Data Processing Agreement (DPA)

Last updated: 27 September 2022

This Data Processing Agreement ("Agreement") forms part of the Swifteq Service Agreement (the "Principal Agreement"). This Agreement is incorporated by reference into the Principal Agreement and comes into effect upon conclusion of the Principal Agreement.

 

We periodically update this Agreement. If you have an active Swifteq account, you will be informed of any modification by email. At the bottom of this page you can find archived versions of our DPA.

 

The term of this Agreement shall follow the term of the Principal Agreement. Terms not defined herein shall have the meaning as set forth in the Principal Agreement.

 

 

WHEREAS

 

(A) Your company acts as a Data Controller (the "Controller").

(B) Your company wishes to subcontract certain Services (as defined below), which imply the Processing of Personal Data, to Swifteq Ltd, acting as the Processor.

(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing, including, without limitation, the GDPR and its national implementations.

(D) The Parties wish to lay down their rights and obligations.

 

IT IS AGREED AS FOLLOWS:


1. Definitions and Interpretation

 

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:

 

1.1.2 "Company Personal Data" means any Personal Data Processed by a Contracted Processor on Controller's behalf pursuant to or in connection with the Principal Agreement;

 

1.1.3 "Contracted Processor" means a Subprocessor;

 

1.1.4 "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

 

1.1.5 "EEA" means the European Economic Area;

 

1.1.6 “EU Data Protection Laws" means the GDPR, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time;

 

1.1.7 "GDPR" means EU General Data Protection Regulation 2016/679;

 

1.1.8 "Data Transfer" means:

 

1.1.8.1 a transfer of the Service Data from Controller to a Contracted Processor; or

 

1.1.8.2 an onward transfer of the Service Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor,
in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

 

1.1.9 "Services" means customer support application services provided by the Processor to the Controller.

 

1.1.10 "Subprocessor" means any person appointed by or on behalf of the Processor to process Personal Data on behalf of the Controller in connection with the Agreement.

 

1.2 The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.


 

2. Processing of Service Data

 

2.1 Description of Processing

 

The details of the Processing operations, in particular the categories of Personal Data and the purposes of Processing for which  Personal Data is processed on behalf of the Controller, are specified in Annex B.

 

2.2 Processor obligations

 

2.2.1 The Processor shall Process the Service Data only on documented instructions from the Controller, unless required to do so by Union or Member State law to which the Processor is subject. In this case, the Processor shall inform the Controller of that legal requirement before the start of Processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the Controller throughout the duration of the Processing of Personal Data. These instructions shall always be documented.

 

2.2.2 The Processor shall immediately inform the Controller if, in the Processor’s opinion, instructions given by the Controller infringe the GDPR or the applicable Union or Member State data protection provisions.

 

2.3 Purpose limitation

 

The Processor shall Process the Service Data only for the specific purpose(s) of the Processing, as set out in Annex B, unless it receives further instructions from the Controller.

 

2.4 Duration of the processing of Service Data

 

Processing by the Processor shall only take place for the duration specified in Annex B.

 

2.5 Security of Processing

 

2.5.1 The Processor shall at least implement the technical and organisational measures specified in Annex C to ensure the security of the Service Data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.

 

2.5.2  The Processor shall grant access to the Service Data undergoing Processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The Processor shall ensure that persons authorised to process the Service Data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

 

3. Processor Personnel

 

The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Service Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Service Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

 

4. Use of Subprocessors

 

4.1 The Processor has the Controller’s general authorisation for the engagement of sub-processors from the list in ANNEX A. The Processor shall specifically inform in writing the Controller of any intended changes of that list through the addition or replacement of Subprocessors at least 14 days in advance, thereby giving the Controller sufficient time to be able to object to such changes prior to the engagement of the concerned Subprocessor(s). The Processor shall provide the Controller with the information necessary to enable the Controller to exercise the right to object.

