHINE LEARNING SOLUTIONS SRL, with its registered office in Romania, 2-4 Calea Circumvalatiunii, Timisoara, Timis county, Office 413, VIES (VAT) code RO40330105, EUID ROONRC.J35/4631/2018.
1.3. Breach of personal data security: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
1.4. Data controller: the natural or legal person, organization, public authority, agency or body that, alone or jointly with others, determines the purposes and means of processing personal data.
1.5. Data processor: the natural or legal person, organization, public authority, agency or body that processes the data on behalf of the data controller.
1.6. End Users: a natural/legal person that is a client or website visitor of the Customer’s and whose data and interaction with the Customer may be provided to the Company through one or more Integrations.
1.7. Integration: a data source such as sales data (e.g., from an eCommerce platform), website traffic data (e.g., from Google Analytics), or ads data (e.g., from Facebook Ads) from which the Customer authorizes the Company to access and retrieve data in order to provide the Service.
1.8. Personal data: any information regarding a natural person who is identified or identifiable (“data subject”); an identifiable natural person is a person who can be identified either directly or indirectly.
1.9. Processing: any operation or set of operations performed on personal data or datasets of personal data, with or without automated means.
1.10. Regulation or GDPR: the EU Regulation no. 679/2016 of the European Parliament and Council dated April 27, 2016 on data protection, privacy and transfer of personal data, applicable from May 25, 2018 onwards.
1.11. Service: any of the web-based applications, tools, APIs and platforms available as a subscription, developed, operated and maintained by the Company, accessible via https://aqurate.ai or another designated URL, and any ancillary products and services, including cloud hosting, provided to the Customer.
2. Data subjects
2.1. As per the provisions of the Agreement, the Parties process the personal data of the designated contact persons and the representatives of each Party.
2.2. Seeing that the Service provided by the Company based on the Agreement cannot be performed without access to any personal data, the Parties agree that the Customer may transfer to the Company any personal data pertaining to End Users obtained from Integrations.
2.3. Should the data processing performed by the Customer with regard to the End Users entail analysing their behaviour and/or creating user and behaviour profiles, the Customer in its capacity of Data Controller shall take all necessary measures towards observing the legislation on data protection, security and transfer (including the obligations stipulated under preambles 60, 63, 70, 71, 90 and 91 of GDPR, as well as those under article 4 point 4, article 13 paragraph 2 point f, article 14 paragraph 2 point g, article 15 paragraph 1 point h, article 21 paragraphs 1-5, article 22 paragraphs 1-3, article 35 paragraph 3 point a of the Regulation). The Company shall not be involved in this activity, given that it does not process any of the End Users’ personal data.
3. Processed personal data
3.1. In the context of the Agreement, the Parties shall process these types of personal data:
Data subject: Designated contact persons and representatives of each Party
Personal data: First name, last name, email, phone, role in the company
Parties’ capacity: Customer - data controller. Company - data controller
Purpose of processing: conclusion and execution of the Agreement
Legal ground of processing: article 6 paragraph 1 (b) GDPR
Data subject: End User data, depending on Service and the Customer’s ability to anonymise it
Personal data: First name, last name, email, phone, address, IP
Parties’ capacity: Customer - data controller. Company - data processor
Purpose of processing: rendering of the Service
Legal ground of processing: article 6 paragraph 1 (a) GDPR
4. Rights and obligations of the Parties
4.1. The Parties undertake to observe all obligations pursuant to the legislation applicable to data protection, privacy, and transfer of personal data (including the Regulation and related legislation) in their actions under the Agreement and marketing thereof.
4.2. The Customer is responsible for obtaining the consent to record, store and process data from its End Users, in accordance with the applicable laws and regulations regarding Personal Data, as necessary for Company and its Affiliates to provide the Service.
4.3. The Customer shall not send/transfer/disclose to the Company any sensitive personal information of its End Users. If it is necessary for Customer to share/disclose/transfer such personal information to the Company, it shall always be de-personalised, anonymised and/or otherwise encrypted (or hashed) so as to no longer constitute Personal Data within the meaning of the EU General Data Protection Regulation 2016/679 or any other legislation regarding personal data before disclosure/transfer to the Company.
4.4. The Company may collect and use the End User data in an anonymized manner to improve its services and products or create new services and products.
