DATA PROCESSING AGREEMENT
Effective date: October 15, 2024
This Data Processing Agreement (the “Agreement”) is incorporated into and forms part of the Terms of Use. Capitalized terms used but not defined in this Agreement shall have the meanings ascribed to them in the Terms of Use.
This Agreement is entered into by and between the Client and Euphoric.ai.
This Agreement applies only to the extent that Euphoric.ai processes Personal Data on behalf of the Client in the course of providing Euphoric.ai’s services, and where such Personal Data (as defined below) is subject to Applicable Data Protection Laws (as defined below) of the relevant jurisdiction, including the European Union, the European Economic Area and/or its member states, Switzerland, and/or the United Kingdom. The parties agree to comply with the terms and conditions of this Agreement in connection with such Personal Data.
DEFINITIONS
Unless defined in the Terms of Use, all capitalized terms used in this Agreement shall have the meanings given them below:
1.1. Applicable Data Protection Law means any applicable privacy and data protection laws and regulations. With respect to Personal Data from Europe, “Applicable Data Protection Law” shall include, but not be limited to, the General Data Protection Regulation (Regulation (EU) 2016/679) and the laws and binding regulations of the European Union, the European Economic Area (“EEA”) and/or their member states, and/or Switzerland and/or the United Kingdom, applicable to the Processing of Personal Data under this Agreement. “Applicable Data Protection Law” excludes (a) laws requiring the localisation of Personal Data and (b) laws specific to Client or Client’s industry that are not generally applicable to Euphoric.ai as Processor.
1.2. Controller means the entity which determines the purposes and means of the Processing of Personal Data.
1.3. Data Subject means an individual who is the subject of Personal Data.
1.4. Party means any of Client or Euphoric.ai, and “Parties” means Client and Euphoric.ai.
1.5. Personnel means any employee, agent, contractor, work-for-hire or any other person working under the direct authority of Euphoric.ai.
1.6. Processor has the meaning given in Applicable Data Protection Law.
1.7. Terms of Use means the agreement between Client and Euphoric.ai for the provision of the Services.
1.8. Services means the services described in the Terms of Use.
1.9. Service Data means electronic data, text, messages, communications or other materials processed within the scope of the Services, including without limitation, Personal Data.
1.10. Standard Contractual Clauses means Commission Implementing Decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to processors established in third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
1.11. Sub-processor means any third party processor engaged by Euphoric.ai to assist in fulfilling its obligations with respect to providing the Services pursuant to the Terms of Use or this Agreement in accordance with Client’s instructions and the terms of its written subcontract.
1.12. Third Party Services means third-party products, applications, services, software, networks, systems, directories, websites, databases that are connected to or integrated with the Services.
1.13. The terms “Personal Data”, “Processing”, “Process”, “Supervisory Authority”, “Personal Data Breach” shall have the meanings set out in the Applicable Data Protection Law even if such terms are not capitalized in this Agreement.
PURPOSE
2.1. Client and Euphoric.ai have entered the Terms of Use pursuant to which Euphoric.ai provides Client with the Services.
2.2. The Parties are entering into this Agreement to ensure that the Processing by Euphoric.ai of Personal Data within the Services is done in a manner compliant with Applicable Data Protection Law and its requirements regarding the collection, use and retention of Personal Data of Data Subjects.
OWNERSHIP OF SERVICE DATA
3.1. All Service Data Processed under the terms of this Agreement and the Terms of Use shall remain the property of Client. Under no circumstances will Euphoric.ai act, or be deemed to act, as a “controller” (or equivalent concept) of the Service Data Processed within the Services under any Applicable Data Protection Law.
OBLIGATIONS OF EUPHORIC.AI
4.1. The Parties agree that the subject-matter and duration of the Processing performed by Euphoric.ai under this Agreement, including the nature and purpose of the Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Annex I to the Standard Contractual Clauses and in the Terms of Use.