 

4.2 Where the Processor engages a Subprocessor for carrying out specific Processing activities (on behalf of the Controller), it shall do so by way of a contract which imposes on the Subprocessor, in substance, the same data protection obligations as the ones imposed on the Processor in accordance with this Agreement. The Processor shall ensure processor complies with the obligations to which the Processor is subject pursuant to this Agreement and to the GDPR.

 

4.3 At the Controller’s request, the Processor shall provide a copy of such a Subprocessor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secrets or other confidential information, including Personal Data, the Processor may redact the text of the agreement prior to sharing the copy.

 

4.4 The Processor shall remain fully responsible to the Controller for the performance of the Subprocessor’s obligations in accordance with its contract with the Processor. The Processor shall notify the Controller of any failure by the Subprocessor to fulfil its contractual obligations.

 

4.5 The Processor shall agree a third party beneficiary clause with the Subprocessor whereby - in the event the Processor has factually disappeared, ceased to exist in law or has become insolvent - the Controller shall have the right to terminate the Subprocessor contract and to instruct the Subprocessor to erase or return the Personal Data.


5. Data Subject Rights

 

5.1 Taking into account the nature of the Processing, the Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligations, as reasonably understood by the Controller, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

 

5.2 The Processor shall:

 

5.2.1 promptly notify the Controller if it receives a request from a Data Subject under any Data Protection Law in respect of the Service Data; and

 

5.2.2 ensure that it does not respond to that request except on the documented instructions of the Controller or as required by Applicable Laws to which the Processor is subject, in which case the Processor shall to the extent permitted by the Applicable Laws inform the Controller of that legal requirement before the Processor responds to the request.


6.Personal Data Breach

 

6.1 The Processor shall notify the Controller without undue delay upon the Processor becoming aware of a Personal Data Breach affecting the Service Data, providing the Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

 

6.2 The Processor shall co-operate with the Controller and take reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.


7. Data Protection Impact Assessment and Prior Consultation

 

7.1 The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with the Supervising Authorities or other competent data privacy authorities, which the Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to the Processing of the Service Data by, and taking into account the nature of the Processing and information available to, the Processor.


8. Deletion or return of the Service Data

 

8.1 The Processor shall promptly and in any event within 90 days of the date of cessation of any Services involving the Processing of the Service Data (the "Cessation Date"), delete and procure the deletion of all copies of the service Data.

 

8.2 Upon request of the Controller, the Processor shall provide written certification to the Controller that it has fully complied with this section 8.


9. Audit rights

 

9.1 Subject to this section 9, the Processor shall make available to the Controller on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller in relation to the Processing of the Service Data by the Processor.

 

9.2 Information and audit rights of the Controller only arise under section 9.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of the Data Protection Law.


10. Data Transfer

 

10.1  Any transfer of data to a third country or an international organisation by the Processor shall be done only on the basis of documented instructions from the Controller or in order to fulfil a specific requirement under Union or Member State law to which the Processor is subject and shall take place in compliance with the GDPR.

 

10.2  The Controller agrees that, where the Processor engages a Subprocessor in accordance with Clause 7.7. for carrying out specific processing activities (on behalf of the Controller) and those processing activities involve a transfer of Personal Data within the meaning of the GDPR, the Processor and the Subprocessor can ensure compliance with the GDPR by using standard contractual clauses adopted by the Commission in accordance with of Article 46(2) of the GDPR, provided the conditions for the use of those standard contractual clauses are met.


11. General Terms

 

11.1 Confidentiality. Each Party must keep any information it receives about the other Party and its business in connection with this Agreement ("Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

(a) disclosure is required by law;
(b) the relevant information is already in the public domain.

 

11.2 Notices. All notices and communications given under this Agreement must be in writing and will be sent by email. The Controller shall be notified by email sent to the address related to its use of the Services under the Principal Agreement. The Processor shall be notified by email sent to the address: legal@swifteq.com.