4.5. Irrespective of either Party’s capacity in their actions of processing data as per article 3 herein, it represents that it:
• Processes personal data of data subjects in observance of the rights and liberties thereof;
• Shall process personal data in good faith and in an adequate manner with respect to the purpose;
• Shall not process personal data for any purposes outside the scope of the Agreement;
• Shall ensure adequate informing of the representatives and contact persons of the other Party with regard to the disclosure of their personal data to the other Party. In this respect, each Party undertakes to provide the other Party, upon request, with all the information required by the data subjects pertaining to the manner in which it processes their personal data (internal policies, security measures etc.);
• Shall only select subcontractors that observe the data protection legislation and that have expressly undertaken to observe the confidentiality obligation with respect to the processed personal data;
• The Customer shall be allowed to perform audits of the Company’s observance of data protection provisions, provided that it notifies the Company of its intent at least 15 days prior, that the checks shall be limited exclusively to the documentation relevant to the audit and that it covers all costs thereof. After the audit, it is understood that the Customer is fully informed regarding the data processing means employed by the Company with respect to their Agreement, and the continuation of the Parties’ collaboration or lack of active measures towards sanctioning the Company’s employed means shall equate to a confirmation from the Customer on the Company’s observance of the data protection legislation;
• Is held responsible for implementing adequate technical and organizational measures to ensure security of data subjects’ personal data (including training their own employees, partners and subcontractors with respect to the confidentiality of processed data);
• Undertakes the confidentiality obligation regarding the personal data it has access to as per the Agreement, for the entirety of its duration and for a period of 3 years after its termination (as per article 8 of the Agreement);
• Shall designate a data protection officer, if this is mandatory as per the relevant legislation, or a person who can be contacted by the other Party and the data subjects with inquiries related to their personal data protection.
4.6. Name of data protection officer / contact person
For the Customer
First and last name (Required): ____________________________________
E-mail (Required): _______________________________________________
For the Company
First and last name: Raul-Teodor Mazilu
4.7. Should a Party designate a data protection officer, their data shall also be communicated to the competent authorities;
• Shall inform the other Party regarding any complaint/inquiry originating from the data subjects pertaining to any security breach of personal data, if such a breach could affect the other Party’s operations or liability, or to the emergence of any risk of security breach of personal data within 1 business day since it has acquired knowledge of the breach or the emergence of the risk;
• Shall not transfer processed personal data to any third countries without implementing the adequate guarantees acknowledged under the Regulation;
• Shall take all required measures to reduce risk or remove the negative effects of a breach, additionally providing its support to the other Party in order to fulfill its legal obligations pertaining to necessary actions upon a data breach.
4.8. In addition to the provisions of article 4.5., in exceptional cases where the Company processes data in a capacity of Data processor, it shall act under the authority of the Data controller, only upon written instructions and within the confines thereof. The instructions communicated by the Customer shall observe the legislation on data protection, this obligation being incumbent solely upon the Customer, the Company’s liability thereof being excluded. The instructions shall include at least information on: object of processing, duration, scope and purpose, types of data, categories of data subjects, obligations and rights.
4.9. In these situations, the Company undertakes the following:
• Not to recruit another data processor without prior written confirmation from the Data controller, either specific or general, nor without ensuring the new data processor shall observe the same obligations from the Agreement;
• To offer assistance to the Data controller to fulfill its obligations under the Regulation, within reasonable limits. However, the evaluation of impact on data and risks generated by personal data breach of End Users’ personal data, the consultation with the competent authority (if applicable), as well as the taking of the measures indicated under article 2.3. above are solely the responsibility of the Data controller.
• Not to create data derived from the processing performed for or on behalf of the Customer for any purpose other than the execution of the Agreement.
• To delete, destroy or return to the Customer all personal data processed on the basis of the Agreement, upon the Data controller’s choice, within at most 30 days from the termination of the Agreement, or after this term if the legislation requires the storage of such data for a longer period or if it is justified by a legitimate interest of the Company (e.g. the existence of a legal dispute which shall not be finalized within the 30 day term).
5. Parties’ liability
5.1. Each Party hereby represents that it is informed of and observes the provisions of the data protection legislation and accepts all consequences deriving from its capacity of independent Data controller and, respectively, Data processor as specified under article 3, and does not undertake any further obligations or obligations pertaining to the other Party.
5.2. Neither Party shall be held liable for how the other Party, its employees, or partners fulfil their legal obligations. Thus, each Party shall be held liable for its own actions and inactions, as well as for those of its employees and partners.
5.3. Each Party’s liability towards the other Party and towards the data subjects shall be established with respect to the Party’s capacity specified under article 3 above, the cause and location of the data breach, the data security measures employed, the actions employed to avoid such incidents and the observance of obligations specified under article 4.
5.4. Any limitation of the Company’s patrimonial liability stipulated under the Agreement shall also be applicable to any breaches of this Data Processing Addendum.
6. Final provisions
6.1. The provisions of this Data Processing Addendum shall prevail should there be any inconsistencies with the clauses in the Agreement.