Please read before access or use of Doohlabs’s software, services and Cloud based services and products installed or via hosted online web services (Services) that the Customer is attempting to access or use or is provided with Doohlabs’s products.
This Data Processing Agreement (Processing Agreement) creates the legal framework, between the Customer as the data controller and Doohlabs as the data processor, for processing of personal data in a manner compliant with EU General Data Protection Regulation 2016/679 (GDPR).
By operating the Services that the Customer is using, and by the Customer using such Services, Doohlabs will, on behalf of the Customer (as data controller), process Personal Data selected, collected and submitted by the Customer, and/or third parties designated by the Customer, and stored and used within the Services.
The terms of this Processing Agreement only apply to a data controller with an active subscription to (one or several of) the Services. By actively agreeing to be bound by this Processing Agreement, the Customer agrees to be bound by this Processing Agreement with Doohlabs Ltd, co. reg. no. FI23539391, including all its Affiliates, with address Metsäneidonkuja 6, 02130 Espoo, Finland (Doohlabs).
The Processing Agreement constitutes a legally binding contract between Doohlabs and the Customer with respect to processing of Personal Data, in relation to access and use of the Services. Non-English translations of the Processing Agreement are provided for convenience only. In the event of any ambiguity or conflict between translations, the English version is authoritative and controls.
All capitalized terms used in this Processing Agreement shall have the meanings given to them below:
Affiliate - Any entity controlling or controlled by or under common control with a Party where control is ownership of more than 50 % of the equity or voting rights of such entity.
Data Controller - Has the meaning given in GDPR (and, for the purpose of this Processing Agreement, means the party licensing and using the Services).
Data Processor - Has the meaning given in GDPR.
Data Security Breach - Has the meaning set forth in Clause 4.
Data Subject - An individual who is the subject of Personal Data.
Data Subject Request - Has the meaning set forth in Clause 4.
Data Transfer - A transfer of Personal Data from the Data Controller to the Data Processor, or an onward transfer of Personal Data from the Data Processor to a Sub-Processor, or between two establishments of a Data Processor; in each case, where such transfer would be prohibited by EU Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of EU Data Protection Laws).
Processing Agreement - This Data Processing Agreement together with its annexes, as supplemented and amended from time to time.
EEA - The European Economic Area.
EU Data Protection Laws - EU Directive 95/46/EC, as transposed into domestic legislation of each member state and as amended, replaced, or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
GDPR - EU General Data Protection Regulation 2016/679.
Opportunity - A specific need for Services within an Account.
Party - Either Data Controller or Data Processor.
Parties - Data Controller and Data Processor.
Personal Data - Any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing - Any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Services - Doohlabs’s Software-as-a-Service (SaaS) and Cloud based Asset Access Control services and products via hosted online web services, ordered and licensed by the Customer as specified in Subscription Form, and any subsequent updates, upgrades, bug fixes, workarounds, and other services and/or products delivered or made accessible to the Customer by or on behalf of Doohlabs in connection with the Services.
The Services that are provided by Doohlabs, whether on a trial or paid basis, are made available online by Doohlabs, via the applicable Customer login link and other web pages designated by Doohlabs, including, individually and collectively, the applicable software, updates, Applications (App), API, SDK, Documentation, and all applicable Associated Services that Customer has licensed, purchased or deployed (Deployed Associated Services) that are provided by Doohlabs subject to the Purchase Agreement and supplemental license terms and conditions (i.e. for Apps, API). The Services do not include (i) Third-Party Services and Third-Party Materials, and (ii) any Additional Features or Associated Services that are not provided under the Purchase Agreement.
Services Data - Any electronic data, text, messages, communications, or other materials submitted to and stored within the Services by Customer in connection with use of the Services, which may include, without limitation, Personal Data.
Sub-Processor - Any third-party data processor engaged by Data Processor who receives Personal Data from Data Processor or Data Controller for Processing on behalf of Data Controller.
Subscription Agreement or Purchase Agreement - The agreement created by Customer and Doohlabs, by the Customer completing the required registration process for use of the Services and actively agreeing to be bound by the GTC and applicable Subscription Form, and any amendments and supplements thereto, that sets forth the terms and conditions for subscription/use, price and payment terms and other terms, conditions and documents.
