Data Processing Agreement

CyberUpgrade’s Data Processing Agreement Version 1.0.

Updated on: 2023-11-06

This Data Processing Agreement (hereinafter – DPA) is entered into between the Client (or “Company”) and CyberUpgrade (or “Data Processor” or “Processor”) (hereinafter collectively referred to as “Parties”).

WHEREAS

(A) The Client acts as a data controller.

(B) The Client wishes to receive Services under the Agreement, which includes the processing of personal data, from the Data Processor.

(C) The Parties seek to implement a data processing arrangement that complies with the current legal regulatory requirements related to data processing.

(D) The Parties aim to establish their rights and obligations to ensure that the Processing of Personal Data complies with the GDPR.

IT IS AGREED AS FOLLOWS:

  1. Definitions and Interpretation

1.1 Unless otherwise defined in this DPA or the Agreement, terms and expressions written in capital letters in this DPA have the following meanings:

1.1.1 “DPA” – this Data Processing Agreement and all its annexes;

1.1.2 “Company Personal Data”, “Client Personal Data” or “Personal Data” – any personal data processed on behalf of the Company by the Processor;

1.1.3 “Sub-processor” – any person appointed by or on behalf of the Processor to process Personal Data on behalf of the Company under this DPA;

1.1.4 “Data Protection Laws” – EU data protection laws and, where applicable, the data protection or privacy laws of any other country;

1.1.5 “EEA” means the European Economic Area;

1.1.6 “EU Data Protection Legislation” – EU Directive 95/46/EC as transposed into the domestic laws of each Member State and as amended, replaced or repealed, including the GDPR and any laws implementing or supplementing the GDPR;

1.1.7 “GDPR” – EU General Data Protection Regulation 2016/679;

1.1.8 “Data Transfer” – means:

1.1.8.1 the transfer of the Company’s personal data from the Company to the Processor; or

1.1.8.2 further transfer of the Company’s personal data from the Processor to a Sub-processor, or between the Processor and its affiliates;

1.1.9 “Services” – services provided by the Processor, more fully described in the Agreement.

1.2 Terms “Commission”, “data controller”, “data subject”, “Member State”, “personal data”, “personal data breach”, “processing” and “supervisory authority” have the same meaning as in the GDPR.

  1. Processing of the Company’s Personal Data

2.1 The Processor shall:

2.1.1 in processing the Company’s personal data, comply with all applicable Data Protection Laws; and

2.1.2 not process the Company’s personal data other than on the Company’s documented instructions.

2.2 The Company entrusts the Processor to process the Company’s Personal Data. The processed Personal Data are described in Annex II of this DPA.

  1. Processor’s Personnel

The Processor shall take reasonable measures to ensure the reliability of any employee, agent, or contractor of the Processor mentioned in the Agreement who may have access to the Company’s Personal Data, in each case ensuring that access is strictly limited to those individuals who need to know and/or have access to the relevant Company’s Personal Data, as necessary for the purpose of the Agreement, and to comply with Applicable Laws, ensuring that all such individuals are subject to confidentiality commitments or professional or statutory confidentiality obligations.

  1. Security

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk for the Company’s Personal Data. In assessing the appropriate level of security, the Data Processor shall primarily consider the risks that are presented by processing, particularly from a Personal Data breach.

  1. Sub-processors

5.1 Data Sub-processors engaged by the Data Processor are disclosed in Annex I of this DPA. The Data Processor undertakes to ensure that they comply with the terms of this DPA.

  1. Data Subject Rights

6.1 In view of the nature of the processing, the Processor assists the Company in fulfilling its obligations to respond to requests to exercise data subject rights under the Data Protection Laws.

6.2 The Data Processor shall:

6.2.1 immediately inform the Company if it receives a request from a data subject; and

6.2.2 ensure that it does not respond to such a request except on the documented instructions of the Company or as required by Applicable Laws that apply to the Processor. In such a case, the Processor, to the extent permitted, informs the Client about such a requirement.

  1. Personal Data Breach

7.1 Upon becoming aware of a Personal Data breach affecting the Company’s Personal Data, the Processor shall without undue delay notify the Company and provide the Company with sufficient information to enable the Company to meet any obligations to report or inform Data Subjects of the Personal Data breach under the Data Protection Laws.

7.2 The Processor shall cooperate with the Company and take reasonable steps as directed by the Company to assist in the investigation, mitigation, and remediation of each such Personal Data breach.

  1. Data Protection Impact Assessment and Consultations

8.1 The Data Processor provides reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Company reasonably considers to be required under Articles 35 or 36 of the GDPR.

  1. Deletion or Return of Company’s Personal Data

9.1 The Processor undertakes to delete all copies of the Company’s personal data within 30 days of the termination of the Agreement.

  1. Audit Rights

10.1 Subject to this Section 10, the Processor shall, upon the Company’s request, provide the Company with all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Company or another auditor mandated by the Company concerning the processing of the Company’s personal data. The Company agrees to bear the costs for such audit.

  1. Data Transfer

11.1 Without prior written consent of the Company, the Data Processor shall not transfer or authorize the transfer of Data to countries outside of the EU and the EEA.

11.2 Where Personal Data processed under this DPA is transferred to a non-EEA country, the Processor ensures that the Personal Data are adequately protected. To achieve this, the Parties, unless otherwise agreed, rely on EU-approved standard contractual clauses for the transfer of personal data, or other transfer mechanisms specified in the GDPR.

  1. Other Terms

12.1 Confidentiality. Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA (“Confidential Information”) confidential and may not use or disclose this Confidential Information without the prior written consent of the other Party, except where:

(a) disclosure is required by law;

(b) the relevant information is already publicly available;

(c) disclosure is made to the Data Processor’s affiliates and Sub-processors.

12.2 Notices. All notices and communications given under this DPA must be in writing and sent to the email address specified in the Agreement.

  1. Applicable Law and Jurisdiction

13.1 This DPA is governed by the laws of the Republic of Lithuania.

13.2 Any dispute arising under this DPA, which the Parties are unable to resolve amicably, shall be submitted to the exclusive jurisdiction of the courts of the Republic of Lithuania.

Schedule I to the DPA

Subprocessor Location Provided service
LearnWorlds (CY) Ltd Cyprus Provision of learning management system
Geekbot LTD, SK HOUSE Cyprus Provision of SaaS providing the possibility to deploy the Services via chatbot

Schedule II to the DPA

Data subjects Processed personal data Retention period Processing operations
  • Company’s employees and representatives;
  • Company’s consultants/contractors.
Name, surname, email, Service usage data. During the provision of the Services and 30 days after the end of the Agreement. The personal data transferred will be processed in accordance with the

Agreement and may be subject to the following processing

activities:

  • storage and other processing necessary to provide, maintain, and update the
  • Provision of the Services provided to the Client;
  • Provision of customer support and technical support to the Client;
  • Provision of billing and payment services and in respect of tax-related legislation; and
  • disclosures in accordance with the Agreement, as compelled by law.
2024 Cyber Upgrade. All Rights Reserved.