Effective Date: 2023.09.29
"Client Data" refers to personal data processed by Provider on behalf of the Client."Provider" refers to Pertento AI."Data Controller" refers to the Client."Data Processor" refers to Pertento AI."Data Protection Officer" refers to the designated data protection officer of Pertento AI, "Data Location" refers to the geographical location where Client Data is stored."Personal Data Breach" refers to a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Client Data."Data Subject" refers to the individual to whom Personal Data relates.
During the provision of services to the Client, Provider may process Client Data. This DPA applies to such processing.
The categories of Personal Data processed by Provider are specified in this DPA, Section 1. Any other Personal Data processed by Provider on behalf of the Client shall also be subject to this DPA.
Data Controller and Data Processor
The Client is the Data Controller, and Provider is the Data Processor.
During the term of the Agreement, the Provider shall store Client Data in the EEA unless with Client’s prior written consent. Client Data cannot be accessed from outside of the EEA without Client’s prior written consent.
Throughout the term of the Agreement, the Provider shall take and implement adequate Technical And Organisational Security Measures to protect Client Data against Personal Data Breaches.
Personal Data Breach Notification
The Provider shall promptly, and in no case later than 24 hours of having become aware, notify Client of any Personal Data Breach it becomes aware it has sustained, and provide Client with all available information pertaining to such Personal Data Breach, including correction and other remedies taken or planned to be taken by Provider. Provider shall thereafter implement all necessary measures to limit and remedy the incident as soon as possible, shall keep Client properly informed on developments and shall provide any and all cooperation requested by Client.
Data Subject Rights
The Provider shall promptly notify Client of: (i) any Data Subject requests or complaints regarding the Processing of their Personal Data; or (ii) any third party (including organizations or associations) requests or complaints regarding the Processing of Personal Data by Provider on behalf of Client; or (iii) any government requests for access to or information about the Processing of Personal Data undertaken by Provider in the context of the Agreement. In the event Provider directly receives such a request or complaint, the Provider shall immediately notify Client and shall in no event respond directly, unless with Client’s prior written instruction.
Correction, Deletion, or Blocking of Personal Data
Where Client notifies Provider that a Data Subject has exerted the right to rectification, erasure, restriction of Processing, or objection to Processing, the Provider shall ensure that this is promptly implemented as instructed by the Client, and in any event within 15 days from the Client’s instruction. Moreover, Provider shall ensure that this is communicated to each recipient to whom it has disclosed the Personal Data in question (e.g. its Subprocessors).
The Provider is under the obligation to implement measures to limit access to Client Data only to those employees of Provider which need access to such data in order to fulfill their work attributions to the benefit of Client, based on the “need to know” and “least privileged access” principles.
The Provider may use Subcontractors to provide limited services on its behalf in accordance with the terms of the Agreement and this DPA. Any such Subcontractor will be permitted to Process Client Data only to deliver the services the Provider has retained them to provide, and Provider shall procure the Subcontractor does not Process Client Data for any other purpose.
Deletion of Personal Data and Restriction of Use
Save for other instructions from Client, Provider shall delete or return the Client Data to Client no later than 90 days after termination of the Contract (or, if applicable, after a project within the Contract is finalized), and delete all records of such data from its systems (including backups).
The Provider shall not be liable to any damages incurred by the use of its services.
Term and Termination
This DPA shall come into effect on the effective date of the Agreement OR the signing date and continue for as long as the Agreement is in force. Termination of the Agreement due to any reason will automatically lead to the termination of this DPA. The termination of the DPA shall not affect the provisions hereof or the legal obligations meant to produce effects after termination.
The provisions of the Agreement referring to confidentiality, dispute resolution shall apply mutatis mutandis.The provisions referring to Technical and Organisational Security Measures, as well as Client’s audit rights, shall remain valid and enforceable for the duration of this DPA as well as an additional period of three calendar years.With regard to the subject matter of this DPA, the terms herein shall prevail on the Agreement.This DPA shall be governed by Swedish law. Any disputes between the Parties shall be resolved pursuant to the terms of the Agreement.This DPA shall be subject to the confidentiality provisions of the Agreement. However, Client may share this DPA with the data protection supervisory authority and with the client without Provider's consent.In the event one or more of the provisions contained in this DPA shall be held, for any reason, to be invalid, void, illegal and/or unenforceable in any respect, the validity, legality and enforceability of the remaining provisions of this DPA shall not be in any way affected and, if necessary for this purpose, such provision(s) shall be deemed to be omitted from this DPA.No amendment of this DPA shall be effective unless in writing and signed by a person duly authorized on behalf of each of the Parties.In case of conflict between the two language versions of this DPA, the English version shall prevail.
Minimum Security MeasuresAuthentication & Access Control
Unauthorized persons shall not be allowed access to the equipment by which personal data are processed or in which personal data are stored.The use of data-processing systems by unauthorized persons shall be strictly prohibited.All reasonable measures shall be taken to ensure that any persons authorized to use the data-processing system have access only to the data they have been authorized to access, and that personal