Data Processing Agreement
1. BACKGROUND AND PURPOSE
This Data Processing Agreement ("DPA") forms part of the Services Agreement between Lucidtech ("Data Processor") and the Licensee ("Data Controller"), together referred to as the "Parties".
The Data Processor processes Personal Data either
- as a data processor on behalf of the Licensee as a Data Controller; or
- as a sub-processor on behalf of another data processor that processes Personal Data on behalf of its customers, which are Data Controllers.
For the purposes of fulfilling the Services Agreement, the Processor will process certain Personal Data on behalf of the Controller. This DPA sets forth the terms and conditions pursuant to which the Processor shall process Personal Data on behalf of the Controller under the Services Agreement.
In this DPA, the following terms shall have the meanings set out below:
- "Data Processor" means Processor or a Sub-processor;
- "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country, such as the Norwegian Personal Data Act (LOV-2018-06-15-38) and Personal Data Regulations;
- "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
- "GDPR" means EU General Data Protection Regulation 2016/679;
- "Personal Data" means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- "Sub-processor" means a third party sub-contractor engaged by the Processor which, will Process Personal Data on behalf of the Controller; and
The terms "Controller", "Member State", "Personal Data", "Personal Data Breach", and "Processing" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
In addition, definitions set out in the Terms of Service will also apply to words in this DPA when written in capital letters.
3. PROCESSING OF PERSONAL DATA
The Data Processor processes data on behalf of the Data Controller in connection with offering machine learning powered cloud services for reading and validating documents such as receipts and invoices, with continuous self-improvement capabilities as an integral part of the service. The Processing involves extracting information such as date, total amount, supplier, currency, etc. from the documents which may consist of Personal Data. This extracted information will be returned to the Data Controller in a structured format. After Processing, the documents may be stored for up to 5 years on the Data Processor’s systems in order to fulfill the Data Processor’s duties to the Data Controller.
The Data Processor will process the following types of personal data on behalf of the Data Controller:
- Name, IP address, contact information, occupation, purchase and other personal information that may appear on documents posted to the Service.
The Personal Data is connected to the following categories of Data Subjects:
- The employees or customers of the Data Controller.
The Data Processor shall only process Personal Data for the following purposes:
- To supply machine learning powered self-improving document interpretation cloud services to the Data Controller.
- To train machine learning models in order to continuously improve the accuracy of the service.
The Data Processor shall not process Personal Data in any other manner than what is agreed in this DPA and on documented instructions from the Data Controller. This means that the Data Processor is not allowed to process data for purposes other than those stated above, including for its own purposes, or to disclose data to third parties.
4. THE DATA PROCESSOR’S DUTIES
When Processing Personal Data on behalf of the Data Controller, the Data Processor shall follow the routines and instructions stipulated in this DPA.
Data Processor shall:
- comply with all applicable Data Protection Laws in the Processing of Personal Data; and
- not Process Personal Data other than on the Data Controller’s documented instructions unless Processing is required by Applicable Laws to which the Data Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform the Controller before the relevant Processing of that Personal Data, and
- immediately inform the Data Controller if, in its opinion, an instruction infringes applicable Data Protection Laws.
The Data Processor is obliged to give the Data Controller access to its written technical and organizational security measures and to provide assistance so that the Data Controller can fulfill its responsibilities pursuant to the Personal Data Act and the General Data Protection Regulation.
The Data Processor undertakes to only Process Personal Data in accordance with documented instructions communicated by the Data Controller, unless required to do so pursuant to the Applicable Data Protection Law.
The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Law. In the event the Data Processor, according to Applicable Data Protection Law, is required to disclose Personal Data that the Data Processor Processes on behalf of the Controller, the Data Processor will inform the Data Controller thereof. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller.
Unless otherwise agreed or pursuant to statutory regulations, the Data Controller is entitled to access all Personal Data being processed on behalf of the Data Controller and the systems used for this purpose. The Data Processor shall provide the necessary assistance for this.
The Data Processor may not, without prior written approval from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the Processing of Personal Data to any third party. This applies with the exception of Sub-processors engaged pursuant to this DPA.
The Data Processor shall not process Personal Data outside the EU/EEA, unless otherwise stated in this DPA. If the transferring of Personal Data to a country outside the EU/EEA or to an international organization outside the EU/EEA is required according to law in an EU/EEA Member State which the Data Processor is subject to or EU/EEA law, the Data Processor shall inform the Data Controller of such requirement prior to the Processing, unless the law prohibits such information from being given.
5. THE DATA PROCESSOR’S OPPORTUNITY TO USE SUB-PROCESSORS
The Data Processor may use Sub-processors. The Data Processor shall ensure that the Sub-processors are bound by written agreements that require them to comply with data processing obligations corresponding to those contained in this DPA. The Data Processor shall remain fully liable to the Data Controller for the performance of the Sub-processor's obligations.
The following Sub-processor(s) are approved by the Data Controller:
- Amazon Web Services EMEA SARL
In addition, the Data Processor has the right to use other Sub-processors, but is obliged to inform the Data Controller of any intended changes concerning the addition or replacement of other processors. The information shall be given at least three months prior to the planned changes taking effect. If the Data Controller does not consent to the change, the Data Controller has the right to terminate the Agreement with three months' notice.
6. TRANSFER OF PERSONAL DATA OUTSIDE THE EU/EEA
The Data Processor may not process or use Sub-processors that process Personal Data outside the EU/EEA without prior written approval from the Data Controller. The Data Processor shall ensure that there is a legal basis for the Processing of Personal Data outside the EU/EEA, or facilitate the establishment of such legal basis.