12. Governing Law and Jurisdiction

 

12.1 This Agreement is governed by laws of Ireland.

 

12.2 The Parties shall attempt to resolve any dispute arising out of or relating to this Agreement in a good faith through negotiations between senior executives of the Parties, who have authority to settle the same. If the Parties are not able to resolve the dispute amicably, the dispute shall be submitted to the exclusive jurisdiction of the courts of Dublin, subject to possible appeal to the Supreme Court in Dublin.

ANNEX A - SUBPROCESSORS

Name
Address
Processing
Jurisdiction

ANNEX B - DESCRIPTION OF THE PROCESSING

Applies to all Swifteq applications

•       Categories of Data Subjects whose Personal Data is Processed by the Processor: End-users who are logging into any Swifteq application, including, without limitations, Controller’s customers and staff.

•       Categories of Personal Data Processed: name and email address.

•       Nature of the Processing: Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data within the scope of the Services and for the duration of the Principal Agreement.

•       The Processing shall be carried out by the Processor only for the purpose of providing the Services to the Controller under the Principal Agreement for the duration of the Principal Agreement.

Applies to the Help Center Manager and Help Center Export apps

•       Categories of Data Subjects whose Personal Data is Processed by the Processor: Controller’s employees registered as authors of help center articles.

•       Categories of personal data processed: name

Nature of processing: Data deletion, storage, systematisation, analysis, transfer, and copying

Applies to the Analytics extension of the Help Center Manager app, and the Help Center Analytics app

•       Categories of Data Subjects whose Personal Data is Processed by the Processor: Data Subjects who are visiting the Controller's help center.

•       Categories of Personal Data Processed: email address.

•       Nature of Processing: anonymization by hashing. The plain email address is NOT transferred, nor stored by the Processor.

Applies to the Merge Duplicates app

•       Categories of Data Subjects whose Personal Data is Processed by the Processor: Helpdesk Ticket Requesters: Data Subjects who are creating tickets in the Controller's helpdesk.

•       Categories of Personal Data Processed: email address.

•       Nature of Processing: the requester email address is sent to the app for verification only (in-memory), but it is NOT stored in any shape or form on Processor's servers.

Applies to the Remove CC app

Categories of Data Subjects whose Personal Data is Processed by the Processor:

 

•       Helpdesk Ticket Requesters: Data Subjects who are creating tickets in the Controller's helpdesk.

•       Categories of Personal Data Processed: email address.

•       Nature of Processing:

    ◦  Each requester's email address is sent to the app for verification only (in-memory), but it is NOT stored in any shape or form on Processor's servers.

    ◦  The Controller can configure specific email addresses of tits customers to be removed from tickets.

Applies to the Attachment Workflows app, Auto-Remove Attachements app

No personal data is processed.

ANNEX C - SECURITY MEASURES

The Processor uses at least the following organisational and technical security measures to ensure the security of the Processing:

a)    Access to Personal Data is restricted, controlled and recorded;

b)    Access to Personal Data has been allowed to only those employees, who require the Personal Data to perform their functions and only to the extent required to perform their functions;

c)     Access of unauthorized persons to premises, where the Personal Data have been stored, is strictly restricted;

d)    The Processor maintains adequate access control mechanisms (e.g., two-factor authentication, password protection, and limited access) covering any systems, servers, or files;

e)    Upon expiry of the Personal Data storage period secure destruction of the Personal Data is ensured;

f)      Persons, having access to Personal Data, use at a minimum password of at least 10 characters long and containing uppercase letters, lowercase letters and digits and passwords are changed at least every year or if compromise is suspected;

g)    Password encryption;

h)    During transfer of Personal Data only encrypted communication channels are utilised;

i)      All servers and data are stored securely in Amazon Web Services (AWS) facilities in Europe, Ireland. This service provider meets international security standards such as ISO 27001 and SOC 1, 2 and 3; and

j)      DDOS mitigation.

 

More detailed information on Processor’s security policies is available at https://www.swifteq.com/security-policy.