4.2. As part of Euphoric.ai providing the Services to Client under the Terms of Use, Euphoric.ai agrees and declares as follows:
(i) to process Personal Data in accordance with Client's documented instructions as set out in the Service Agreement and this Agreement, or as otherwise necessary to provide the Services, including with regard to transfers of Personal Data to a third country or an international organisation in accordance with Article 28(3)(a) of the GDPR, except where required otherwise by applicable laws (and provided such laws do not conflict with Applicable Data Protection Law); in such case, Euphoric.ai shall inform Client of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws);
(ii) to ensure that all Personnel of Euphoric.ai are fully aware of their responsibilities to protect Personal Data in accordance with this Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(iii) to implement and maintain appropriate technical and organizational measures to protect Personal Data against Personal Data Breach, provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected;
(iv) to notify Client without undue delay, but no later than 48 hours, in the event of a confirmed Personal Data Breach affecting Client’s Service Data and to cooperate with Client as necessary to mitigate or remediate the Personal Data Breach;
(v) taking into account the nature of the Processing, to assist Client (including by appropriate technical and organizational measures), insofar as it is commercially reasonable, to fulfill Client’s obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (a “Data Subject Request”). In the event Euphoric.ai receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to Client in the first instance. However, in the event Client is unable to address the Data Subject Request, taking into account the nature of the Processing and the information available to Client, Euphoric.ai shall, on Client’s request and at Client’s reasonable expense, address the Data Subject Request as required under the Applicable Data Protection Law;
(vi) upon request, to provide Client with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to Euphoric.ai, to help Client to conduct any data protection impact assessment or Supervisory Authority consultation it is required to conduct under Applicable Data Protection Law;
(vii) upon termination of the Terms of Use, to comply with the requirements of Section 9 (Return and Destruction of Personal Data);
(viii) to comply with the requirements of Section 6 (Audit) in order to make available to Client information that demonstrates Euphoric.ai’s compliance with this Agreement;
(ix) to appoint a data protection officer who will act as a point of contact for Client, and coordinate and control compliance with this Agreement, including the measures detailed in Annex II.
4.3. Euphoric.ai shall immediately inform Client if, in its opinion, Client’s Processing instructions infringe any law or regulation. In such event Euphoric.ai is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.
SUB-PROCESSORS AND THIRD PARTY SERVICES
5.1. Client hereby confirms its general written authorisation for Euphoric.ai’s use of the Sub-processors listed at https://euphoric.ai/sub-processors (“Sub-Processor List”) in accordance with Article 28 of the GDPR and equivalent requirements in other Applicable Data Protection Law to assist Euphoric.ai in providing the Service and processing Personal Data, provided that such Sub-processors:
(i) agree to act only on Euphoric.ai's instructions when processing the Personal Data, which instructions shall be consistent with Client's processing instructions to Euphoric.ai;
(ii) agree to protect the Personal Data to a standard consistent with the requirements of this Agreement, including implementing and maintaining appropriate technical and organisational measures to protect the Personal Data they process consistent with the Security Standards described in Annex III to this Agreement, as applicable.
5.2. Euphoric.ai shall remain liable to Client for the subcontracted processing services of any of its Sub-processors under this Agreement. Euphoric.ai shall update the Sub-processor List on its Website with any Sub-Processor to be appointed at least thirty (30) days prior to such change. Client may sign up to receive email notification of any such changes on Euphoric.ai’s Website.
5.3. In the event that Client objects to the processing of its Personal Data by any proposed Sub-processor as described in Section 5.2 on reasonable grounds relating to data protection, it shall inform Euphoric.ai in writing by emailing [email protected] within thirty (30) days following the update of the Sub-processor List above. In such event, the Parties shall negotiate in good faith a solution to Euphoric.ai’s objection. If the Parties cannot reach resolution within sixty (60) days of Euphoric.ai’s receipt of Client’s objection, Euphoric.ai will either (a) instruct the Sub-processor to not process Client's Personal Data, in which event this Agreement shall continue unaffected, or (b) allow Client to terminate this Agreement and any related services agreement with Euphoric.ai immediately and provide it with a pro-rata reimbursement of any sums paid in advance for Services to be provided, but not yet received by Client as of the effective date of termination.
