Data Processing Addendum
Last updated: January 2024
Preamble
This DPA supplements and forms part of the terms and conditions between the Customer and the Provider (the "Agreement"). Terms of the Agreement remain in effect except as modified below. In any conflict, the DPA prevails. It is effective as of the Agreement's Effective Date and lasts until termination or the last processing of Customer Personal Data under the Agreement.
1. Definitions
- "Customer Personal Data" means Personal Data processed by the Provider as Processor on behalf of the Customer under the Agreement.
- "Controller," "Processor," "Data Subject," "Personal Data," "Personal Data Breach," "Supervisory Authority," and "Processing" carry the meanings assigned under Data Protection Laws.
- "Data Protection Laws" refers to all laws of Portugal, the EU, and applicable local jurisdictions, including GDPR and related privacy laws as amended.
- "Sub-Processor" means another Processor engaged by the Provider for processing Customer Personal Data.
2. Data Processing Details and Compliance
2.1 The parties acknowledge the Provider acts as Processor and the Customer as Controller. Each party must comply with Data Protection Laws regarding Customer Personal Data.
2.2 Processing details are as follows:
- (a) Subject Matter, Nature, and Purpose: Provision of the Provider's Services, specifically granting the Customer access to the Provider's customer service platform.
- (b) Duration: Processing lasts for the Agreement term consistent with the Provider's retention obligations. Data shall not be Processed for longer than is necessary for the purpose for which it was collected.
- (c) Personal Data in Scope: Names, communication details (email, etc.), contact details, job role, login data, profile image, technical details (device info, IP addresses, cookies), and customer service-related data (account info, orders, subscriptions, chat and email messages).
- (d) Category of Data Subjects: The Customer's end customers; Customer personnel (employees, contractors); and Customer associated parties.
3. Data Processing Instructions
3.1 The Provider processes Customer Personal Data only on the Customer's written instructions (including as set out in the Agreement) unless required otherwise by Portuguese or EU law. The Provider is instructed to process data for providing the Services. If required by applicable law to process otherwise, and to the extent permitted, the Provider must notify the Customer in writing beforehand.
3.2 The Provider must promptly inform the Customer if it believes a Customer instruction infringes Data Protection Laws.
4. Provider Personnel and Sub-Processors
4.1 All Provider personnel authorized to process Customer Personal Data must be bound by written contractual or statutory confidentiality obligations.
4.2 The Customer authorizes the Provider to engage Sub-Processors including those listed at nikatime.com/subprocessors ("Sub-Processor List") and those engaged per Clause 4.3.
4.3 Before engaging any additional Sub-Processor, the Provider must notify the Customer and provide relevant information, giving the Customer an opportunity to object. If no reasonable objection is made within 14 days of notice, authorization is deemed granted. The Provider must keep the Sub-Processor List updated.
4.4 If the Customer raises a reasonable objection, the Provider may either: (a) use reasonable efforts to remedy the situation; or (b) propose an alternative Sub-Processor. If neither is possible, the Provider shall be entitled to terminate the Agreement without penalty or liability effective immediately on written notice, and the Customer must pay fees for Services performed before termination.
4.5 Before permitting any Sub-Processor to handle Customer Personal Data, the Provider must have a written agreement with that Sub-Processor imposing obligations substantially equivalent to the obligations imposed on the Provider as a Processor. The Provider remains fully liable for the Sub-Processor's performance regarding Customer Personal Data.
5. Transfers
5.1 The Provider shall not transfer Customer Personal Data to any party in a country not deemed adequate by the European Commission or the Portuguese DPA (CNPD), including granting access from such countries, without prior written consent, unless: (a) the transfer/access is to an approved Sub-Processor; and (b) the transfer complies with Data Protection Laws, including appropriate safeguards.
6. Security and Personal Data Breach Notification
6.1 The Provider must implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risks of processing, particularly risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
6.2 The Provider must notify the Customer without undue delay upon becoming aware of a Personal Data Breach and provide details as required under Data Protection Laws.
7. Assistance
7.1 To the extent related to its processing of Customer Personal Data, the Provider must promptly provide reasonable assistance:
- (a) in complying with Data Subject rights requests;
- (b) to enable the Customer to conduct data protection impact assessments and consultations with (or notifications to) a relevant Supervisory Authority; and
- (c) in complying with obligations to implement and maintain security measures.
8. Deletion or Return of Data
8.1 At the Customer's choice, the Provider shall delete or return all Customer Personal Data once processing is no longer required for the Agreement, and delete all existing copies unless applicable law requires storage.
9. Information Requests and Audits
9.1 Upon the Customer's request, the Provider must make available all information necessary to demonstrate compliance with its obligations. The Provider shall allow audits (including inspections) by the Customer or its designated auditor on reasonable prior written notice.