Data Processing Agreement

1. Preamble

As part of the execution of the services described in the Terms of Use, the company skrapp.io (hereafter the “Processor”) is required to collect and process, on behalf of the customer (hereafter the “Data Controller”) of the Services and the Platform, professional data of people connected with such customer on professional network platforms (hereafter “Contacts”), which constitute personal data within the meaning of Article 4 of Regulation (EU) 2016/679 of 27 April 2016, known as the General Data Protection Regulation (hereafter the “Regulation”).

The purpose of these terms and conditions is to define the conditions under which the Processor, in its capacity as such, undertakes to carry out, on behalf of the Data Controller, the collection and processing operations of personal data which are the subject of the Services (the "Processing Agreement").

Skrapp.io will apply the Regulation to any and all data collected and processed for customers that are European or resident in the European Union. Data for other customers will be collected and processed in accordance with the terms of this Processing Agreement.

Within the framework of their contractual relations, the parties herein undertake to comply with the applicable regulations in force for the processing of personal data and, in particular, the Regulation for customers that are European or resident in the European Union.

The Processing Agreement may be amended in order to take into account subsequent changes in the applicable Regulations or other applicable legislative or regulatory provisions, which each of the parties acknowledges and accepts.

2. Description of the processing being subcontracted

Processor is authorized to process on behalf of Data Controller the personal data necessary to provide the Services and perform the operations as described in the Terms of Use, which include:

  • Give access to Data Controller.

  • Store

  • Backup and restore

  • Transfer to Data Controller

Data Controller indicates to Processor that the purposes of the processing are making available the Platform and providing the services related to it.

The personal data processed hereunder are the data of Contacts and include the full name, business email address, name of employer, business position and location data (the "Data").

3. Processor's obligations to Data Controller

Processor undertakes to comply with the following provisions:

3.1 - Processing of Data by Processor

  1. Process only Data for the aforementioned purposes.

  2. Process Data in accordance with the Terms of Use, which serve as instructions to the Processor. If Processor considers that an instruction constitutes a violation of the Regulation or any other provision of applicable laws or regulations, it undertakes to inform Data Controller immediately. Data Controller acknowledges and agrees that in such a case, Processor may, at its own discretion, suspend the execution of the disputed instructions as long as it considers that the instructions do not comply with the Regulation and/or other applicable laws or regulations.

  3. Ensure the confidentiality of Data processed hereunder.

  4. Ensure that persons authorized to process the Data hereunder are committed to confidentiality or are subject to an appropriate legal duty of confidentiality and receive the necessary training in the protection of personal data.

  5. Take into account the principles of data protection by design and data protection by default for its tools, products, applications or services.

3.2 - Transfer of Data outside the European Union

Data Controller hereby acknowledges and agrees that all or part of Data will be transferred to Processor, located outside the European Union.

In the event that Data Controllers are European or resident in the European Union:

  • Processor will apply the appropriate warranties as set forth in the Regulation and recommended by the European Commission.

  • The parties shall provide the data subject with a copy of these clauses upon request. To the extent necessary to protect business secrets or other confidential information, including the measures described in technical and organizational measures documentation, the parties may redact the text of said documentation prior to sharing a copy, but shall provide a meaningful summary where otherwise the data subject would not be able to understand the content of such documentation. This is notwithstanding the obligations of Data Controller under Articles 13 and 14 of the Regulation, in particular to inform the data subject about the transfer of special categories of data.

3.3 - Subsequent sub-contracting

Processor is authorized to use the company AWS located in Seattle, Washington, USA, for the hosting of the Data.

By accepting this Processing Agreement, Data Controller expressly authorizes Processor to recruit other subsequent subprocessors and/or to make any changes concerning the replacement of subsequent subcontractors, provided that it has previously informed Data Controller by any means deemed useful and in particular by notifying it by a general message on the Platform of the list of updated subcontractors. The list will contain the subcontracted processing activities, the identity and contact information of the subsequent subcontractors and, for the information of Data Controllers that are European or resident in the European Union, the possible existence of a transfer of the Data outside the European Union.

Data Controller acknowledges and agrees that Processor remains free to choose, at its own discretion and without any possible objection from Data Controller, any other subsequent subcontractor involved in the performance of services related to the Services, such as telecommunications services, messaging services, maintenance services for its online platform or its servers, data deletion services, and any providers used to enable it to implement the technical measures provided for in Appendix 1 hereof, including all measures to ensure the confidentiality, availability, integrity and resistance of hardware and software necessary for data processing systems. The list of the aforementioned subcontractors will be made available to Data Controller, under the conditions detailed above.