Supervisory Authority - Any Data Protection Supervisory Authority with competence over Data Controller, Data Processor, and any Sub-Processor Processing of Personal Data.
Third-Party Services - Any services, products, gateways, links, or other functionality that may be included in or linked to the Services and that allows the Customer to access Third-Party services, for example connectivity- and mobile network services.
2.1 The Data Controller has entered into a Purchase Agreement pursuant to which Data Controller is granted a license to access and use the Services, and the Data Processor will, on behalf of the Data Controller, Process Personal Data selected, collected and submitted by the Data Controller, and/or third parties designated by the Data Controller with whom Data Controller transacts using the Services, and such Personal Data is stored and used within the Services. For the avoidance of doubt, the terms of this Processing Agreement shall only apply to the Data Controller with an active license to the Services.
2.2 The Parties are entering into this Processing Agreement to ensure that the Processing by the Data Processor of Personal Data, within the Services, is done in a manner compliant with GDPR and its requirements regarding the collection, use and retention of Personal Data.
2.3 To the extent that any terms of the Purchase Agreement conflict with the substantive terms of this Processing Agreement (as they relate to the protection of Personal Data and the Parties’ respective obligations and liabilities), the terms of this Processing Agreement shall take precedence.
As between the Parties, all Services Data Processed under the terms of this Processing Agreement and the Purchase Agreement shall remain the property of the Data Controller. Under no circumstances will the Data Processor act, or be deemed to act, as a data controller of the Services Data Processed within the Services under GDPR.
4.1 The Parties agree that the subject-matter and duration of Processing performed by the Data Processor under this Processing Agreement and the Purchase Agreement, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Exhibit A.
4.2 As part of the Data Processor providing the Services to the Data Controller under the Purchase Agreement, Data Processor shall comply with the obligations imposed upon it under GDPR Articles 28 - 32 and agrees and declares as follows:
(a) The Data Processor shall process Personal Data in accordance with the instructions set forth in this Processing Agreement;
(b) the Data Processor shall ensure that all staff and management of the Data Processor are fully aware of their responsibilities to protect Personal Data in accordance with this Processing Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in accordance with GDPR Article 28(3)(b);
(c) the Data Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data in accordance with GDPR Article 32 against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (Data Security Breach), provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected, including data security consistent with Doohlabs’s Data Security Standards;
(d) the Data Processor shall notify the Data Controller in accordance with GDPR Article 33(2), without undue delay but in any event within 48 hours, in the event of a confirmed Data Security Breach affecting the Data Controller’s Services Data and shall cooperate with the Data Controller as necessary to mitigate or remediate the Data Security Breach. Further, the Data Processor shall cooperate with the Data Controller and take such commercially reasonable steps as are directed by the Data Controller to assist in the investigation, mitigation and remediation of any such Data Security Breach under GDPR;
(e) the Data Processor shall comply with the requirements of Clause 5 when engaging a Sub-Processor;
(f) taking into account the nature of the Processing, the Data Processor shall assist the Data Controller (including by appropriate technical and organizational measures), insofar as it is commercially reasonable, to fulfil Data Controller’s obligation to respond to requests from Data Subjects to exercise their rights under GDPR (a “Data Subject Request”). In the event the Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller. However, in the event the Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing and the information available to the Data Controller, the Data Processor shall, on the Data Controller’s written request and the Data Controller’s instruction to the Data Processor, and at the Data Processor’s reasonable expense (scoped prior to the Data Processor’s response to the Data Subject Request), address the Data Subject Request, as required under GDPR;
(g) upon request, the Data Processor shall provide the Data Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to the Data Processor, to help the Data Controller to conduct any data protection impact assessment or Supervisory Authority consultation it is required to conduct under GDPR;
(h) upon termination of the Data Controller’s access to and use of the Services, the Data Processor shall comply with the requirements of Clause 9;
(i) the Data Processor shall comply with the requirements of Clause 6 to make available to the Data Controller information that demonstrates the Data Processor’s compliance with this Processing Agreement; and
(j) the Data Processor shall appoint a security officer who will act as a point of contact for the Data Controller, and coordinate and control compliance with this Processing Agreement.
4.3 The Data Processor shall immediately inform the Data Controller if, in its opinion, the Data Controller’s processing instructions infringe any law or regulation. In such event, the Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.