5.4. The Services provide links to integrations with Third Party Services, including, without limitation, certain Third Party Services which may be integrated directly into Client’s account or instance in the Services. If Client elects to enable, access, or use such Third Party Services, its access and use of such Third Party Services is governed solely by the terms and conditions and privacy policies of such Third Party Services, and Euphoric.ai does not endorse and is not responsible or liable for, and makes no representations as to any aspect of such Third Party Services, including, without limitation, their content or the manner in which they handle Service Data (including Personal Data) or any interaction between Client and the provider of such Third Party Services. The providers of Third Party Services shall not be deemed Sub-processors for any purpose under this Agreement.
AUDIT
Client may request to conduct an audit of Euphoric.ai under Applicable Data Protection Law (“Data Protection Audit”) upon at least thirty (30) days’ advance written notice to [email protected]. Such Data Protection Audit shall be conducted no more than once during any twelve-month period and shall be conducted during normal business hours with reasonable duration, and not to interfere with Euphoric.ai’s operations. Client may conduct such Data Protection Audit or may use an independent, accredited third-party audit provider subject to an appropriate duty of confidentiality with Euphoric.ai. Client acknowledges that Euphoric.ai operates in a multi-tenant cloud environment, and any on-site Data Protection Audit will be limited to Euphoric.ai’s headquarters or a mutually agreed-upon regional office. No Data Protection Audit shall involve access to any data relating to any other Euphoric.ai client or to systems or facilities not involved in the processing of Personal Data for Client, and in no event shall a Data Protection Audit cause Euphoric.ai to violate its confidentiality obligations to any third party. Client shall be responsible for all costs and expenses relating to a Data Protection Audit conducted under this Section 6, including for any time Euphoric.ai expends on such audit at Euphoric.ai’s then-current professional services rates. Any report generated in connection with such a Data Protection Audit shall be considered Euphoric.ai’s Confidential Information and shall be promptly provided to Euphoric.ai. In the event of a conflict between the audit terms in this Section 6 and the audit terms in the EU SCCs and/or UK Addendum, the audit terms in the EU SCCs and/or UK Addendum shall control. Nothing in this Section 6 modifies or affects any supervisory authority’s rights under the EU SCCs and/or UK Addendum.
INTERNATIONAL DATA EXPORTS
7.1. Client acknowledges that Euphoric.ai and its Sub-processors may maintain data processing operations in countries that are outside of the European Union and/or the EEA and/or their member states and/or Switzerland and/or the United Kingdom. If Euphoric.ai processes Personal Data in a country that has not received an adequacy decision from the European Commission or Swiss or UK authorities, as applicable, such transfer shall take place on the basis of the EU SCCs and/or UK Addendum, as applicable.
7.2. EU SCCs
Where Euphoric.ai processes Personal Data that is subject to the GDPR in a country that has not received an adequacy decision from the EU Commission, the Parties hereby incorporate the EU SCCs by reference.
Where the EU SCCs apply, they will be deemed completed as follows:
(i) Module 2 (Controller to Processor) will apply where Client is a controller of Service Data and Euphoric.ai is a processor of Service Data; Module 3 (Processor to Processor) will apply where Client is a processor of Service Data and Euphoric.ai is a processor of Service Data.