The Data Processor shall, in order to assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Law regarding security measures and privacy impact assessments, be obliged to take appropriate technical and organizational measures to protect the Personal Data which is Processed. The Data Processor shall comply with any written information security requirements or policies communicated by the Data Controller from time to time, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
The Data Processor shall maintain adequate security for the Personal Data appropriate to the risk of Processing. The Data Processor shall protect the Personal Data against destruction, modification, unlawful dissemination, or unlawful access. Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the Data Processor shall implement technical and organizational measures to secure the data.
The Data Processor shall document routines and other measures made to comply with these requirements regarding the information system and security measures. The documentation shall be available at request by the Data Controller and the authorities.
In addition to the technical and organizational measures mentioned above, the Data Processor shall implement the following measures:
- Access control whereby access to the Personal Data is managed through a technical system for authorization control. There shall be procedures for allocating and removing authorizations.
- User IDs and passwords used to access Personal Data shall be personal and shall not be shared.
- Secure communications whereby external data communication connections shall be protected using technical functions ensuring that the connection is authorized and encrypted for Personal Data in transit in communication channels outside systems controlled by the Data Processor.
- A process to ensure secure data destruction when fixed or removable storage media no longer are used for their purpose.
- Computer equipment and removable storage media containing Personal Data at the Data Processor’s premises shall be encrypted in order to protect against unauthorized use and theft.
- A process to ensure the confidentiality of employees who have access to the Personal Data.
- Routines for entering into confidentiality agreements with suppliers providing repair and service of equipment used to store Personal Data.
- Routines for supervising the service performed by suppliers at the premises of the Data Processor. Storage media containing the Personal Data shall be locked up if supervision is not possible.
The Data Processor shall maintain a record of all categories of Processing activities carried out on behalf of the Data Controller. The Data Processor shall prepare and keep updated a description of its technical, organisational and physical measures to be, and maintain, compliant with the applicable Data Protection Law.
9. PERSONAL DATA BREACH
In case of a Personal Data Breach involving Personal Data Processed on behalf of the Data Controller, the Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller's obligations pursuant to Applicable Data Protection Law, including, but not necessarily limited to, Article 33 of the GDPR. The Data Processor shall notify the Data Controller in writing without undue delay, but not later than 24 hours after becoming aware of such a Personal Data Breach.
Considering the nature of the Processing performed by, and the information available to, the Data Processor, the Data Processor shall assist the Data Controller in fulfilling the obligations of the General Data Protection Regulation Articles 32 to 36. To the extent the Data Controller requires assistance from the Data Processor that exceeds the scope of this DPA, the Data Processor may offer such assistance as a separately paid service.
10. DOCUMENTATION AND SECURITY AUDITS
The Data Processor shall have documentation that proves that the Data Processor complies with its obligations under this DPA and the General Data Protection Regulation. The documentation shall be available to the Data Controller on request. The Data Processor shall regularly conduct security audits, and shall submit the results of the audit to the Data Controller. The Data Controller shall be entitled to conduct audits and inspections regularly, for systems etc. covered by this DPA, in accordance with the requirements of the Personal Data Act, the Personal Data Regulations and the General Data Protection Regulation. Audits may be carried out by a third party mandated by the Data Controller. The third party will be subject to confidentiality (including signing declarations of confidentiality). The audit does not include information concerning the Data Processor's trade secrets. This includes, but is not limited to, product know-how, algorithms, software code, test results, processes, inventions, research projects etc.
11. FULFILLING THE RIGHTS OF THE DATA SUBJECTS
The Data Processor’s processing on behalf of the Data Controller is not of a nature which makes it necessary or reasonable for the Data Processor to fulfill or assist in fulfilling the Data Controller’s obligations towards Data Subjects. To the extent the Data Controller requires assistance from the Data Processor, the Data Processor will offer such assistance as a separately paid service. The Data Processor may also refuse, unless the Data Processor’s assistance is necessary in order to be able to fulfill the Data Controller’s obligations.
12. THE DURATION OF THE DPA AND THE PROCESSING
The DPA applies as long as the Data Processor processes and/or retains Personal Data on behalf of the Data Controller according to the Services Agreement.
13. TERM AND TERMINATION
The DPA may be terminated in accordance with the termination clauses in the Services Agreement. A termination of the Services Agreement also constitutes a termination of the DPA.
The Parties may claim damages in respect of any direct loss as specified in the Services Agreement in relation to breaches of this DPA. The liability for damages does not extend to indirect loss, including lost profits or anticipated savings. Loss of data is considered as an indirect loss. The maximum damages that can be awarded pursuant to this DPA is limited to a sum equivalent to the maximum liability in the Services Agreement.
15. RETURN, DELETION AND/OR DESTRUCTION OF DATA UPON TERMINATION OF THE DPA
Upon termination of this DPA the Data Processor shall (i) cease all its Processing activities and (ii) at the Data Controller's choice, delete and/or return all Personal Data or copies thereof which are received on behalf of the Data Controller pursuant to this DPA. The duty to delete applies as long as Applicable Data Protection Law does not require the Personal Data to be stored. The Data Processor may, subject to prior express approval of the Data Controller, anonymize all Personal Data received from or on behalf of the Data Controller which is comprised by the DPA.
The Data Processor will permanently erase all Personal Data processed under the DPA (regardless of where and how they are stored), for which the Customer is Data Controller, unless the Data Processor is required by law to store the Personal Data.