5.1 The Data Controller hereby confirms its general written authorisation for the Data Processor’s use of the Sub-Processor(-s) listed in accordance with GDPR Article 28, to assist it in providing the Services and Processing Personal Data provided that such Sub-Processor(-s),
(a) agree to act only on the Data Processor's instructions when Processing the Personal Data (which instructions shall be consistent with the Data Controller’s Processing instructions to the Data Processor), and
(b) agree to protect the Personal Data to a standard consistent with the requirements of this Processing Agreement, including by implementing and maintaining appropriate technical and organizational measures to protect the Personal Data they Process consistent with Doohlabs’s Data Security Standards.
5.2 The Data Processor agrees and warrants to remain liable to the Data Controller for the Processing services of any of its Sub-Processor(-s) under this Processing Agreement. The Data Processor shall maintain an up-to-date list of the names and locations of all Sub-Processor(-s) used for the Processing of Personal Data under this Processing Agreement in Appendix B. At least 30 days prior to the date on which a newly appointed Sub-Processor shall commence processing Personal Data, the Data Processor shall on its website, www.doohlabs.com, publish an updated version of this Processing Agreement including information of any new Sub-Processor to be appointed. The Data Controller may request to receive email notification at least 30 days ahead of any addition or change of Sub-Processor(-s).
5.3 In the event that the Data Controller objects to the Processing of its Personal Data by any newly appointed Sub-Processor, as described in this Clause 5, the Data Controller shall inform the Data Processor within 14 days following the update of its online policy above. In such event, the Data Processor will instruct the Sub-Processor to exclude processing of the Data Controller’s Personal Data and this Processing Agreement shall continue unaffected.
5.4 In addition, and as stated in the Purchase Agreement, the Services require integrations and combinations with Third-Party Services. If the Data Controller elects to enable, access or use such Third-Party Services, its access and use of such Third-Party Services is governed solely by the terms and conditions and privacy policies of such Third-Party Services, and the Data Processor does not endorse, is not responsible or liable for, and makes no representations as to any aspect of such Third-Party Services, including, without limitation, their content or the manner in which they handle Services Data (including Personal Data) or any interaction between the Data Controller and the provider of such Third-Party Services. The Data Processor is not liable for any damage or loss caused or alleged to be caused by or in connection with the Data Controller’s enablement, access or use of any such Third-Party Services, or the Data Controller’s reliance on the privacy practices, data security processes or other policies of such Third-Party Services. A provider of Third-Party Services shall not be deemed a Sub-Processor for any purpose under this Processing Agreement.
6.1 Subject to this Clause 6, the Data Processor shall make available to the Data Controller on request, and without delay, all information necessary to demonstrate compliance with this Processing Agreement, and shall allow for and contribute to audits, including inspections, by the Data Controller or an auditor mandated by the Data Controller in relation to the Processing of Personal Data by the Data Processor and any Sub-Processor.
6.2 Information and audit rights of the Data Controller only arise under Clause 6 to the extent that the Processing Agreement does not otherwise give them information and audit rights meeting the relevant requirements of GDPR.
7.1 Except as requested by the Data Processor and as explicitly approved by the Data Controller, the Data Processor and its Sub-Processors will only maintain Processing operations in countries that are inside of the EEA and by companies which are based within the EEA.
7.2 If the Data Controller has approved that Personal Data processed in the Services is transferred and/or processed in a country outside the EEA, the Data Processor shall ensure that such transferred and/or processed Personal Data are adequately protected. To achieve this, the Data Processor shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of Personal Data.
8.1 As part of the Data Controller receiving the Services under the Purchase Agreement, the Data Controller agrees to abide by its obligations under GDPR and declares and warrants as follows.
(a) That the Data Controller is solely responsible for the means by which Personal Data is acquired and used by the Data Controller, including instructing Processing by the Data Controller in accordance with the provisions of the Purchase Agreement and this Processing Agreement, is and shall continue to be in accordance with all the relevant provisions of GDPR, particularly with respect to the security, protection and disclosure of Personal Data,
(b) that if collection by Data Processor involves any ‘special’ or ‘sensitive’ categories of Personal Data (as defined in GDPR), the Data Controller is acquiring and transferring such Personal Data in accordance with GDPR,
(c) that the Data Controller will inform its Data Subjects (if applicable):
- about its general use of data processors to Process their Personal Data, including the Data Processor, and
- that their Personal Data may be Processed outside of the EEA,
(d) that, upon instructions from the Data Processor, it shall respond in reasonable time and to the extent reasonably practicable to enquiries by Data Subjects regarding the Processing of their Personal Data by the Data Processor, and to give appropriate instructions to the Data Processor in a timely manner, and
(e) that, upon instructions from the Data Processor, it shall respond in a reasonable time to enquiries from a Supervisory Authority regarding the Processing of relevant Personal Data by Data Processor.