(ii) in Clause 7, the optional docking clause will not apply;
(iii) in Clause 9(a), Option 2 “General Written Authorisation” will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 5 of this Agreement;
(iv) in Clause 11, the optional language will not apply;
(v) in Clause 17, Option 1 will apply and will be governed by the laws provided in the Terms of Use. If the Terms of Use is not governed by an EEA member state law, then the laws of Ireland shall govern;
(vi) in Clause 18(b), disputes shall be resolved before the courts provided in the Terms of Use. If the Terms of Use does not provide courts in an EEA Member State, the parties agree to the courts of Dublin;
(vii) Annex I.A and I.B and Annex II of the EU SCCs shall be deemed completed with the information set out in Annex I and Annex II to this Agreement; and
(viii) in Annex I.C of the EU SCCs, where the data exporter is established in the EEA, the competent Supervisory Authority shall be the Supervisory Authority with responsibility for ensuring compliance by the data exporter with the GDPR as regards the data transfer. Where the data exporter is not established in the EEA, but is within the territorial scope of application of the GDPR in accordance with Article 3(2) and has appointed a representative pursuant to Article 27(1), the competent Supervisory Authority shall be that of the member state in which the representative within the meaning of Article 27(1) is established. If the data exporter is not established in the EEA, but falls within the territorial scope of application of the GDPR without having to appoint a representative pursuant to Article 27(2), the Supervisory Authority of Ireland shall act as the competent Supervisory Authority.
Nothing in the interpretations in this Section 7.2 is intended to conflict with either Party's rights or responsibilities under the EU SCCs and, in the event of any such conflict, the EU SCCs shall prevail.
7.3. UK Addendum
When Euphoric.ai processes Personal Data subject to UK Data Protection Law in a country that has not received an adequacy decision from the UK authorities, the Parties hereby incorporate the UK Addendum for Personal Data subject to UK Data Protection Law by this reference. Where the UK Addendum applies, it will be deemed completed as follows:
(i) Table 1 shall be deemed completed with the information set out in Annex I of this Agreement, the contents of which are hereby agreed by the Parties;
(ii) Table 2, the Parties select the checkbox that reads: “Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum”, and the accompanying table shall be deemed completed according to the Parties’ preferences outlined in Section 7.2 above;
(iii) Table 3 shall be deemed completed with the information set out in Annex I and Annex II and Section 5 of this Agreement; and
(iv) Table 4, the Parties agree that neither Party may terminate the UK Addendum as set out in Section 19.
7.4. Switzerland under EU SCCs
Where Euphoric.ai processes Personal Data subject to FADP in a country that has not received an adequacy decision from Swiss authorities, the Parties hereby incorporate the EU SCCs (for Personal Data subject to FADP) by this reference. To the extent Personal Data transfers are subject to FADP, the EU SCCs shall be deemed completed with the information set forth in Section 7.2 above, as appropriate, and the following shall apply:
The term “member state”, as used in the EU SCCs, shall not be interpreted to limit data subjects in Switzerland from being able to sue for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs. Until the revised FADP comes into effect (the version enacted on 25 September 2020, as amended), the EU SCCs shall also protect the data of legal entities. For the purposes of Annex I.C of the EU SCCs, where Client is the data exporter and the Personal Data transferred is exclusively subject to FADP, the Swiss Federal Data Protection and Information Commissioner (the “FDPIC”) shall be the competent Supervisory Authority. Where the Personal Data transferred is subject to both the FADP and the GDPR: (i) parallel supervision should apply; or (ii) for the (revised) FADP, the FDPIC shall be the competent Supervisory Authority insofar as the transfer is governed by the (revised) FADP and, for the GDPR, the competent Supervisory Authority is as determined in Section 7.2 (viii). References to the GDPR should be understood as references to the FADP and, once effective, the (revised) FADP, insofar as Personal Data transfers are subject to the FADP or (revised) FADP.
OBLIGATIONS OF CLIENT
As part of receiving the Services under the Terms of Use, Client agrees to comply with its obligations under Applicable Data Protection Law.
RETURN AND DESTRUCTION OF PERSONAL DATA
Upon termination of the Services, Euphoric.ai will, for up to thirty (30) calendar days following such termination, permit Client to export its Service Data at its own expense. After this period, Euphoric.ai shall delete all Service Data stored or processed on behalf of Client.
