WHEREAS:
Customer (hereinafter, “the Controller”) of the one part, and Leap Tools Inc. (hereinafter, “the Processor”) of the other part, who have entered into an agreement for services (the “Agreement”), hereby agree to the following terms:
The purpose of these clauses is to define the conditions in which the Processor undertakes to carry out, on the Controller’s behalf, the personal data processing operations defined below.
As part of their contractual relations, the parties shall undertake to comply with the applicable regulations on personal data processing and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 which is applicable from 25 May 2018 (hereinafter “the General Data Protection Regulation” or “GDPR”), including the definitions contained therein.
The Processor is authorized to process, on behalf of the Controller, the necessary personal data for providing the services outlined in the Agreement (the “Services”). The purpose of the Services is to enable a user to visualize the Controller’s product in a room picture, to store such a picture and to share such a picture with third parties. For this purpose the following personal data shall be processed by the Processor:
The Services as well as any personal data being processed by the Processor is run on IT-infrastructure (including server) of the Processor.
The categories of data subjects are users of the software Roomvo.
As a result of being incorporated into the Agreement, this Data Processing Agreement enters into force in concurrence with the Agreement, for the duration of the Agreement.
The Processor shall undertake to:
The Processor may engage other processors (hereinafter “the sub-processors”) to conduct specific processing activities. In this case, the Processor shall inform the Controller, in writing, of any changes concerning the addition or replacement of sub-processors. If the Controller disapproves of changes to the sub-processors (the Controller’s disapproval shall not be unreasonable), the Controller shall notify the Processor immediately and the Processor will have the right to attempt to resolve, mitigate, or cure the adverse change within a reasonable period of time. If the Processor cannot, or will not cure the adverse change, the Controller shall have the right to terminate this agreement, without further obligation, within 30 days of the aforementioned changes being made.
These are the sub-processors engaged by the Processor:
The Processor has a Data Processing Agreement in place with Amazon Web Services, which includes the Standard Contractual Clauses as adopted by the European Commission for the transfer of personal data to processors established in third countries.
It is the Controller’s responsibility to inform the data subjects concerned by the processing operations prior to the time data are being collected.
The Processor shall assist the Controller, insofar as this is possible, for the fulfilment of its obligation to respond to requests for exercising the data subject’s rights: right of access, to rectification, erasure and to object, right to restriction of processing, right to data portability, right not to be subject to an automated individual decision (including profiling).
The Processor shall notify the Controller of any violations of the protection of personal data processed on behalf of the Controller, including special occurrences such as burglary, theft, and hacking attacks that result in such violations.
The notification shall contain the following information, if known at the time of the notification:
The Processor assists the Controller in carrying out data protection impact assessments.
The Processor assists the Controller with regard to prior consultation of the supervisory authority.
The Processor undertakes to implement the following security measures:
At the end of performing the Services, the Processor undertakes to destroy all non-pseudonymized personal data, except for archiving in the public interest, scientific or historical research purposes for statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by GDPR.
The Processor shall communicate to the Controller the name and contact details of its data protection officer, if it has designated one in accordance with Article 37 of the GDPR.
The Processor states that it maintains a written record of all categories of processing activities carried out on behalf of the Controller, containing:
The Processor provides the Controller with the necessary documentation for demonstrating compliance with all of its obligations and for allowing an independent third-party auditor, appointed by the Controller and approved by the Processor, to conduct audits, including inspections, and for contributing to such audits. The Controller shall compensate the Processor for any and all reasonable costs related to audits and inspections.
The Controller undertakes to:
Last Updated: January 23, 2024
© 2024 Roomvo | Roomvo is a registered trademark of Leap Tools Inc.