Upon the termination of the Data Controller’s access to and use of the Services, the Data Processor will up to 30 days following such termination at the choice of the Data Controller either (a) permit the Data Controller to export its Services Data, at its expense; or (b) delete all Services Data in accordance with the capabilities of the Services in accordance with GDPR Article 28(3)(g). Following such period, the Data Processor shall delete or anonymize all Services Data stored or Processed by the Data Processor on behalf of the Data Controller in accordance with the Data Processor’s deletion policies and procedures. The Data Controller expressly consents to such action.
This Processing Agreement will remain in force for as long as the Data Processor Processes Personal Data on behalf of the Data Controller under the Purchase Agreement and for the Services.
11.1 In the event that compensation for damages in relation to Processing is payable to the Data Subject, through a legally binding judgement or settlement, due to a violation of the Agreement, Instructions and/or applicable provision of the Data Protection Legislation, Article 82 of GDPR is applicable.
11.2 Fines in accordance with Article 83 of GDPR or Chapter 6, Section 2 of the Data Protection Act (2018:218) shall be paid by the party to this Agreement that has been levied such a fee.
11.3 If either party becomes aware of circumstances that could be detrimental to the other party, the first party shall immediately inform the other party of this and work actively with the other party to prevent and minimise the damage or loss.
11.4 Notwithstanding any of the provisions of the Purchase Agreement, items 11.1 and 11.2 of this Agreement take precedence over other rules regarding the allocation between the parties of claims regarding the Processing.
12.1 This Processing Agreement may not be amended or modified except by a writing signed by both Parties hereto. This Processing Agreement may be executed in counterparts, provided however that the Data Processor shall be entitled to from time to time make non-material functional changes and updates to the Processing Agreement (not changing the Parties’ respective rights and responsibilities in this Processing Agreement) by giving the Data Controller 30 days’ notice. Also, should the European Parliament and/or the Council pass new regulations and/or issue any guidelines which contain terms that conflict with those used in this Processing Agreement, the Parties hereby agree that such terms in this Processing Agreement shall primarily be changed or secondarily be interpreted and applied strictly in accordance with any such new regulation and guideline.
12.2 The terms and conditions of this Processing Agreement are confidential and each party agrees and represents, on behalf of itself, its employees and agents to whom it is permitted to disclose such information that it will not disclose such information to any third party; provided, however, that each party shall have the right to disclose such information to its officers, directors, employees, auditors, attorneys and Third-Party contractors who are under an obligation to maintain the confidentiality thereof and further may disclose such information as necessary to comply with an order or subpoena of any administrative agency or a court of competent jurisdiction or as reasonably necessary to comply with any applicable law or regulation.
12.3 Subject to the foregoing restrictions, this Processing Agreement will be fully binding upon, inure to the benefit of and be enforceable by the Parties and their respective successors and assigns.
12.4 This Processing Agreement and the Purchase Agreement constitute the entire understanding between the Parties with respect to the subject matter herein, and shall supersede any other arrangements, negotiations or discussions between the Parties relating to that subject-matter.
13.1 This Processing Agreement and the rights and obligations of the Parties pursuant thereto will be governed by the laws of Sweden, without regard to conflicts of law principles. The Parties irrevocably agree that, subject as provided below, the courts of Finland shall have exclusive jurisdiction in relation to any claim, dispute or difference concerning this Processing Agreement (including the right to possible appeal), and any matter arising therefrom and irrevocably waive any right that they may have to object to an action being brought in those courts, or to claim that the action has been brought in an inconvenient forum, or that those courts do not have jurisdiction. -END-
Exhibit A
PROCESSING, PERSONAL DATA AND DATA SUBJECTS (DATA CONTROLLER’S INSTRUCTIONS)
Terms defined in the Processing Agreement shall have the same meaning in this Exhibit.