DURATION
The duration of the Processing covered by this Agreement shall correspond to the period during which Client utilizes the Services.
LIMITATION ON LIABILITY
This Agreement shall be subject to the limitations of liability agreed between the Parties set forth in the Terms of Use, and any reference to the liability of a Party means that Party and its Affiliates in the aggregate. For the avoidance of doubt, Client acknowledges and agrees that Euphoric.ai’s total liability for all claims from Client or its Affiliates arising out of or related to this Agreement and the Terms of Use shall apply in aggregate for all claims under both the Terms of Use and this Agreement. This section shall not be construed as limiting the liability of either Party with respect to claims brought by data subjects or under Clause 12 of the EU SCCs and/or the UK Addendum.
MISCELLANEOUS
Periodically, Euphoric.ai may make revisions to this Agreement. Unless expressly stated by Euphoric.ai, these changes will take effect for Client upon (i) Client’s continued use of the Services, or (ii) 30 days from posting of such modified Agreement on or through the Website. Euphoric.ai will make reasonable efforts to notify Client of these changes through various means. Each Party’s rights and obligations concerning assignment and delegation under this Agreement shall be as described in the Terms of Use. Subject to the foregoing restrictions, this Agreement will be fully binding upon, inure to the benefit of and be enforceable by the Parties and their respective successors and assigns. This Agreement and the Terms of Use constitute the entire understanding between the Parties with respect to the subject matter herein, and shall supersede any other arrangements, negotiations or discussions between the Parties relating to that subject matter.
GOVERNING LAW AND JURISDICTION
This Agreement shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Terms of Use, unless required otherwise by Applicable Data Protection Law. Notices under this Agreement should be sent in accordance with the notice provisions in the Terms of Use.
ANNEX I
A. LIST OF PARTIES
Data exporter:
Name: As specified in the Account
Address: As specified in the Account
Role: Controller or Processor
Data importer:
Name: SupportYourApp, Inc.
Address: 1007 North Orange Street, 4th Floor, Suite 122, Wilmington, DE 19801, USA
Contact person’s name, position and contact details: [email protected]
Role: Processor
B. DESCRIPTION OF PROCESSING
Categories of data subjects
Client may, at its sole discretion, submit Personal Data to the Services, which may include, but is not limited to, the following categories of data subjects: employees (including contractors and temporary employees), customers, end-users, service providers, business partners, and vendors (all of whom are natural persons), as well as any natural persons authorized by Client to use the Services.
Categories of Personal Data
Client may, at its sole discretion, transfer Personal Data to the Services, which may include, but is not limited to, the following categories of Personal Data: first and last name, email address, telephone number, addresses (business or personal), date of birth, communications (telephone recordings, voicemail), IP addresses, order information, and any personal data submitted by Client’s customers and end-users.
Special Categories of Personal Data (if applicable)
Sensitive Data may, from time to time, be included in processing via the Services where Client or its customers and end-users choose to include Special Categories of Personal Data (as defined below) within the Services. Client is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting Client's customers and end-users to transmit or process any Special Categories of Personal Data via the Services. “Special Categories of Personal Data” shall have the same meaning as special categories of personal data in Article 9 of the GDPR and be inclusive of similar concepts under Applicable Data Protection Law.
Retention
Euphoric.ai will process and retain Personal Data in accordance with the Section 9 (Return and Destruction of Personal Data) of this Agreement.
Nature and Purpose(s) of the Processing
The data importer will process personal data solely to fulfill its purposes under the Terms of Use executed between the data importer and data exporter, including processing personal data: (i) to provide the service in accordance with the Terms of Use; (ii) to perform any steps necessary for the performance of the Terms of Use; (iii) to perform any processing activity initiated by data exporter in its use of the services; and (iv) to comply with other reasonable instructions provided by data exporter that are consistent with the terms of the Terms of Use.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Euphoric.ai reserves the right to update its technical and organisational measures from time to time without prior notification to Client; provided that any updates do not materially reduce the overall protections set forth in this Annex.
