Last update: 2023-11-06
CyberUpgrade’s Data Processing Agreement Version 1.0.
This Data Processing Agreement (hereinafter – DPA) is entered into between the Client (or “Company”) and CyberUpgrade (or “Data Processor” or “Processor”) (hereinafter collectively referred to as “Parties”).
WHEREAS
(A) The Client acts as a data controller.
(B) The Client wishes to receive Services under the Agreement, which includes the processing of personal data, from the Data Processor.
(C) The Parties seek to implement a data processing arrangement that complies with the current legal regulatory requirements related to data processing.
(D) The Parties aim to establish their rights and obligations to ensure that the Processing of Personal Data complies with the GDPR.
IT IS AGREED AS FOLLOWS:
1.1 Unless otherwise defined in this DPA or the Agreement, terms and expressions written in capital letters in this DPA have the following meanings:
1.1.1 “DPA” – this Data Processing Agreement and all its annexes;
1.1.2 “Company Personal Data”, “Client Personal Data” or “Personal Data” – any personal data processed on behalf of the Company by the Processor;
1.1.3 “Sub-processor” – any person appointed by or on behalf of the Processor to process Personal Data on behalf of the Company under this DPA;
1.1.4 “Data Protection Laws” – EU data protection laws and, where applicable, the data protection or privacy laws of any other country;
1.1.5 “EEA” – the European Economic Area;
1.1.6 “EU Data Protection Legislation” – EU Directive 95/46/EC as transposed into the domestic laws of each Member State and as amended, replaced or repealed, including the GDPR and any laws implementing or supplementing the GDPR;
1.1.7 “GDPR” – EU General Data Protection Regulation 2016/679;
1.1.8 “Data Transfer” –
1.1.8.1 the transfer of the Company’s personal data from the Company to the Processor; or
1.1.8.2 further transfer of the Company’s personal data from the Processor to a Sub-processor, or between the Processor and its affiliates;
1.1.9 “Services” – services provided by the Processor, more fully described in the Agreement.
1.2 Terms “Commission”, “data controller”, “data subject”, “Member State”, “personal data”, “personal data breach”, “processing” and “supervisory authority” have the same meaning as in the GDPR.
2.1 The Processor shall:
2.1.1 in processing the Company’s personal data, comply with all applicable Data Protection Laws; and
2.1.2 not process the Company’s personal data other than on the Company’s documented instructions.
2.2 The Company entrusts the Processor to process the Company’s Personal Data. The processed Personal Data are described in Annex II of this DPA.
The Processor shall take reasonable measures to ensure the reliability of any employee, agent, or contractor of the Processor mentioned in the Agreement who may have access to the Company’s Personal Data, in each case ensuring that access is strictly limited to those individuals who need to know and/or have access to the relevant Company’s Personal Data, as necessary for the purpose of the Agreement, and to comply with Applicable Laws, ensuring that all such individuals are subject to confidentiality commitments or professional or statutory confidentiality obligations.
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk for the Company’s Personal Data. In assessing the appropriate level of security, the Data Processor shall primarily consider the risks that are presented by processing, particularly from a Personal Data breach.
5.1 Data Sub-processors engaged by the Data Processor are disclosed in Annex I of this DPA. The Data Processor undertakes to ensure that they comply with the terms of this DPA.
6.1 In view of the nature of the processing, the Processor assists the Company in fulfilling its obligations to respond to requests to exercise data subject rights under the Data Protection Laws.
6.2 The Data Processor shall:
6.2.1 immediately inform the Company if it receives a request from a data subject; and
6.2.2 ensure that it does not respond to such a request except on the documented instructions of the Company or as required by Applicable Laws that apply to the Processor. In such a case, the Processor, to the extent permitted, informs the Client about such a requirement.
7.1 Upon becoming aware of a Personal Data breach affecting the Company’s Personal Data, the Processor shall without undue delay notify the Company and provide the Company with sufficient information to enable the Company to meet any obligations to report or inform Data Subjects of the Personal Data breach under the Data Protection Laws.
7.2 The Processor shall cooperate with the Company and take reasonable steps as directed by the Company to assist in the investigation, mitigation, and remediation of each such Personal Data breach.
8.1 The Data Processor provides reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Company reasonably considers to be required under Articles 35 or 36 of the GDPR.
9.1 The Processor undertakes to delete all copies of the Company’s personal data within 30 days of the termination of the Agreement.
10.1 Subject to this Section 10, the Processor shall, upon the Company’s request, provide the Company with all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Company or another auditor mandated by the Company concerning the processing of the Company’s personal data. The Company agrees to bear the costs for such audit.
11.1 Without prior written consent of the Company, the Data Processor shall not transfer or authorize the transfer of Data to countries outside of the EU and the EEA.
11.2 Where Personal Data processed under this DPA is transferred to a non-EEA country, the Processor ensures that the Personal Data are adequately protected. To achieve this, the Parties, unless otherwise agreed, rely on EU-approved standard contractual clauses for the transfer of personal data, or other transfer mechanisms specified in the GDPR.
12.1 Confidentiality. Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA (“Confidential Information”) confidential and may not use or disclose this Confidential Information without the prior written consent of the other Party, except where:
(a) disclosure is required by law;
(b) the relevant information is already publicly available;
(c) disclosure is made to the Data Processor’s affiliates and Sub-processors.
12.2 Notices. All notices and communications given under this DPA must be in writing and sent to the email address specified in the Agreement.
13.1 This DPA is governed by the laws of the Republic of Lithuania.
13.2 Any dispute arising under this DPA, which the Parties are unable to resolve amicably, shall be submitted to the exclusive jurisdiction of the courts of the Republic of Lithuania.
Schedule I to the DPA
Subprocessor | Location | Provided service |
LearnWorlds (CY) Ltd | Cyprus | Provision of learning management system |
Geekbot LTD, SK HOUSE | Cyprus | Provision of SaaS providing the possibility to deploy the Services via chatbot |
Schedule II to the DPA
Data subjects | Processed personal data | Retention period | Processing operations |
| Name, surname, email, Service usage data. | During the provision of the Services and 30 days after the end of the Agreement. | The personal data transferred will be processed in accordance with the Agreement and may be subject to the following processing activities: |