In addition, the Data may only be disclosed to a third party located outside the European Union (hereinafter “onward transfer”) if the third party is or agrees to be bound by terms substantially similar to those contained in this Processing Agreement or, alternatively, an onward transfer by the Processor may only take place if: (i) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of the Regulation with respect to the processing in question; (ii) the onward transfer is to a country benefiting from an adequacy decision pursuant to Article 45 of the Regulation that covers the onward transfer.

The subsequent subcontractor, whoever it may be, will be required to comply with the obligations of this Processing Agreement, on behalf of and in accordance with the instructions of Data Controller. Processor remains liable to ensure that the subsequent subcontractor provides the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing meets the requirements of this Processing Agreement and the Regulation. If the subsequent subcontractor fails to fulfil its data protection obligations, Processor remains fully liable to Data Controller for the performance by subcontractor of its obligations.

Nevertheless, Data Controller acknowledges and agrees that, in the event that it directly recruits a subcontractor, without the assistance of Processor, the latter will not be held liable in any way for the performance of its obligations by the said subcontractor. It is the sole responsibility of Data Controller to ensure that the subsequent subcontractor it has selected provides sufficient guarantees as to the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the applicable laws and regulations.

3.4 - Right to information of data subjects

Data is processed by Processor on the basis of the Data Controller’s legitimate business interests in offering its own products and/or services to Contacts. It is the responsibility of Data Controller to provide information to the people concerned by the processing operations, and in particular to Contacts, at any time deemed useful and at the latest, at the time the Data Controller enters into relation with Contacts.

Information mentions are given as examples below, it being understood that use of such mentions by the Data Controller is made at its own risk and liability:

“Your information is intended for me and is collected on the basis of my legitimate business interests in providing you with my products or services. In accordance with the GDPR, you have the right to access, correct and delete information about you. You may also, for legitimate reasons, object to the processing of the data concerning you. You can exercise these rights by contacting me, by return email at the address indicated ahead.”

3.5 - Exercise of the rights of the data subjects

To the extent possible, Processor will assist Data Controller in fulfilling its obligation to comply with requests to exercise the rights of data subjects, namely the right of access, rectification, erasure and objection, restriction of processing, portability of Data and not to be subject to an automated individual decision (including profiling).

Data Controller will notify Processor of such requests, in order to give effect to them accordingly. Processor shall promptly and properly deal with inquiries from Data Controller that relate to rights exercised by data subjects, to the extent possible.

3.6 - Notification of personal data breaches

In the event of a data breach, Processor undertakes to carry out all useful investigations into the breaches of the protection rules, in order to remedy them as soon as possible and/or to reduce as far as possible the impact of such breaches on the persons whose data has been collected.

Processor will notify Data Controller of any personal data breach within a maximum of 48 hours after becoming aware of it, by email. This notification will be accompanied by any useful documentation to enable Data Controller, if necessary, to notify the breach to the competent supervisory authority.

The notification must contain at least:

  1. a description of the nature of the data breach including, if possible, the categories and approximate number of people affected by the breach and the categories and approximate number of data records affected.

  2. the name and contact details of the data protection officer or another point of contact from whom further information can be obtained.

  3. a description of the likely consequences of the data breach.

  4. a description of the measures taken to remedy the data breach, including, where appropriate, measures to mitigate any negative consequences.

If, and to the extent that, it is not possible to provide all this information at the same time, the information may be provided in a staggered manner without undue delay.

3.7 - Exercise of the rights of the data subjects

Processor undertakes to implement all appropriate technical and organisational measures to protect the Data throughout the duration of the Terms of Use, in accordance with the state of knowledge, the costs of implementation and the nature, scope and purposes of the processing, as well as the risks that said processing represents for the rights and freedoms of individuals, in order to ensure an appropriate level of security.

In particular, Processor undertakes to take all appropriate measures to prevent any distortion, alteration, damage, accidental or unlawful destruction, loss, disclosure and/or unauthorized access by a third party.

In this context, Processor undertakes to take the following measures:

  • Confidentiality (Article 32(1) letter b GDPR)

    • Authorized persons can only access the data for which they have been granted access

    • Use of continuously updated antivirus protection software

    • Protecting email exchanges from viruses and spam (central antivirus protection and spam filtering system)

    • Firewall systems

    • Password protection (composed of twelve characters, which must be changed every six months)

  • Integrity (Article 32(1) letter b GDPR)

    • Transfer control

      • TLS-secured encryption

      • Laptops are audited for security by a company engineer to detect any possible security flaw

    • Input control

      • It is possible to determine at a later date whether the data controller’s reference Data has been entered, modified or deleted from the data processing systems.