1. Physical Controls
Controls related to the physical environment, such as ID badges, biometric door access to the office/space, cypher/key locks to the doors or cabinets/safes, visual controls of the information access (via windows or screen):
- Closed-Circuit Television (CCTV) and Security Access Cameras;
- Biometric Access Control System;
- Fire Suppression Systems;
- Heating, ventilation, and air conditioning (HVAC) and Humidity Controls;
- Physical Security Areas and Zones Controls.
2. Logical Controls
Controls are defined as restricting virtual access to data; they consist of identification, authentication, and authorization protocols utilized worldwide to protect data from unauthorized access, including password programs, smart cards, or tokens to identify and screen users and access levels:
- Data Encryption in transit and at rest;
- Role Based Access Control (RBAC);
- Firewall, IDS/IPS;
- Anti-virus and Anti-malware protection;
- Database Monitoring and Management system;
- Log Management;
- Regular Backups.
3. Technical/Operational Controls
Controls related to the technical and operational processes and procedures:
- Change and Configuration Management Process;
- Vulnerability and Patch Management Process;
- Security Awareness and Training Process;
- Secure Software Development;
- Continuous Improvement Process.
4. Administrative/Management Controls
Controls related to administration and management processes, procedures, and principles:
- Security and Compliance Policies;
- ISO 27001 certification;
- Compliance Assessment Process;
- Firewall Change Management Process;
- Internal Audit Process;
- Incident Response Plan;
- Business Continuity and Disaster Recovery Plan;
- Regular Access Rights Review Process.
ANNEX III
SUB-PROCESSORS SECURITY STANDARDS
As of the Effective Date of this Agreement, Euphoric.ai’s Sub-processors, when processing Service Data on behalf of Client in connection with the Services, shall implement and maintain the following technical and organizational security measures for the processing of such Service Data (the “Services Security Standards”):
- Physical Access Controls: Sub-processors will take reasonable measures, such as employing security personnel and securing buildings, to prevent unauthorized persons from gaining physical access to Service Data.
- System Access Controls: Sub-processors will take reasonable measures to prevent the use of Service Data without authorization. These controls shall vary based on the nature of the processing and may include, among other measures, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and logging of access at multiple levels. This also includes, but is not limited to, Role Based Access Control applied according to the need-to-know security principle.
- Data Access Controls: Sub-processors will take reasonable measures to ensure that Service Data is accessible and manageable only by properly authorized staff. Direct database query access will be restricted, and application access rights will be established and enforced to ensure that only persons entitled to access specific Service Data have such access. Service Data shall not be read, copied, modified, or removed without authorization during processing. Euphoric.ai will implement and maintain an access policy under which access to its system environment, data processing systems, Service Data, and other data is restricted to authorized personnel only.
- Transmission Controls: Sub-processors will take reasonable measures to ensure that it is possible to verify and establish which entities are authorized to receive Service Data during transmission so that Service Data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport.
- Input Controls: Sub-processors will take reasonable measures to ensure that it is possible to verify and establish whether and by whom Service Data has been entered into, modified, or removed from data processing systems. Additionally, any transfer of Service Data to a third-party service provider will be conducted via secure transmission.
- Data Protection: Sub-processors will take reasonable measures to ensure that Service Data is secured to protect against accidental destruction or loss. Sub-processors will ensure that, when hosted by a Sub-processor, backups are completed regularly, secured, and encrypted to ensure that Service Data is protected. Sub-processors will implement and maintain a managed security program to identify risks and deploy preventative technologies and processes to mitigate common attacks.
- Logical Separation: Sub-processors will logically segregate Service Data from the data of other parties on their systems to ensure that Service Data is processed separately.
- People Controls: Sub-processors will take reasonable measures to ensure that all staff who have access to the systems and data have signed an appropriate NDA and have passed the Sub-processor’s Security Awareness training.