  • Availability and Capacity (Article 32(1) letter b, c GDPR)

    • Personal data is continuously available and protected from any risk of accidental destruction or loss, by means of a permanent backup.

    • Concept of data backup (daily backup), backup storage methods (secure, separate, fireproof compartments).

    • Specially protected sections of the data center (structural separation, separate access control systems, fire protection walls in all areas of the data center).

    • Fire protection systems at headquarters and on-site.

  • Regular review, analysis and evaluation procedures (Article 32(1)(d) GDPR, Article 25(1) GDPR)

    • Employees are informed of data protection requirements through internal rules on the use of computerized data.

In the event of a change in the technical measures put in place to ensure the security and confidentiality of the Data, Processor undertakes to replace them with measures that do not entail a reduction in the security level and to inform Data Controller as soon as possible, by any means deemed useful.

Processor undertakes to maintain these means throughout the performance of the Terms of Use and, failing that, to inform Data Controller immediately.

3.8 - Instructions

Processor acknowledges and agrees that it cannot, on its own initiative, correct, delete, or restrict the processing of Data within the framework of the services. It can only act on instructions from Data Controller. In the event that a person contacts Processor to exercise the aforementioned rights, Processor undertakes to forward the request to Data Controller without undue delay.

Processor undertakes not to make any copies or duplicates of the Data without first informing Data Controller. This does not apply to copies deemed necessary for the performance of the services and to ensure proper processing of the Data.

At the end of the services rendered in relation to the processing of the Data or at the express request of Data Controller, Processor undertakes to return the Data, in its entirety as well as all copies of said Data, or to destroy them, on the instructions of Data Controller. The deletion register is made available to Data Controller, on request.

Data Controller acknowledges and accepts that Data for which Processor has a legal obligation to retain is exempt from the obligation to destroy and return. This is notwithstanding any requirements under local law applicable to Processor prohibiting return or destruction of the Data. In that case, Processor warrants that it will guarantee, to the extent possible, the level of protection required by this Processing Agreement and will only process it to the extent and for as long as required under that local law.

3.9 - Contact

For any question relating to processing of Data, Data Controller shall send its requests to: support@skrapp.io.

3.10 - Register of processing activity categories

Processor declares to keep a written record of all categories of processing activities carried out on behalf of Data Controller, including:

  1. the name and contact details of Data Controller on whose behalf it is acting, of any sub-processors and if applicable, of the data protection officer.

  2. the categories of processing performed on behalf of Data Controller.

  3. where applicable, transfers of Data to a third country or to an international organization, including the identification of that third country or international organization and, in the case of transfers covered by Article 49, paragraph 1, second paragraph of the Regulation, documents attesting to the existence of appropriate safeguards.

  4. to the extent possible, a general description of technical and organizational security measures, including, inter alia, as appropriate:

    • Pseudonymization and encryption of Data.

    • Means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services.

    • Means to restore the availability and access to the Data within an appropriate timeframe in the event of a physical or technical incident.

    • A procedure to regularly test, analyze and evaluate the effectiveness of technical and organizational measures to ensure the security of processing.

4 - Obligations of Data Controller to Processor

Data Controller undertakes to:

  • Provide the following information to Processor to enable it to establish its register of processing operations:

    • The name and contact details of Data Controller.

    • The contact details of its data protection officer or other person in charge of matters relating to processing of personal data, if applicable.

  • Provide Processor with the Data necessary to perform the Services.

  • Document in writing any instructions regarding the data processing by Processor, it being understood that the parties agree that the Processing Agreement constitutes such written instructions.

  • Ensure, before and for the duration of the processing, that it complies with the Regulation where Data Controller is European or resident in the European Union, or with local specific laws and/or regulations for other Data Controllers.

  • Supervise the processing.

5 - Cooperation in case of control

In the event of a control by a competent authority, the parties undertake to cooperate with each other and with the controlling authority.

In the event that the control relates only to the processing carried out by Skrapp.io as a data controller, Skrapp.io will be responsible for the control and shall refrain from communicating or referring to Data of Data Controller.

In the event that the control relates to the processing carried out by Processor, in the name and on behalf of Data Controller, Processor shall inform Data Controller immediately and shall not make any commitment on its behalf.

In the event of an inspection by a competent authority at the premises of Data Controller, particularly in relation to the services provided by Processor, the latter undertakes to cooperate with the Data Controller and to provide it with any information it may require, or which may be necessary.